93 lines
4 KiB
Text
93 lines
4 KiB
Text
|
|
==== OpenShift 3
|
|
|
|
.Procedure
|
|
. Click *Identity Providers* in the menu.
|
|
. From the `Add provider` list, select `Openshift`.
|
|
+
|
|
.Add identity provider
|
|
image:{project_images}/openshift-add-identity-provider.png[Add Identity Provider]
|
|
+
|
|
. Copy the value of *Redirect URI* to your clipboard.
|
|
. Register your client using the `oc` command-line tool.
|
|
+
|
|
[source,subs="attributes+"]
|
|
----
|
|
$ oc create -f <(echo '
|
|
kind: OAuthClient
|
|
apiVersion: v1
|
|
metadata:
|
|
name: kc-client <1>
|
|
secret: "..." <2>
|
|
redirectURIs:
|
|
- "http://www.example.com/" <3>
|
|
grantMethod: prompt <4>
|
|
')
|
|
----
|
|
|
|
<1> The `name` of your OAuth client. Passed as `client_id` request parameter when making requests to `_<openshift_master>_/oauth/authorize` and `_<openshift_master>_/oauth/token`.
|
|
<2> The `secret` {project_name} uses for the `client_secret` request parameter.
|
|
<3> The `redirect_uri` parameter specified in requests to `_<openshift_master>_/oauth/authorize` and `_<openshift_master>_/oauth/token` must be equal to (or prefixed by) one of the URIs in `redirectURIs`. You can obtain this from the *Redirect URI* field in the Identity Provider screen
|
|
<4> The `grantMethod` {project_name} uses to determine the action when this client requests tokens but has not been granted access by the user.
|
|
+
|
|
. In {project_name}, paste the value of the *Client ID* into the *Client ID* field.
|
|
. In {project_name}, paste the value of the *Client Secret* into the *Client Secret* field.
|
|
ifeval::[{project_community}==true]
|
|
. Click *Add*.
|
|
endif::[]
|
|
ifeval::[{project_product}==true]
|
|
. Click *Save*.
|
|
endif::[]
|
|
|
|
==== OpenShift 4
|
|
|
|
.Prerequisites
|
|
. Installation of https://stedolan.github.io/jq/[jq].
|
|
. `X509_CA_BUNDLE` configured in the container and set to `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
|
|
|
|
.Procedure
|
|
. Run the following command on the command line and note the OpenShift 4 API URL output.
|
|
+
|
|
[source,subs="attributes+"]
|
|
----
|
|
curl -s -k -H "Authorization: Bearer $(oc whoami -t)" \https://<openshift-user-facing-api-url>/apis/config.openshift.io/v1/infrastructures/cluster | jq ".status.apiServerURL"
|
|
----
|
|
+
|
|
. Click *Identity Providers* in the {project_name} menu.
|
|
. From the `Add provider` list, select `Openshift`.
|
|
+
|
|
.Add identity provider
|
|
image:{project_images}/openshift-4-add-identity-provider.png[Add Identity Provider]
|
|
+
|
|
. Copy the value of *Redirect URI* to your clipboard.
|
|
. Register your client using the `oc` command-line tool.
|
|
+
|
|
[source, subs="attributes+"]
|
|
----
|
|
$ oc create -f <(echo '
|
|
kind: OAuthClient
|
|
apiVersion: oauth.openshift.io/v1
|
|
metadata:
|
|
name: keycloak-broker <1>
|
|
secret: "..." <2>
|
|
redirectURIs:
|
|
- "<copy pasted Redirect URI from OpenShift 4 Identity Providers page>" <3>
|
|
grantMethod: prompt <4>
|
|
')
|
|
----
|
|
|
|
<1> The `name` of your OAuth client. Passed as `client_id` request parameter when making requests to `_<openshift_master>_/oauth/authorize` and `_<openshift_master>_/oauth/token`. The `name` parameter must be the same in the `OAuthClient` object and the {project_name} configuration.
|
|
<2> The `secret` {project_name} uses as the `client_secret` request parameter.
|
|
<3> The `redirect_uri` parameter specified in requests to `_<openshift_master>_/oauth/authorize` and `_<openshift_master>_/oauth/token` must be equal to (or prefixed by) one of the URIs in `redirectURIs`. The easiest way to configure it correctly is to copy-paste it from {project_name} OpenShift 4 Identity Provider configuration page (`Redirect URI` field).
|
|
<4> The `grantMethod` {project_name} uses to determine the action when this client requests tokens but has not been granted access by the user.
|
|
+
|
|
. In {project_name}, paste the value of the *Client ID* into the *Client ID* field.
|
|
. In {project_name}, paste the value of the *Client Secret* into the *Client Secret* field.
|
|
ifeval::[{project_community}==true]
|
|
. Click *Add*.
|
|
endif::[]
|
|
ifeval::[{project_product}==true]
|
|
. Click *Save*.
|
|
endif::[]
|
|
|
|
See https://docs.okd.io/latest/authentication/configuring-oauth-clients.html#oauth-register-additional-client_configuring-oauth-clients[official OpenShift documentation] for more information.
|