diff --git a/architecture/authentication.adoc b/architecture/authentication.adoc index 14be2a3d27b7..8cff881e9bc3 100644 --- a/architecture/authentication.adoc +++ b/architecture/authentication.adoc @@ -163,13 +163,18 @@ To configure how usernames and passwords are validated, set the `OPENSHIFT_OAUTH * `anypassword` ** Any non-empty username and password combination is accepted +* `htpasswd` +** Validates usernames and passwords against a flat-file generated using http://httpd.apache.org/docs/2.4/programs/htpasswd.html[htpasswd] +** Only MD5 and SHA encryption types are supported. MD5 encryption is recommended, and is the default for htpasswd. Plaintext, crypt, and bcrypt hashes are not currently supported. +** Requires the environment variable `OPENSHIFT_OAUTH_HTPASSWD_FILE` be set to the path of an htpasswd-generated file +** The file is re-read if its modification time changes, without requiring a server restart * `basicauthurl` ** The username and password are validated against a protected JSON-returning remote URL, using basic auth: *** A 401 response indicates failed auth. *** A non-200 status or the presence of an "error" key with a non-empty value indicates an error: `{"error":"Error message"}` *** A 200 status with an "id" key indicates success: `{"id":"userid"}` *** A successful response may also include name and/or email: `{"id":"userid", "name": "User Name", "email":"user@example.com"}` -** Requires the environment variable `OPENSHIFT_OAUTH_BASIC_AUTH_URL` to be set to the remote URL +** Requires the environment variable `OPENSHIFT_OAUTH_BASIC_AUTH_URL` be set to the remote URL * `deny` ** Any username and password combination is denied 
@@ -264,6 +269,21 @@ OPENSHIFT_OAUTH_SESSION_MAX_AGE_SECONDS=300 <6> <5> Name of the cookie to save the session in <6> Let sessions last up to 5 minutes +==== htpasswd-generated file +To validate usernames/passwords against a file generated by http://httpd.apache.org/docs/2.4/programs/htpasswd.html[htpasswd]: +``` +OPENSHIFT_OAUTH_REQUEST_HANDLERS=session,basicauth +OPENSHIFT_OAUTH_HANDLER=login +OPENSHIFT_OAUTH_PASSWORD_AUTH=htpasswd +OPENSHIFT_OAUTH_HTPASSWD_FILE=path/to/users.htpasswd +``` + +To create the file: `htpasswd -c ` + +To add or update a user to the file: `htpasswd ` + +To remove a user from the file: `htpasswd -D ` + ==== External basic auth To validate usernames/passwords against an external URL using basic auth: ```
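Review bot: In the first hunk, the new `htpasswd` bullet "Only MD5 and SHA encryption types are supported" describes password hash formats, not encryption; suggest "Only MD5 and SHA hash formats are supported". The bullet should also say why MD5 is recommended: htpasswd's MD5 format is salted and iterated, while its SHA format is unsalted SHA-1, so a reader could otherwise pick SHA assuming it is the stronger option. Separately, the last change in this hunk rewrites "to be set to the remote URL" as "be set to the remote URL" in the `basicauthurl` bullet, which is unrelated to htpasswd support; either drop that change or keep "to be set" and use the same wording in the new `OPENSHIFT_OAUTH_HTPASSWD_FILE` bullet.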
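Review bot: In the second hunk, under the new "htpasswd-generated file" heading, the three command examples `htpasswd -c `, `htpasswd ` and `htpasswd -D ` carry no file or username arguments, so they cannot be run as written; the placeholders look to have been dropped, possibly consumed as markup. Suggest spelling them out with the path already used in the config block, for example `htpasswd -c path/to/users.htpasswd <username>`, escaping the angle brackets if the renderer needs it. It is also worth stating that `-c` rewrites an existing file, so it should only be used for the first user, and saying what the relative `path/to/users.htpasswd` is resolved against.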