diff --git a/architecture/additional_concepts/authentication.adoc b/architecture/additional_concepts/authentication.adoc index 37077cb775f4..4c62273b3460 100644 --- a/architecture/additional_concepts/authentication.adoc +++ b/architecture/additional_concepts/authentication.adoc @@ -82,7 +82,7 @@ OAuth configuration is specified in the master config file. When running without a master config file, the `AllowAllPasswordIdentityProvider` identity provider is used, which allows any non-empty username and password to log in. This is useful for test purposes. -To use other identity providers, you must run from a config file. For more information about creating and running from config files, see link:../using_openshift/master_node_configuration.html[Master and Node Configuration]. +To use other identity providers, you must run from a config file. For more information about creating and running from config files, see link:../../dev_guide/master_node_configuration.html[Master and Node Configuration]. === Identity providers @@ -279,12 +279,14 @@ oauthConfig: kind: GoogleIdentityProvider clientID: ... <4> clientSecret: ... <5> + hostedDomain: "" <6> ---- <1> This provider name is prefixed to the Google numeric user id to form an identity name. It is also used to build the redirect URL. <2> `GoogleIdentityProvider` cannot be used to send WWW-Authenticate challenges. <3> When `true`, unauthenticated token requests from web clients (like the web console) will be redirected to Google to log in. <4> The client id of a link:https://console.developers.google.com/[registered Google project]. The project must be configured with a redirect URI of `/oauth2callback/` <5> The client secret issued by Google. +<6> Optional link:https://developers.google.com/identity/protocols/OpenIDConnect#hd-param[hosted domain] to restrict sign-in accounts to. If empty, any Google account is allowed to authenticate. ==== ==== OpenID Connect [[OpenID]] 
@@ -345,7 +347,7 @@ oauthConfig: <8> link:http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint[Token Endpoint] described in the OpenID spec. Must use https. ==== -A custom certificate bundle, extra scopes, and UserInfo URL can also be specified. +A custom certificate bundle, extra scopes, extra authorization request parameters, and UserInfo URL can also be specified. Full config: ==== 
@@ -365,32 +367,35 @@ oauthConfig: extraScopes: <2> - email - profile + extraAuthorizeParameters: <3> + include_granted_scopes: "true" claims: - id: <3> + id: <4> - custom_id_claim - sub - preferredUsername: <4> + preferredUsername: <5> - preferred_username - email - name: <5> + name: <6> - nickname - given_name - name - email: <6> + email: <7> - custom_email_claim - email urls: authorize: https://myidp.example.com/oauth2/authorize token: https://myidp.example.com/oauth2/token - userInfo: https://myidp.example.com/oauth2/userinfo <7> + userInfo: https://myidp.example.com/oauth2/userinfo <8> ---- <1> Certificate bundle to use to validate server certificates for the configured URLs. If empty, system trusted roots are used. -<2> List of scopes to request (in addition to the `openid` scope) during the authorization request. -<3> List of claims to use as the identity. First non-empty claim is used. At least one claim is required. If none of the listed claims have a value, authentication will fail. -<4> List of claims to use as the preferred username when provisioning a user for this identity. First non-empty claim is used. -<5> List of claims to use as the display name. First non-empty claim is used. -<6> List of claims to use as the email address. First non-empty claim is used. -<7> link:http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] described in the OpenID spec. Must use https. +<2> Optional list of scopes to request (in addition to the `openid` scope) during the authorization token request. +<3> Optional map of extra parameters to add to the authorization token request. +<4> List of claims to use as the identity. First non-empty claim is used. At least one claim is required. If none of the listed claims have a value, authentication will fail. +<5> List of claims to use as the preferred username when provisioning a user for this identity. First non-empty claim is used. +<6> List of claims to use as the display name. 
First non-empty claim is used. +<7> List of claims to use as the email address. First non-empty claim is used. +<8> link:http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] described in the OpenID spec. Must use https. ==== === Token options
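Review bot: in the `GoogleIdentityProvider` hunk, callout <6> describes `hostedDomain` as restricting sign-in accounts, but the linked `hd` parameter only tells Google which accounts to offer in the account chooser; the callout should state whether the provider also verifies the hosted domain of the account that actually authenticated, since a request parameter alone can be removed or altered by the user and is not an enforced restriction. If the provider does verify it, say so explicitly; if it does not, the wording "restrict sign-in accounts to" overstates what the option guarantees. Separately, the sample value `hostedDomain: "" <6>` shows the no-restriction default, so the example would be more useful with a domain value (for example `hostedDomain: example.com`) and the "If empty, any Google account is allowed to authenticate" sentence kept as the caveat.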
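Review bot: in the `extraAuthorizeParameters` hunk, callouts <2> and <3> say "authorization token request", which conflates the authorization request sent to the `authorize` URL with the token request sent to the `token` URL; the field name `extraAuthorizeParameters` and the earlier sentence in this patch ("extra authorization request parameters") both point at the authorization request, so the callouts should read, for example, `<3> Optional map of extra parameters to add to the authorization request.` The callout should also state whether these extra parameters can override the parameters the server sets itself (`client_id`, `redirect_uri`, `response_type`, `scope`, `state`), since silently letting a config map replace `redirect_uri` or `state` would undermine the flow; documenting that they are added only and cannot replace reserved parameters, or that reserved names are rejected, would remove the ambiguity. The renumbering of callouts <3> through <8> is consistent with the added line.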