Merged
31 changes: 18 additions & 13 deletions architecture/additional_concepts/authentication.adoc
Expand Up @@ -82,7 +82,7 @@ OAuth configuration is specified in the master config file.

When running without a master config file, the `AllowAllPasswordIdentityProvider` identity provider is used, which allows any non-empty username and password to log in. This is useful for test purposes.

To use other identity providers, you must run from a config file. For more information about creating and running from config files, see link:../using_openshift/master_node_configuration.html[Master and Node Configuration].
To use other identity providers, you must run from a config file. For more information about creating and running from config files, see link:../../dev_guide/master_node_configuration.html[Master and Node Configuration].

=== Identity providers

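Review bot: the relative link target changes from `../using_openshift/master_node_configuration.html` to `../../dev_guide/master_node_configuration.html`; since this file lives under `architecture/additional_concepts/`, the new path resolves to a top-level `dev_guide/` directory, so please confirm that file exists at that location in this revision and that no other pages still point at the old `using_openshift` path, otherwise the rendered docs will ship a dead link to the master configuration guide.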
Expand Down Expand Up @@ -279,12 +279,14 @@ oauthConfig:
kind: GoogleIdentityProvider
clientID: ... <4>
clientSecret: ... <5>
hostedDomain: "" <6>
----
<1> This provider name is prefixed to the Google numeric user id to form an identity name. It is also used to build the redirect URL.
<2> `GoogleIdentityProvider` cannot be used to send WWW-Authenticate challenges.
<3> When `true`, unauthenticated token requests from web clients (like the web console) will be redirected to Google to log in.
<4> The client id of a link:https://console.developers.google.com/[registered Google project]. The project must be configured with a redirect URI of `<master>/oauth2callback/<identityProviderName>`
<5> The client secret issued by Google.
<6> Optional link:https://developers.google.com/identity/protocols/OpenIDConnect#hd-param[hosted domain] to restrict sign-in accounts to. If empty, any Google account is allowed to authenticate.
====

==== OpenID Connect [[OpenID]]
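Review bot: callout <6> describes `hostedDomain` as restricting sign-in accounts, but the linked Google `hd` parameter is only a hint passed on the authorization request; the restriction only holds if the provider also checks the `hd` claim in the returned identity, so the callout should state whether that server-side check is performed rather than implying the request parameter alone enforces it. Since the sample sets `hostedDomain: ""`, which the callout itself says allows any Google account, consider showing a placeholder such as `hostedDomain: example.com` in the example so readers do not copy the fully open setting by default.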
Expand Down Expand Up @@ -345,7 +347,7 @@ oauthConfig:
<8> link:http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint[Token Endpoint] described in the OpenID spec. Must use https.
====

A custom certificate bundle, extra scopes, and UserInfo URL can also be specified.
A custom certificate bundle, extra scopes, extra authorization request parameters, and UserInfo URL can also be specified.

Full config:
====
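Review bot: the reworded sentence now mentions "extra authorization request parameters" without naming the field that provides them; since readers scan this sentence to find the knob, suggest referencing the configuration key directly, e.g. "extra authorization request parameters (`extraAuthorizeParameters`)", so the prose and the full config below are clearly tied together.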
Expand All @@ -365,32 +367,35 @@ oauthConfig:
extraScopes: <2>
- email
- profile
extraAuthorizeParameters: <3>
include_granted_scopes: "true"
claims:
id: <3>
id: <4>
- custom_id_claim
- sub
preferredUsername: <4>
preferredUsername: <5>
- preferred_username
- email
name: <5>
name: <6>
- nickname
- given_name
- name
email: <6>
email: <7>
- custom_email_claim
- email
urls:
authorize: https://myidp.example.com/oauth2/authorize
token: https://myidp.example.com/oauth2/token
userInfo: https://myidp.example.com/oauth2/userinfo <7>
userInfo: https://myidp.example.com/oauth2/userinfo <8>
----
<1> Certificate bundle to use to validate server certificates for the configured URLs. If empty, system trusted roots are used.
<2> List of scopes to request (in addition to the `openid` scope) during the authorization request.
<3> List of claims to use as the identity. First non-empty claim is used. At least one claim is required. If none of the listed claims have a value, authentication will fail.
<4> List of claims to use as the preferred username when provisioning a user for this identity. First non-empty claim is used.
<5> List of claims to use as the display name. First non-empty claim is used.
<6> List of claims to use as the email address. First non-empty claim is used.
<7> link:http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] described in the OpenID spec. Must use https.
<2> Optional list of scopes to request (in addition to the `openid` scope) during the authorization token request.
<3> Optional map of extra parameters to add to the authorization token request.
<4> List of claims to use as the identity. First non-empty claim is used. At least one claim is required. If none of the listed claims have a value, authentication will fail.
<5> List of claims to use as the preferred username when provisioning a user for this identity. First non-empty claim is used.
<6> List of claims to use as the display name. First non-empty claim is used.
<7> List of claims to use as the email address. First non-empty claim is used.
<8> link:http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] described in the OpenID spec. Must use https.
====

=== Token options
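Review bot: callouts <2> and <3> both say "authorization token request", which conflates two distinct OAuth exchanges; scopes and extra parameters are sent on the redirect to `urls.authorize`, not on the back-channel call to `urls.token`, so the previous wording "during the authorization request" in <2> was more precise and <3> should match it ("extra parameters to add to the authorization request"). It would also help to state in <3> whether keys in `extraAuthorizeParameters` can override the standard parameters the provider sets itself (for example `redirect_uri`, `response_type`, `scope`, `state`) or whether those are protected, since that determines how much care an administrator must take with this map. The callout renumbering from <3>..<7> to <4>..<8> is consistent across the config block and the list.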