Configuring OpenShift OAuth

For users to interact with OpenShift, they must first authenticate to the OpenShift cluster. OpenShift OAuth is the process in which users prove their identity to the cluster through an API, using OAuth access tokens that they have obtained.

The Authentication with the OpenShift Connector overview describes one possible way for Che users to authenticate with an OpenShift cluster.

The following section describes the OpenShift OAuth configuration options and their use with Che.

Prerequisites
  • The oc tool is available.

Procedure
  • To enable OpenShift OAuth automatically, deploy Che using chectl with the --os-oauth option. See the chectl server:start specification chapter.

  • For Che deployed in single-user mode:

    1. Register the Che OAuth client in OpenShift. See the Register an OAuth client in OpenShift chapter.

      $ oc create -f <(echo '
      kind: OAuthClient
      apiVersion: oauth.openshift.io/v1
      metadata:
       name: che
      secret: "<random set of symbols>"
      redirectURIs:
       - "<Che api url>/oauth/callback"
      grantMethod: prompt
      ')

    2. Add the OpenShift TLS certificate to the Che Java trust store.

    3. Update the OpenShift deployment configuration.

      CHE_OAUTH_OPENSHIFT_CLIENTID: <client-ID>
      CHE_OAUTH_OPENSHIFT_CLIENTSECRET: <openshift-secret>
      CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT: <oauth-endpoint>
      CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL: <verify-token-url>

      • <client-ID>: the name specified in the OpenShift OAuthClient.

      • <openshift-secret>: the secret specified in the OpenShift OAuthClient.

      • <oauth-endpoint>: the URL of the OpenShift OAuth service:

        • For OpenShift 3, specify the OpenShift master URL.

        • For OpenShift 4, specify the oauth-openshift route.

      • <verify-token-url>: the request URL that is used to verify the token. <OpenShift master url>/api can be used for OpenShift 3 and 4.

      • See Advanced configuration options for the Che server component.
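The following sketch is an added example, not part of the Che documentation: it generates the OAuthClient secret from the kernel CSPRNG instead of typing one by hand, and renders the manifest from step 1 so that the same value can be reused for CHE_OAUTH_OPENSHIFT_CLIENTSECRET. The function names, the CHE_API_URL variable, and the https-only check on the Che API URL are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: build the OAuthClient manifest from step 1 with a generated
# secret. Function names and CHE_API_URL are assumptions, not Che tooling.

# 32 random bytes from the kernel CSPRNG, hex-encoded (64 characters).
gen_secret() {
  head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Accept only an https:// URL made of host[:port][/path] characters, so that
# nothing unexpected ends up inside the quoted YAML value.
valid_api_url() {
  case "$1" in
    https://*) ;;
    *) return 1 ;;
  esac
  case "${1#https://}" in
    ''|*[!A-Za-z0-9._:/-]*) return 1 ;;
  esac
  return 0
}

# Print the OAuthClient manifest for the given Che API URL and secret.
render_oauthclient() {
  local api_url
  local secret
  api_url="${1%/}"   # drop one trailing slash before appending the callback path
  secret="$2"
  valid_api_url "$api_url" || { echo "refusing non-https or malformed URL: $1" >&2; return 1; }
  case "$secret" in
    ''|*[!0-9a-f]*) echo "secret must be lowercase hex" >&2; return 1 ;;
  esac
  cat <<EOF
kind: OAuthClient
apiVersion: oauth.openshift.io/v1
metadata:
 name: che
secret: "${secret}"
redirectURIs:
 - "${api_url}/oauth/callback"
grantMethod: prompt
EOF
}

# Usage (not run here; needs a logged-in oc session):
#   secret=$(gen_secret)
#   render_oauthclient "$CHE_API_URL" "$secret" | oc create -f -
#   # then set CHE_OAUTH_OPENSHIFT_CLIENTSECRET to the same $secret value
```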

Additional resources

For additional information about single-user and multi-user authentication modes, see the administration-guide:authenticating-users.adoc#authentication-mods_che chapter.