Configuring OpenShift OAuth

For users to interact with OpenShift, they must first authenticate to the OpenShift cluster. OpenShift OAuth is the process by which users prove their identity to a cluster, through an API, using OAuth access tokens they have obtained.

Authentication with the OpenShift Connector (see the OpenShift Connector overview) is one way for Che users to authenticate with an OpenShift cluster.

The following section describes the OpenShift OAuth configuration options and their use with Che.

  • OpenShift OAuth is enabled by default when Che is deployed using OperatorHub or chectl. See the chectl server:deploy specification chapter.

  • For Che deployed in single-user mode:

    1. Register a Che OAuth client in OpenShift. See the Register an OAuth client in OpenShift chapter.

      $ oc create -f <(echo '
      kind: OAuthClient
      apiVersion: oauth.openshift.io/v1
      metadata:
       name: che
      secret: "<random set of symbols>"
      redirectURIs:
       - "<Che api url>/oauth/callback"
      grantMethod: prompt
      ')

    2. Add the OpenShift TLS certificate to the Che Java trust store.

    3. Update the OpenShift deployment configuration.

      CHE_OAUTH_OPENSHIFT_CLIENTID: <client-ID>
      CHE_OAUTH_OPENSHIFT_CLIENTSECRET: <openshift-secret>
      CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT: <oauth-endpoint>
      CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL: <verify-token-url>

      • <client-ID>: the name specified in the OpenShift OAuthClient.

      • <openshift-secret>: the secret specified in the OpenShift OAuthClient.

      • <oauth-endpoint>: the URL of the OpenShift OAuth service:

        • For OpenShift 3, specify the OpenShift master URL.

        • For OpenShift 4, specify the oauth-openshift route.

      • <verify-token-url>: the request URL used to verify the token. <OpenShift master url>/api can be used for OpenShift 3 and 4.

      • See Advanced configuration options for the Che server component.
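
Step 1 of the procedure above, as an added example that is not part of the Che documentation: a POSIX shell script that generates the "<random set of symbols>" secret from /dev/urandom and prints the OAuthClient manifest with the exact callback URI. The function names, the `che.example.test` host and the HTTPS-only check are assumptions of this example, not requirements stated on this page.

```shell
#!/bin/sh
# Added example: render the OAuthClient manifest with a freshly generated secret.

# 32 random bytes, base64url without padding (43 characters, YAML-safe).
gen_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Accept only https:// URLs and drop one trailing slash, so the registered
# redirect URI is exact. HTTPS-only is this example's assumption.
normalize_url() {
  case "$1" in
    https://*) printf '%s\n' "${1%/}" ;;
    *) echo "refusing non-HTTPS Che API URL: $1" >&2; return 1 ;;
  esac
}

# Print the manifest for client name $1, secret $2 and Che API URL $3.
render_oauthclient() {
  url=$(normalize_url "$3") || return 1
  cat <<EOF
kind: OAuthClient
apiVersion: oauth.openshift.io/v1
metadata:
  name: $1
secret: "$2"
redirectURIs:
  - "$url/oauth/callback"
grantMethod: prompt
EOF
}

# Constructed sample values; pipe the output to `oc create -f -` on a real cluster.
SECRET=$(gen_secret)
render_oauthclient che "$SECRET" "https://che.example.test/api"
```

The generated secret is the value to set as CHE_OAUTH_OPENSHIFT_CLIENTSECRET in step 3, and the client name is the value for <client-ID>.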

Additional resources