Hi, I've played with oauth-proxy [1] on my local OpenShift cluster (e.g. oc cluster up). The first thing I've tried was the sidecar example [2] in the contrib directory, but to make it work, I had to tweak the CLI arguments of the proxy. In practice, I've added the following options:

    --redeem-url=https://openshift.default.svc/oauth/token
    --validate-url=https://openshift.default.svc/apis/user.openshift.io/v1/users/~
    --openshift-review-url=https://openshift.default.svc/apis/authorization.openshift.io/v1/subjectaccessreviews
    (the last one is only required to use openshift-sar)

Without these changes, the oauth proxy couldn't authenticate clients because there is a discrepancy between the OAuth endpoints exposed by the OpenShift API and the public certificate (see oauth logs at [3]).

Is that expected? Did I miss some documentation?

Thanks!
Simon

[1] https://github.com/openshift/oauth-proxy
[2] https://github.com/openshift/oauth-proxy/blob/master/contrib/sidecar.yaml
[3] https://pastebin.com/Fk1h1a7v
