The Authentication Operator

The OKD cluster provides the Authentication operator, which runs an OAuth server. The OAuth server provides OAuth access tokens to users when they attempt to authenticate to the API. An identity provider must be configured and available to the OAuth server.

The OKD cluster master includes a built-in OAuth server. Users obtain OAuth access tokens to authenticate themselves to the API.

The OAuth server uses an identity provider to validate the identity of the requester. The server reconciles the user with the identity and creates the OAuth access token that is then granted to the user. Identity and user resources are created automatically upon logging in.

When a person requests a new OAuth token, the OAuth server uses the configured identity provider to determine the identity of the person making the request. It then determines which user that identity maps to, creates an access token for that user, and returns the token for use.

OAuth token requests

OAuth client                  Usage
openshift-browser-client      Requests tokens at /oauth/token/request with a user-agent that can handle interactive logins.
openshift-challenging-client  Requests tokens with a user-agent that can handle WWW-Authenticate challenges.
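
The openshift-challenging-client row above, as an added example that is not part of the original page or OKD's own code: it builds the request that answers a WWW-Authenticate challenge and parses the access token out of the redirect the OAuth server sends back. The /oauth/authorize path, response_type=token, the X-CSRF-Token header, the host oauth.example.test and the sample redirect are assumptions not stated on this page.

```python
import base64
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumptions (not from this page): the authorize endpoint path, the
# implicit grant (response_type=token) and the X-CSRF-Token header.
AUTHORIZE_PATH = "/oauth/authorize"
CLIENT_ID = "openshift-challenging-client"


def build_challenge_request(oauth_host, username, password):
    """Return (url, headers) that answer a WWW-Authenticate: Basic challenge."""
    query = urlencode({"client_id": CLIENT_ID, "response_type": "token"})
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        # Non-empty value, as in OKD's documented curl flow (assumption).
        "X-CSRF-Token": "1",
    }
    return f"https://{oauth_host}{AUTHORIZE_PATH}?{query}", headers


def token_from_redirect(location):
    """Extract the token from the Location header of the 302 response."""
    parts = urlsplit(location)
    fragment = parse_qs(parts.fragment)
    query = parse_qs(parts.query)
    error = fragment.get("error") or query.get("error")
    if error:
        raise PermissionError(f"OAuth server refused the request: {error[0]}")
    if "access_token" not in fragment:
        raise ValueError("redirect carries no access_token fragment")
    return {
        "access_token": fragment["access_token"][0],
        "expires_in": int(fragment.get("expires_in", ["0"])[0]),
        "token_type": fragment.get("token_type", [""])[0],
    }


def redact(token):
    """Form that is safe to log; the full bearer token is never written."""
    return token[:10] + "..." if len(token) > 10 else "..."


# Constructed sample redirect, not captured from a real cluster.
SAMPLE_LOCATION = (
    "https://oauth.example.test/oauth/token/implicit"
    "#access_token=sha256~CONSTRUCTEDexampleTOKEN&expires_in=86400"
    "&scope=user%3Afull&token_type=Bearer"
)
```

The token travels in the URL fragment, so it does not reach server access logs, but any client-side logging of the Location header should go through something like redact() first.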