It is typically used in combination with an authenticating proxy, which sets the request header value.
This is similar to how the remote user plug-in in Open Shift Enterprise 2 allowed administrators to provide Kerberos, LDAP, and many other forms of enterprise authentication.
Using this method requires you to manually provision users.
uid" (13) stanza to validate user names and passwords against a remote server using a server-to-server Basic authentication request.
User names and passwords are validated against a remote URL that is protected by Basic authentication and returns JSON. identity Providers: - name: my_remote_basic_auth_provider (1) challenge: true (2) login: true (3) mapping Method: claim (4) provider: api Version: v1 kind: Basic Auth Password Identity Provider url: https:// (5) ca: /path/to/(6) cert File: /path/to/(7) key File: /path/to/(8).
See the CN and X509v3 # Subject Alternative Name in the output of: # openssl x509 -text -in /etc/pki/tls/certs/Server Name Root /var/www/html SSLEngine on SSLCertificate File /etc/pki/tls/certs/SSLCertificate Key File /etc/pki/tls/private/SSLCACertificate File /etc/pki/CA/certs/SSLProxy Engine on SSLProxy CACertificate File /etc/pki/CA/certs/# It's critical to enforce client certificates on the Master.
Otherwise # requests could spoof the X-Remote-User header by accessing the Master's # /oauth/authorize endpoint directly.If no attributes are provided, the default is to use oauth Config: ...