Commit 098183f

Merge pull request #2016 from liggitt/oidc-password
OpenID/GitLab challenge options
2 parents 6121e57 + 4b40919 commit 098183f

1 file changed

+10
-2
lines changed

install_config/configuring_authentication.adoc

Lines changed: 10 additions & 2 deletions
@@ -997,7 +997,7 @@ oauthConfig:
997997
...
998998
identityProviders:
999999
- name: gitlab <1>
1000-
challenge: false <2>
1000+
challenge: true <2>
10011001
login: true <3>
10021002
mappingMethod: claim <4>
10031003
provider:
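Review bot: changing the sample to `challenge: true` at line 1000 makes the password-based flow the copy-paste default for the GitLab provider, because the <2> callout added further down says this setting uses the Resource Owner Password Credentials grant. Under that grant the user's GitLab password is collected by the CLI and passes through the OAuth server configured here on its way to GitLab, instead of being entered only on GitLab's own login page. Consider leaving the sample at `challenge: false` and presenting `true` as an opt-in in the callout, or saying in the callout that enabling it means this server handles GitLab passwords.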
@@ -1010,6 +1010,10 @@ oauthConfig:
10101010
----
10111011
<1> This provider name is prefixed to the GitLab numeric user ID to form an
10121012
identity name. It is also used to build the callback URL.
1013+
<2> When *true*, unauthenticated token requests from non-web clients (like
1014+
the CLI) are sent a `WWW-Authenticate` challenge header for this provider.
1015+
This uses the http://doc.gitlab.com/ce/api/oauth2.html#resource-owner-password-credentials[Resource Owner Password Credentials]
1016+
grant flow to obtain an access token from GitLab.
10131017
<2> *GitLabIdentityProvider* cannot be used to send `WWW-Authenticate`
10141018
challenges.
10151019
<3> When *true*, unauthenticated token requests from web clients (like the web
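Review bot: the new <2> callout at lines 1013-1016 is added above the existing <2> callout, which stays as unchanged context at 1017-1018 and still says *GitLabIdentityProvider* cannot be used to send `WWW-Authenticate` challenges. The file would then have two <2> entries for the same listing that contradict each other; the old two lines should be removed in this hunk. Minor: the GitLab link uses `http://` while the RFC link added in the OpenID section uses `https://`, so it is worth switching if the GitLab docs are served over HTTPS.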
@@ -1139,7 +1143,7 @@ oauthConfig:
11391143
...
11401144
identityProviders:
11411145
- name: my_openid_connect <1>
1142-
challenge: false <2>
1146+
challenge: true <2>
11431147
login: true <3>
11441148
mappingMethod: claim <4>
11451149
provider:
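Review bot: the sample now sets `challenge: true` at line 1146, but the <2> callout added for this provider says that depends on the OpenID provider supporting the Resource Owner Password Credentials grant, and nothing at the point where the value is set signals that dependency. Since the sample is generic (`my_openid_connect`), it would be safer to keep `challenge: false` here and let the callout explain when `true` is appropriate, so that a copied configuration does not turn on password collection for a provider that was never checked for that grant.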
@@ -1162,6 +1166,10 @@ oauthConfig:
11621166
----
11631167
<1> This provider name is prefixed to the value of the identity claim to form an
11641168
identity name. It is also used to build the redirect URL.
1169+
<2> When *true*, unauthenticated token requests from non-web clients (like
1170+
the CLI) are sent a `WWW-Authenticate` challenge header for this provider.
1171+
This requires the OpenID provider to support the
1172+
https://tools.ietf.org/html/rfc6749#section-1.3.3[Resource Owner Password Credentials] grant flow.
11651173
<2> *OpenIDIdentityProvider* cannot be used to send `WWW-Authenticate`
11661174
challenges.
11671175
<3> When *true*, unauthenticated token requests from web clients (like the web
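Review bot: as in the GitLab section, the new <2> callout at lines 1169-1172 sits directly above the old <2> callout, which remains as context at 1173-1174 and still states that *OpenIDIdentityProvider* cannot be used to send `WWW-Authenticate` challenges. Drop the old callout in this hunk so the listing has a single, consistent <2> entry.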
