@@ -997,7 +997,7 @@ oauthConfig:
997
997
...
998
998
identityProviders:
999
999
- name: gitlab <1>
1000
- challenge: false <2>
1000
+ challenge: true <2>
1001
1001
login: true <3>
1002
1002
mappingMethod: claim <4>
1003
1003
provider:
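Review bot: at `challenge: true <2>` the GitLab sample now enables challenge-based login for every reader who copies it, and the callout added later in this patch says that path uses the Resource Owner Password Credentials grant. Under that grant the user's GitLab password is handed to the OpenShift side, which exchanges it for a token. I would either keep the sample at `challenge: false` and describe `true` as opt-in, or state in the callout that the password passes through the master so administrators can decide deliberately.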
@@ -1010,6 +1010,10 @@ oauthConfig:
1010
1010
----
1011
1011
<1> This provider name is prefixed to the GitLab numeric user ID to form an
1012
1012
identity name. It is also used to build the callback URL.
1013
+ <2> When *true*, unauthenticated token requests from non-web clients (like
1014
+ the CLI) are sent a `WWW-Authenticate` challenge header for this provider.
1015
+ This uses the http://doc.gitlab.com/ce/api/oauth2.html#resource-owner-password-credentials[Resource Owner Password Credentials]
1016
+ grant flow to obtain an access token from GitLab.
1013
1017
<2> *GitLabIdentityProvider* cannot be used to send `WWW-Authenticate`
1014
1018
challenges.
1015
1019
<3> When *true*, unauthenticated token requests from web clients (like the web
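Review bot: the existing callout `<2> *GitLabIdentityProvider* cannot be used to send WWW-Authenticate challenges.` is still present as an unchanged context line right below the new `<2>` text, so the rendered page will carry two `<2>` callouts that contradict each other. Please delete the old one in this same hunk. The GitLab link in the new callout also uses `http://`; switch it to `https://` if the target serves it.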
@@ -1139,7 +1143,7 @@ oauthConfig:
1139
1143
...
1140
1144
identityProviders:
1141
1145
- name: my_openid_connect <1>
1142
- challenge: false <2>
1146
+ challenge: true <2>
1143
1147
login: true <3>
1144
1148
mappingMethod: claim <4>
1145
1149
provider:
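Review bot: flipping the OpenID Connect sample to `challenge: true <2>` makes the example depend on a capability that the new callout itself describes as a requirement on the provider (support for the Resource Owner Password Credentials grant). A reader whose provider lacks that grant gets a configuration that advertises a `WWW-Authenticate` challenge the CLI cannot complete. Suggest leaving the sample at `false`, or adding a short inline comment that `true` is only valid when the provider supports the grant.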
@@ -1162,6 +1166,10 @@ oauthConfig:
1162
1166
----
1163
1167
<1> This provider name is prefixed to the value of the identity claim to form an
1164
1168
identity name. It is also used to build the redirect URL.
1169
+ <2> When *true*, unauthenticated token requests from non-web clients (like
1170
+ the CLI) are sent a `WWW-Authenticate` challenge header for this provider.
1171
+ This requires the OpenID provider to support the
1172
+ https://tools.ietf.org/html/rfc6749#section-1.3.3[Resource Owner Password Credentials] grant flow.
1165
1173
<2> *OpenIDIdentityProvider* cannot be used to send `WWW-Authenticate`
1166
1174
challenges.
1167
1175
<3> When *true*, unauthenticated token requests from web clients (like the web
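Review bot: same leftover as in the GitLab section. The old `<2> *OpenIDIdentityProvider* cannot be used to send WWW-Authenticate challenges.` line remains as context after the added `<2>` text and should be removed here. Separately, the two new callouts are worded differently ("This uses the ... grant flow to obtain an access token" for GitLab, "This requires the OpenID provider to support the ... grant flow" here); aligning them would make it clear that both mean the same mechanism.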