Merge pull request #2016 from liggitt/oidc-password

adellape · web-flow · commit 098183f7d292 · 2016-06-09T17:47:42.000-04:00
OpenID/GitLab challenge options
diff --git a/install_config/configuring_authentication.adoc b/install_config/configuring_authentication.adoc
@@ -997,7 +997,7 @@ oauthConfig:
   ...
   identityProviders:
   - name: gitlab <1>
-    challenge: false <2>
+    challenge: true <2>
     login: true <3>
     mappingMethod: claim <4>
     provider:
@@ -1010,6 +1010,10 @@ oauthConfig:
 ----
 <1> This provider name is prefixed to the GitLab numeric user ID to form an
 identity name. It is also used to build the callback URL.
+<2> When *true*, unauthenticated token requests from non-web clients (like
+the CLI) are sent a `WWW-Authenticate` challenge header for this provider.
+This uses the http://doc.gitlab.com/ce/api/oauth2.html#resource-owner-password-credentials[Resource Owner Password Credentials]
+grant flow to obtain an access token from GitLab. 
 <2> *GitLabIdentityProvider* cannot be used to send `WWW-Authenticate`
 challenges.
 <3> When *true*, unauthenticated token requests from web clients (like the web
@@ -1139,7 +1143,7 @@ oauthConfig:
   ...
   identityProviders:
   - name: my_openid_connect <1>
-    challenge: false <2>
+    challenge: true <2>
     login: true <3>
     mappingMethod: claim <4>
     provider:
@@ -1162,6 +1166,10 @@ oauthConfig:
 ----
 <1> This provider name is prefixed to the value of the identity claim to form an
 identity name. It is also used to build the redirect URL.
+<2> When *true*, unauthenticated token requests from non-web clients (like
+the CLI) are sent a `WWW-Authenticate` challenge header for this provider.
+This requires the OpenID provider to support the 
+https://tools.ietf.org/html/rfc6749#section-1.3.3[Resource Owner Password Credentials] grant flow.
 <2> *OpenIDIdentityProvider* cannot be used to send `WWW-Authenticate`
 challenges.
 <3> When *true*, unauthenticated token requests from web clients (like the web
