diff --git a/install_config/configuring_authentication.adoc b/install_config/configuring_authentication.adoc
index b37af4eca8c2..7cd1ed88029f 100644
--- a/install_config/configuring_authentication.adoc
+++ b/install_config/configuring_authentication.adoc
@@ -991,7 +991,7 @@ oauthConfig:
   ...
   identityProviders:
   - name: gitlab <1>
-    challenge: false <2>
+    challenge: true <2>
     login: true <3>
     mappingMethod: claim <4>
     provider:
@@ -1004,6 +1004,10 @@ oauthConfig:
 ----
 <1> This provider name is prefixed to the GitLab numeric user ID to form an
 identity name. It is also used to build the callback URL.
+<2> When *true*, unauthenticated token requests from non-web clients (like
+the CLI) are sent a `WWW-Authenticate` challenge header for this provider.
+This uses the http://doc.gitlab.com/ce/api/oauth2.html#resource-owner-password-credentials[Resource Owner Password Credentials]
+grant flow to obtain an access token from GitLab. 
 <2> *GitLabIdentityProvider* cannot be used to send `WWW-Authenticate`
 challenges.
 <3> When *true*, unauthenticated token requests from web clients (like the web
@@ -1133,7 +1137,7 @@ oauthConfig:
   ...
   identityProviders:
   - name: my_openid_connect <1>
-    challenge: false <2>
+    challenge: true <2>
     login: true <3>
     mappingMethod: claim <4>
     provider:
@@ -1156,6 +1160,10 @@ oauthConfig:
 ----
 <1> This provider name is prefixed to the value of the identity claim to form an
 identity name. It is also used to build the redirect URL.
+<2> When *true*, unauthenticated token requests from non-web clients (like
+the CLI) are sent a `WWW-Authenticate` challenge header for this provider.
+This requires the OpenID provider to support the 
+https://tools.ietf.org/html/rfc6749#section-1.3.3[Resource Owner Password Credentials] grant flow.
 <2> *OpenIDIdentityProvider* cannot be used to send `WWW-Authenticate`
 challenges.
 <3> When *true*, unauthenticated token requests from web clients (like the web