From 42d31a70854a4d05bb98c19f42b0f9b1ca1535d4 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Thu, 19 Aug 2021 09:59:47 -0700 Subject: [PATCH] Update login.md doc to mention OIDC CLI-based flow --- site/content/docs/howto/login.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/site/content/docs/howto/login.md b/site/content/docs/howto/login.md index 6420023d..edc3329a 100644 --- a/site/content/docs/howto/login.md +++ b/site/content/docs/howto/login.md 
@@ -93,15 +93,18 @@ to authenticate the user to the cluster. If the Pinniped Supervisor is used for authentication to that cluster, then the user's authentication experience will depend on which type of identity provider was configured. -- For an OIDC identity provider, `kubectl` will open the user's web browser and direct it to the login page of +- For an OIDC identity provider, there are two supported client flows. + + When using the default browser-based flow, `kubectl` will open the user's web browser and direct it to the login page of their OIDC Provider. This login flow is controlled by the provider, so it may include two-factor authentication or - other features provided by the OIDC Provider. - - If the user's browser is not available, then `kubectl` will instead print a URL which can be visited in a - browser (potentially on a different computer) to complete the authentication. + other features provided by the OIDC Provider. If the user's browser is not available, then `kubectl` will instead + print a URL which can be visited in a browser (potentially on a different computer) to complete the authentication. + + When using the optional CLI-based flow, `kubectl` will interactively prompt the user for their username and password at the CLI. + Alternatively, the user can set the environment variables `PINNIPED_USERNAME` and `PINNIPED_PASSWORD` for the + `kubectl` process to avoid the interactive prompts. - For an LDAP identity provider, `kubectl` will interactively prompt the user for their username and password at the CLI. - Alternatively, the user can set the environment variables `PINNIPED_USERNAME` and `PINNIPED_PASSWORD` for the `kubectl` process to avoid the interactive prompts.
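Review bot: The last removed line in this hunk takes "Alternatively, the user can set the environment variables `PINNIPED_USERNAME` and `PINNIPED_PASSWORD` for the" out of the LDAP bullet but keeps its continuation line as context, so the LDAP item now reads "... at the CLI. `kubectl` process to avoid the interactive prompts." Restore that line under the LDAP bullet (the diffstat would then show 5 deletions rather than 6), or reword the LDAP item so it refers to the environment variables described in the new OIDC CLI-based paragraph. Separately, the new CLI-based paragraph calls the flow "optional" without saying how a user selects it, and unlike the browser-based paragraph it does not say whether provider-controlled features such as two-factor authentication still apply; a sentence on each would let readers choose between the two flows.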