djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update login.md doc to mention OIDC CLI-based flow

Browse Source
This commit is contained in:
Ryan Richard 2021-08-19 09:59:47 -07:00
parent 61c21d2977
commit 42d31a7085
1 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
site/content/docs/howto/login.md
View File

@ -93,15 +93,18 @@ to authenticate the user to the cluster.
If the Pinniped Supervisor is used for authentication to that cluster, then the user's authentication experience If the Pinniped Supervisor is used for authentication to that cluster, then the user's authentication experience
will depend on which type of identity provider was configured. will depend on which type of identity provider was configured.
- For an OIDC identity provider, `kubectl` will open the user's web browser and direct it to the login page of - For an OIDC identity provider, there are two supported client flows.
When using the default browser-based flow, `kubectl` will open the user's web browser and direct it to the login page of
their OIDC Provider. This login flow is controlled by the provider, so it may include two-factor authentication or their OIDC Provider. This login flow is controlled by the provider, so it may include two-factor authentication or
other features provided by the OIDC Provider. other features provided by the OIDC Provider. If the user's browser is not available, then `kubectl` will instead
print a URL which can be visited in a browser (potentially on a different computer) to complete the authentication.
If the user's browser is not available, then `kubectl` will instead print a URL which can be visited in a
browser (potentially on a different computer) to complete the authentication. When using the optional CLI-based flow, `kubectl` will interactively prompt the user for their username and password at the CLI.
Alternatively, the user can set the environment variables `PINNIPED_USERNAME` and `PINNIPED_PASSWORD` for the
`kubectl` process to avoid the interactive prompts.
- For an LDAP identity provider, `kubectl` will interactively prompt the user for their username and password at the CLI. - For an LDAP identity provider, `kubectl` will interactively prompt the user for their username and password at the CLI.
Alternatively, the user can set the environment variables `PINNIPED_USERNAME` and `PINNIPED_PASSWORD` for the Alternatively, the user can set the environment variables `PINNIPED_USERNAME` and `PINNIPED_PASSWORD` for the
`kubectl` process to avoid the interactive prompts. `kubectl` process to avoid the interactive prompts.