Section Number and Name:
"About request header authentication"
Describe the issue / Suggestions for improvement:
When using the "Request Header" authentication provider in OpenShift 4.x, mutual TLS (mTLS)
is required between the authentication proxy and OpenShift's OAuth server.
This requirement was not enforced in OpenShift 3.x.
If someone had set up Request Header without mTLS in OpenShift 3.x, it will not work when
they move to OpenShift 4.x. This needs to be clearly stated in the documentation.
Although the document does say:
"""If you expect unauthenticated requests to reach the OAuth server, a clientCA parameter
MUST be set for this identity provider, so that incoming requests are checked for a valid
client certificate before the request’s headers are checked for a user name. Otherwise,
any direct request to the OAuth server can impersonate any identity from this provider,
merely by setting a request header."""
However, it's the same in OpenShift 3.x and 4.x. Anyone moving from 3.x to 4.x will have no
clue from the documentation that anything has changed.
We need to clearly mention that this rule is now enforced and that Request Header based
authentication will not work without mTLS.
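A pre-migration check for the situation described above, as an added example that is not part of the original report or of OpenShift: it reads an OpenShift 4.x OAuth resource (the JSON shape of `oc get oauth cluster -o json`) and flags Request Header providers that have no client CA configured. The sample resource, the provider names and the function name `audit_request_header_idps` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `oc get oauth cluster -o json` (OpenShift 4.x).
SAMPLE_OAUTH = json.loads("""
{
  "apiVersion": "config.openshift.io/v1",
  "kind": "OAuth",
  "metadata": {"name": "cluster"},
  "spec": {"identityProviders": [
    {"name": "proxy-with-mtls", "type": "RequestHeader", "mappingMethod": "claim",
     "requestHeader": {"headers": ["X-Remote-User"],
                       "ca": {"name": "ca-config-map"},
                       "clientCommonNames": ["my-auth-proxy"]}},
    {"name": "proxy-migrated-from-3x", "type": "RequestHeader", "mappingMethod": "claim",
     "requestHeader": {"headers": ["X-Remote-User"]}},
    {"name": "proxy-any-cn", "type": "RequestHeader", "mappingMethod": "claim",
     "requestHeader": {"headers": ["X-Remote-User"],
                       "ca": {"name": "ca-config-map"}}},
    {"name": "local-users", "type": "HTPasswd", "mappingMethod": "claim",
     "htpasswd": {"fileData": {"name": "htpass-secret"}}}
  ]}
}
""")


def audit_request_header_idps(oauth):
    """Return {provider name: [findings]} for RequestHeader providers only."""
    results = {}
    for idp in oauth.get("spec", {}).get("identityProviders") or []:
        if idp.get("type") != "RequestHeader":
            continue  # other provider types do not trust proxy-set headers
        cfg = idp.get("requestHeader") or {}
        findings = []
        if not (cfg.get("ca") or {}).get("name"):
            # No CA config map: the proxy's client certificate cannot be verified.
            findings.append("no client CA: mTLS with the proxy is not configured")
        elif not cfg.get("clientCommonNames"):
            # With an empty list, any common name signed by the CA is accepted.
            findings.append("clientCommonNames empty: any cert from the CA is accepted")
        if not cfg.get("headers"):
            findings.append("no user name headers configured")
        results[idp.get("name", "<unnamed>")] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit_request_header_idps(SAMPLE_OAUTH).items():
        print(f"{name}: {'; '.join(findings) if findings else 'OK'}")
```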
*** Bug 1730080 has been marked as a duplicate of this bug. ***
Submitted PR: https://github.com/openshift/openshift-docs/pull/15997
Hi @Chuan Yu, can you please review this? PR is here  and preview is here . Thanks!
The changes lgtm.
PR has been merged. Moving to RELEASE_PENDING.
Changes are live: