Document URL: https://docs.openshift.com/container-platform/4.1/authentication/identity_providers/configuring-request-header-identity-provider.html#configuring-request-header-identity-provider

Section Number and Name: "About request header authentication"

Describe the issue / Suggestions for improvement: When using the "Request Header" authentication provider in OpenShift 4.x, mutual TLS (mTLS) is required between the authentication proxy and OpenShift's OAuth server. This requirement was not enforced in OpenShift 3.x. If someone had set up Request Header without mTLS in OpenShift 3.x, it will not work when they move to OpenShift 4.x. This needs to be clearly stated in the documentation.

Additional information: Although the document does say:

"""If you expect unauthenticated requests to reach the OAuth server, a clientCA parameter MUST be set for this identity provider, so that incoming requests are checked for a valid client certificate before the request’s headers are checked for a user name. Otherwise, any direct request to the OAuth server can impersonate any identity from this provider, merely by setting a request header."""

However, it's the same in OpenShift 3.x and 4.x. Anyone moving from 3.x to 4.x will have no clue from the documentation that anything has changed. We need to clearly mention that this rule is now enforced and that Request Header based authentication will not work without mTLS.
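A pre-migration check for the situation this report describes, as an added example that is not part of the bug report or of OpenShift itself: it scans an already-parsed 3.x master configuration for request header providers that have no `clientCA`, which per this report will not work on 4.x. The key names assume the 3.x `master-config.yaml` layout, and the sample configuration, provider names and paths are constructed.

```python
# Added example. Key names assume the OpenShift 3.x master-config.yaml layout
# (oauthConfig.identityProviders[].provider); all sample values are constructed.
REQUEST_HEADER_KIND = "RequestHeaderIdentityProvider"


def audit_request_header_providers(master_config):
    """Return (provider name, finding) pairs for request header providers."""
    findings = []
    oauth = master_config.get("oauthConfig") or {}
    for idp in oauth.get("identityProviders") or []:
        provider = idp.get("provider") or {}
        if provider.get("kind") != REQUEST_HEADER_KIND:
            continue  # other identity providers are out of scope
        name = idp.get("name", "<unnamed>")
        client_ca = (provider.get("clientCA") or "").strip()
        if not client_ca:
            # No client certificate check: headers are trusted from any
            # caller on 3.x, and the setup will not work on 4.x.
            findings.append((name, "no-client-ca"))
        elif not provider.get("clientCommonNames"):
            # mTLS is on, but any certificate issued by the CA is accepted.
            findings.append((name, "any-cn-accepted"))
    return findings


# Constructed sample, shaped like a parsed 3.x master-config.yaml.
SAMPLE_MASTER_CONFIG = {"oauthConfig": {"identityProviders": [
    {"name": "sso_no_mtls", "provider": {
        "kind": REQUEST_HEADER_KIND, "headers": ["X-Remote-User"]}},
    {"name": "sso_mtls", "provider": {
        "kind": REQUEST_HEADER_KIND, "headers": ["X-Remote-User"],
        "clientCA": "/path/to/client-ca.crt",
        "clientCommonNames": ["my-auth-proxy"]}},
    {"name": "sso_mtls_any_cn", "provider": {
        "kind": REQUEST_HEADER_KIND, "headers": ["X-Remote-User"],
        "clientCA": "/path/to/client-ca.crt"}},
    {"name": "local_htpasswd", "provider": {
        "kind": "HTPasswdPasswordIdentityProvider",
        "file": "/path/to/htpasswd"}},
]}}

if __name__ == "__main__":
    for name, finding in audit_request_header_providers(SAMPLE_MASTER_CONFIG):
        print(f"{name}: {finding}")
```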
*** Bug 1730080 has been marked as a duplicate of this bug. ***
Submitted PR: https://github.com/openshift/openshift-docs/pull/15997
Hi @Chuan Yu, can you please review this? PR is here [1] and preview is here [2]. Thanks!

[1] https://github.com/openshift/openshift-docs/pull/15997
[2] https://bz-1730609--ocpdocs.netlify.com/openshift-enterprise/latest/authentication/identity_providers/configuring-request-header-identity-provider.html#identity-provider-about-request-header_configuring-request-header-identity-provider
The changes lgtm.
PR has been merged. Moving to RELEASE_PENDING.
Changes are live:

docs.openshift.com
* https://docs.openshift.com/container-platform/4.1/authentication/identity_providers/configuring-request-header-identity-provider.html#identity-provider-about-request-header_configuring-request-header-identity-provider
* https://docs.openshift.com/container-platform/4.1/authentication/identity_providers/configuring-request-header-identity-provider.html#identity-provider-request-header-CR_configuring-request-header-identity-provider

Customer Portal
* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.1/html-single/authentication/index#identity-provider-about-request-header_configuring-request-header-identity-provider
* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.1/html-single/authentication/index#identity-provider-request-header-CR_configuring-request-header-identity-provider