OpenShift - Create htpasswd OAuth Identity Provider

If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

OpenShift can be configured with the following identity providers.

  • GitHub
  • htpasswd (flat file with a user's username and password)
  • Keystone
  • kubeadmin (default administrator user ID)
  • LDAP
  • OpenID Connect

To set up OpenShift with an htpasswd Identity Provider, you must first create the htpasswd file and then create a secret that contains the htpasswd file (such as htpasswd-secret). The htpasswd secret must be created in the openshift-config namespace.

oc create secret generic htpasswd-secret --from-file=htpasswd=/path/to/your/htpasswd/file --namespace openshift-config
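
The first step above is creating the htpasswd file. As an added example (not from the original article), the shell function below lints such a file before it is loaded into the secret, flagging malformed lines, duplicate users and entries that are not bcrypt hashes. The function names, the bcrypt-only policy and the sample entries (constructed, with fake hash strings) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): lint an htpasswd file before
# it is loaded into a secret. The bcrypt-only policy is an assumption.

# check_htpasswd FILE: print one finding per problem, return 1 if any exist.
check_htpasswd() {
  awk -F: '
    /^[ \t]*$/ { next }                               # skip blank lines
    NF < 2 || $1 == "" || $2 == "" {
      printf "line %d: malformed entry, expected user:hash\n", NR
      bad = 1; next
    }
    seen[$1]++ { printf "line %d: duplicate user %s\n", NR, $1; bad = 1 }
    {
      hash = substr($0, length($1) + 2)               # text after first colon
      p = substr(hash, 1, 4)
      if (p == "$2a$" || p == "$2b$" || p == "$2y$") next   # bcrypt prefix
      if (index(hash, "$apr1$") == 1)      scheme = "apr1-md5"
      else if (index(hash, "{SHA}") == 1)  scheme = "sha1"
      else                                 scheme = "crypt-or-plaintext"
      printf "line %d: user %s uses %s, re-hash with htpasswd -B\n", NR, $1, scheme
      bad = 1
    }
    END { exit bad + 0 }
  ' "$1"
}

# write_sample FILE: constructed input for the demo; the hash strings are fake.
write_sample() {
  cat > "$1" <<'EOF'
alice:$2y$05$constructedSampleValueNotARealBcryptDigest000000000000
bob:$apr1$constructed$sampleNotARealDigest00
carol:{SHA}constructedSampleNotReal=
bob:$2y$05$constructedSampleValueNotARealBcryptDigest111111111111

dave
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
check_htpasswd "$sample" || echo "fix the findings above before creating the secret"
rm -f "$sample"
```

The check only looks at the hash prefix, so it confirms the scheme in use, not that a hash is well formed or that the password behind it is strong.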


You will then update the OAuth YAML with htpasswd. For example, you could use the oc edit command to edit the OAuth YAML.

oc edit oauth


Here is an example of what you would have in the OAuth YAML file.


The value of must be an exact match of the name of your htpasswd secret.

This must be done by a user that has the cluster-admin role. The oc describe clusterrolebinding command can be used to list the users and groups that have the cluster-admin role.

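apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - htpasswd:
      fileData:
        # name of the secret in the openshift-config namespace
        name: htpasswd-secret
    mappingMethod: claim
    name: htpasswd
    type: HTPasswd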


In the openshift-authentication namespace, there should be a "cliconfig" config map that contains the enabled authentication methods.

~]$ oc get configmaps --namespace openshift-authentication
NAME                                   DATA   AGE
kube-root-ca.crt                       1      161d
openshift-service-ca.crt               1      161d
v4-0-config-system-cliconfig           1      355d
v4-0-config-system-metadata            1      355d
v4-0-config-system-service-ca          1      355d
v4-0-config-system-trusted-ca-bundle   1      355d


After the OAuth YAML has been updated with htpasswd, the "cliconfig" config map should contain htpasswd.

~]$ oc get configmap v4-0-config-system-cliconfig --namespace openshift-authentication --output json
    "data": {
        "v4-0-config-system-cliconfig": {
                "challenge": true,
                "login": true,
                "mappingMethod": "claim",
                "name": "htpasswd_provider",
                "provider": {
                    "apiVersion": "",
                    "file": "/var/config/user/idp/1/secret/v4-0-config-user-idp-1-file-data/htpasswd",
                    "kind": "HTPasswdPasswordIdentityProvider"


Let's say your htpasswd file contains a user named john.doe. If john.doe has not logged into OpenShift at least once, the oc get users command should return NotFound.

~]$ oc get users john.doe
Error from server (NotFound): "john.doe" not found


John Doe will need to log into OpenShift.

~]$ oc login -u john.doe
Authentication required for (openshift)
Username: john.doe
Login successful.


And now the oc get users command should return john.doe.

~]$ oc get users john.doe
NAME       UID                                    FULL NAME   IDENTITIES
john.doe   127a869c-342a-4ea4-9f8e-9945276dc842               htpasswd_provider:john.doe

