The OAuth Server is the authentication gateway for OpenShift clusters. It handles user authentication via configurable identity providers and issues OAuth 2.0 access tokens for cluster API access.
The OAuth Server runs as the oauth-openshift deployment in the openshift-authentication namespace and is managed by the cluster-authentication-operator.
Documentation: See ARCHITECTURE.md for comprehensive architecture details, including features, components, and design decisions.
View OAuth server in a cluster:
oc get deployment oauth-openshift -n openshift-authentication
oc get pods -n openshift-authentication -l app=oauth-openshift
oc logs -n openshift-authentication -l app=oauth-openshift -c oauth-openshift
oc get oauth cluster -o yaml
Build locally:
make build
For development setup, build commands, testing, and project structure, see CONTRIBUTING.md - Development Setup.
The OAuth server is deployed as oauth-openshift in the openshift-authentication namespace and is managed by the cluster-authentication-operator. Do not deploy manually in production clusters.
For complete deployment details including replicas, volumes, dependencies, and configuration, see ARCHITECTURE.md - Deployment Architecture.
The OAuth server is a security-critical component:
- Follow OAuth 2.0 security best practices (RFC 6749 Section 10)
- Never log passwords, tokens, or session cookies
- Never bypass TLS validation or skip authentication checks
- For security issues, follow the OpenShift Security Response Process
For detailed security architecture, see ARCHITECTURE.md - Security Architecture.
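One way to apply the "never log passwords, tokens, or session cookies" rule before request data reaches a logger. This is an added example, not code from the oauth-server repository; the helper names `RedactURL` and `RedactHeader` and all sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const redacted = "REDACTED"

// RedactURL returns raw in a form that is safe to log (hypothetical helper).
func RedactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return redacted // never log unparseable input verbatim
	}
	u.User = nil                       // drop user:password@ userinfo
	u.Fragment, u.RawFragment = "", "" // implicit-grant redirects carry the token here
	q := u.Query()
	for k := range q {
		switch strings.ToLower(k) { // parameters that carry OAuth 2.0 credentials
		case "password", "client_secret", "code", "access_token", "refresh_token", "id_token":
			q[k] = []string{redacted}
		}
	}
	u.RawQuery = q.Encode() // Encode sorts keys, so the output is deterministic
	return u.String()
}

// RedactHeader keeps the auth scheme but drops the credential or cookie value.
func RedactHeader(name, value string) string {
	switch http.CanonicalHeaderKey(name) {
	case "Authorization", "Proxy-Authorization":
		if parts := strings.SplitN(value, " ", 2); len(parts) == 2 {
			return parts[0] + " " + redacted
		}
		return redacted // no scheme present: the whole value may be the token
	case "Cookie", "Set-Cookie":
		return redacted
	}
	return value
}

func main() {
	// Constructed sample values, not taken from a real cluster.
	fmt.Println(RedactURL("https://oauth.example.test/oauth/token?grant_type=password&username=alice&password=hunter2"))
	fmt.Println(RedactHeader("authorization", "Bearer constructed-sample-token"))
}
```

Redaction at the logging boundary is a backstop; the primary control is still not passing credential-bearing values to log calls at all.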
Note: External OIDC support is available; when enabled, this OAuth server is disabled and the cluster uses an external OIDC provider. See ARCHITECTURE.md - External OIDC for details.
See CONTRIBUTING.md for code conventions, testing guidelines, and the pull request process.
- OpenShift Authentication Documentation: https://docs.openshift.com/container-platform/latest/authentication/
- OAuth 2.0 RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749
- OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html
For issues and questions:
- Red Hat Employees: Post in the #forum-ocp-apiserver Slack channel
- Bug Reports: File a Jira ticket in the CNTRLPLANE project
- Feature Requests: File an RFE (Request for Enhancement) in Jira; approved RFEs may require an OpenShift Enhancement Proposal
- Security Issues: Follow the OpenShift Security Response Process
This project is licensed under the Apache License 2.0. See the LICENSE file for details.