How to configure an HTPasswd identity provider in OpenShift 4?

Solution Verified - Updated -


  • Red Hat OpenShift Container Platform (RHOCP)
    • 4


  • How to configure an HTPasswd identity provider in OpenShift Container Platform 4?


Note: For OSD and ROSA clusters, please refer to How to use HTPasswd IdP on ROSA or OSD cluster.

Configuration for OpenShift Container Platform 4

  1. Create an HTPasswd file by installing the htpasswd utility by installing the httpd-tools package:

    # yum install httpd-tools
  2. Create or update an users.htpasswd file (note that the -c option will rewrite and truncate the file if already exists) with a user name and hashed password:

    $ htpasswd -c -B -b </path/to/users.htpasswd> <user_name> <password>
  3. Create the HTPasswd Secret with the previously created users.htpasswd file:

    $ oc create secret generic htpass-secret --from-file=htpasswd=</path/to/users.htpasswd> -n openshift-config
  4. Create a custom resource for an HTPasswd identity provider:

    $ cat
    kind: OAuth
      name: cluster
      - name: my_htpasswd_provider
        challenge: true
        login: true
        mappingMethod: claim
        type: HTPasswd
            name: htpass-secret
  5. Apply the defined CR:

    $ oc apply -f </path/to/CR>
  6. Now login using newly created user:

    $ oc login -u <username>
  7. Confirm that the user logged in successfully, and display the user name:

    $ oc whoami

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.



Thanks for writing this.

I followed the same but when I try login from my bastion node, I get certificate error:

[root@bastion multitenancy]# oc login -u user1 -p HP1nvent The server uses a certificate signed by an unknown authority. You can bypass the certificate check, but any data you send to the server could be intercepted by others. Use insecure connections? (y/n):

I have to go insecure to login.

Any suggestion/KCS article I need to follow?


In the 2nd step/bullet, the item reads:

              Create or update your with a user name and hashed password:

When I read the sentence, up to the word "your", something is missing. My question is, "your" what? Your file? Your username? Your password? There's something that should follow "your", and it's not there.

Thanks for taking the time to read my comment. I look forward to your response.

Step 2 modified to clarify that a users.htpasswd file needs to be created/updated.