<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>Authenticating users :: Eclipse Che Documentation</title>
<link rel="canonical" href="https://www.eclipse.org/che/docs/che-7/administration-guide/authenticating-users/">
<meta name="keywords" content="administration-guide, authenticating-users">
<meta name="generator" content="Antora 2.3.3">
<link rel="stylesheet" href="../../../_/css/site.css">
<link rel="stylesheet" href="../../../_/css/extra.css">
<link rel="stylesheet" href="../../../_/font-awesome-4.7.0/css/font-awesome.min.css">
<link rel="icon" href="../../../favicon.ico" type="image/x-icon">
</head>
<body class="article">
<div class="body">
<main class="article">
<div class="content">
<article class="doc">
<h1 class="page">Authenticating users</h1>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>This document covers all aspects of user authentication in Eclipse&#160;Che, both on the Che server and in workspaces. This includes securing all REST API endpoints, WebSocket or JSON RPC connections, and some web resources.</p>
</div>
<div class="paragraph">
<p>All authentication types use the <a href="https://jwt.io/introduction/">JWT open standard</a> as a container for transferring user identity information. In addition, Che server authentication is based on the <a href="https://openid.net/connect/">OpenID Connect</a> protocol implementation, which is provided by default by <a href="https://www.keycloak.org/">Keycloak</a>.</p>
</div>
<div class="paragraph">
<p>Authentication in workspaces implies the issuance of self-signed per-workspace JWT tokens and their verification on a dedicated service based on <a href="https://github.com/eclipse/che-jwtproxy/">JWTProxy</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="authentication-modes_authenticating-users"><a class="anchor" href="#authentication-modes_authenticating-users"></a>Authentication modes</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Che supports multiuser and single-user mode.</p>
</div>
<div class="paragraph">
<div class="title">Single-user mode</div>
<p>Single-user mode requires no authentication and anyone can access all cluster resources. In single-user mode, the server performs all operations as the predefined user, regardless of who accesses the server. Therefore, this mode is suitable only for use in a private instance for testing product possibilities and configurations.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>H2 database is used.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Che deployed in single-user mode has no authentication, and anyone who can access the URL of the Che deployment sees all workspaces and owns all resources. Because the deployment in this mode requires fewer containers, RAM and CPU requirements are lower. This mode is useful when the whole Che deployment is used by a single person or when resource usage must be kept low. Because the server does not authenticate users, the actions of multiple users logged in to the same workspace can interfere with each other.</p>
</div>
<div class="paragraph">
<p>Use third-party services, such as HAproxy or NGINX, to secure Che in single-user mode.</p>
</div>
<div class="paragraph">
<div class="title">Multiuser mode</div>
<p>Multiuser mode is the default mode for Che. It requires user authentication and offers isolated workspaces and their resources. In multiuser mode, workspaces are used in the scope of registered users and workspace definitions, and devfiles of particular workspaces can be shared and reused between many users.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Keycloak is used to authenticate users.</p>
</li>
<li>
<p>PostgreSQL database is used.</p>
</li>
</ul>
</div>
<div class="sect2">
<h3 id="_changing_the_authentication_mode"><a class="anchor" href="#_changing_the_authentication_mode"></a>Changing the authentication mode</h3>
<div class="paragraph">
<p>This procedure describes how to change the authentication mode for various deployment types.</p>
</div>
<div class="paragraph">
<div class="title">Procedure</div>
<p>Che deployed using the Che Operator defaults to multiuser mode. To change to single-user mode:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Update the <code>CheCluster</code> Custom Resource (CR) to set the <code>CHE_MULTIUSER</code> property to <code>false</code>:</p>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-yaml hljs" data-lang="yaml">spec:
  server:
    customCheProperties:
      CHE_MULTIUSER: "false"</code></pre>
</div>
</div>
</li>
</ol>
</div>
<div class="paragraph">
<p>Che deployed using the Helm installer defaults to single-user mode. To change to multiuser mode:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Set the <code>multiuser</code> Helm chart field to <code>true</code>:</p>
<div class="listingblock">
<div class="content">
<pre>$ helm upgrade --install che --force --namespace che --set global.cheDomain=<em>&lt;che-host&gt;</em> -f multi-user.yaml</pre>
</div>
</div>
</li>
</ol>
</div>
<div class="paragraph">
<p>Che deployed using the <code>chectl</code> command-line tool defaults to single-user mode. To change to multiuser mode:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Use the <code>--multiuser</code> (<code>-m</code>) option with the <code>chectl server:start</code> command:</p>
<div class="listingblock">
<div class="content">
<pre>$ chectl server:start --platform=minikube --installer=helm --multiuser</pre>
</div>
</div>
</li>
</ol>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="authenticating-to-the-che-server_authenticating-users"><a class="anchor" href="#authenticating-to-the-che-server_authenticating-users"></a>Authenticating to the Che server</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="authenticating-to-the-che-server-using-openid_authenticating-to-the-che-server"><a class="anchor" href="#authenticating-to-the-che-server-using-openid_authenticating-to-the-che-server"></a>Authenticating to the Che server using OpenID</h3>
<div class="paragraph">
<p>OpenID authentication on the Che server implies the presence of an external OpenID Connect provider and has the following main steps:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Authenticate the user through a JWT token that is retrieved from an HTTP request or, in case of a missing or invalid token, redirect the user to the Keycloak login page.</p>
</li>
<li>
<p>Send authentication tokens in an <strong>Authorization</strong> header. In limited cases, when it is impossible to use the <strong>Authorization</strong> header, the token can be sent in the <code>token</code> query parameter, for example during OAuth authentication initialization.</p>
</li>
<li>
<p>Compose an internal <code>subject</code> object that represents the current user inside the Che server code.</p>
</li>
</ul>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
The only supported and tested OpenID provider is Keycloak.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<div class="title">Procedure</div>
<p>To authenticate to the Che server using OpenID authentication:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Request the OpenID settings service where clients can find all the necessary URLs and properties of the OpenID provider, such as <code>jwks.endpoint</code>, <code>token.endpoint</code>, <code>logout.endpoint</code>, <code>realm.name</code>, or <code>client_id</code>, returned in the JSON format.</p>
</li>
<li>
<p>The service URL is <code>https://<em>&lt;che-host&gt;</em>:<em>&lt;che-port&gt;</em>/api/keycloak/settings</code>, and it is only available in the Che multiuser mode. The presence of the service at this URL confirms that authentication is enabled in the current deployment.</p>
<div class="paragraph">
<p>Example output:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-json hljs" data-lang="json">{
  "che.keycloak.token.endpoint": "http://172.19.20.9:5050/auth/realms/che/protocol/openid-connect/token",
  "che.keycloak.profile.endpoint": "http://172.19.20.9:5050/auth/realms/che/account",
  "che.keycloak.client_id": "che-public",
  "che.keycloak.auth_server_url": "http://172.19.20.9:5050/auth",
  "che.keycloak.password.endpoint": "http://172.19.20.9:5050/auth/realms/che/account/password",
  "che.keycloak.logout.endpoint": "http://172.19.20.9:5050/auth/realms/che/protocol/openid-connect/logout",
  "che.keycloak.realm": "che"
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>The service allows downloading the JavaScript client library to interact with the provider using the <code>https://<em>&lt;che-host&gt;</em>:<em>&lt;che-port&gt;</em>/api/keycloak/OIDCKeycloak.js</code> URL.</p>
</div>
</li>
<li>
<p>Redirect the user to the appropriate provider&#8217;s login page with all the necessary parameters, including <code>client_id</code> and the return redirection path. This can be done with any client library (JS or Java).</p>
</li>
<li>
<p>When the user is logged in to the provider and the client-side code has obtained and validated the JWT token, the creation of the <code>subject</code> begins.</p>
</li>
</ol>
</div>
<div class="paragraph">
<p>The verification of the token signature occurs in two main steps:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Authentication: The token is extracted from the <strong>Authorization</strong> header or from the <code>token</code> query parameter and is parsed using the public key retrieved from the provider. In case of expired, invalid, or malformed tokens, a <code>403</code> error is sent to the user. Keep the use of the query parameter to a minimum, because its support may be limited or removed completely in upcoming versions.</p>
<div class="paragraph">
<p>If the validation is successful, the parsed form of the token is passed to the environment initialization step:</p>
</div>
</li>
<li>
<p>Environment initialization: The filter extracts data from the JWT token claims, creates the user in the local database if it is not yet available, and constructs the <code>subject</code> object and sets it into the per-request <strong>EnvironmentContext</strong> object, which is statically accessible everywhere.</p>
<div class="paragraph">
<p>If the request was made using only a JWT token, the following single authentication filter is used:</p>
</div>
<div class="paragraph">
<p><strong>org.eclipse.che.multiuser.machine.authentication.server.MachineLoginFilter</strong>: The filter finds the user that the <code>userId</code> token belongs to, retrieves the user instance, and sets the principal to the session. The Che server-to-server requests are performed using a dedicated request factory that signs every request with the current subject token obtained from the <code>EnvironmentContext</code> object.</p>
</div>
</li>
</ol>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<div class="title">Providing user-specific data</div>
<p>Since Keycloak may store user-specific information (first and last name, phone number, job title), there is a special implementation of the <strong>ProfileDao</strong> that can provide this data to consumers. The implementation is read-only, so users cannot perform create and update operations.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="sect3">
<h4 id="obtaining-the-token-from-keycloak_authenticating-to-the-che-server"><a class="anchor" href="#obtaining-the-token-from-keycloak_authenticating-to-the-che-server"></a>Obtaining the token from credentials through Keycloak</h4>
<div class="paragraph">
<p>Clients that cannot run JavaScript or other clients (such as command-line clients or Selenium tests) must request the authorization token directly from Keycloak.</p>
</div>
<div class="paragraph">
<p>To obtain the token, send a request to the token endpoint with the username and password credentials. This request can be schematically described as the following cURL request:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>$ curl --insecure --data "grant_type=password&amp;client_id=che-public&amp;username=<em>&lt;USERNAME&gt;</em>&amp;password=<em>&lt;PASSWORD&gt;</em>" \ <i class="conum" data-value="1"></i><b>(1)</b> <i class="conum" data-value="2"></i><b>(2)</b>
https://&lt;keycloak_host&gt;/auth/realms/che/protocol/openid-connect/token <i class="conum" data-value="3"></i><b>(3)</b></pre>
</div>
</div>
<div class="colist arabic">
<table>
<tr>
<td><i class="conum" data-value="1"></i><b>1</b></td>
<td>Eclipse&#160;Che username</td>
</tr>
<tr>
<td><i class="conum" data-value="2"></i><b>2</b></td>
<td>Eclipse&#160;Che user&#8217;s password</td>
</tr>
<tr>
<td><i class="conum" data-value="3"></i><b>3</b></td>
<td>Keycloak host</td>
</tr>
</table>
</div>
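<div class="paragraph">
<p>The same password grant from a script, as an added example that is not part of the Che documentation or code base. It keeps TLS verification on (a CA bundle instead of <code>--insecure</code>), sends the credentials only in the POST body, refuses the plain-HTTP endpoints that the example settings output advertises unless told otherwise, and attaches the token in the <strong>Authorization</strong> header. The function names, the same-server check, and the <code>Bearer</code> scheme (RFC 6750) are assumptions of this example.</p>
</div>

```python
import json
import ssl
import urllib.parse
import urllib.request

# The example settings output shown earlier on this page (lab values, plain HTTP).
SAMPLE_SETTINGS = {
    "che.keycloak.token.endpoint":
        "http://172.19.20.9:5050/auth/realms/che/protocol/openid-connect/token",
    "che.keycloak.client_id": "che-public",
    "che.keycloak.auth_server_url": "http://172.19.20.9:5050/auth",
}

def token_endpoint(settings, allow_plain_http=False):
    """Return the token endpoint after checking what the settings service advertised."""
    url = settings["che.keycloak.token.endpoint"]
    tok = urllib.parse.urlsplit(url)
    auth = urllib.parse.urlsplit(settings["che.keycloak.auth_server_url"])
    if tok.scheme != "https" and not allow_plain_http:
        raise ValueError("token endpoint is not HTTPS: the password would be sent in clear text")
    if (tok.scheme, tok.netloc) != (auth.scheme, auth.netloc):
        raise ValueError("token endpoint is not on the advertised auth server")
    return url

def build_token_request(settings, username, password, allow_plain_http=False):
    """Password grant as a POST body, so the credentials are never part of a URL."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": settings["che.keycloak.client_id"],
        "username": username,
        "password": password,
    }).encode()
    return urllib.request.Request(
        token_endpoint(settings, allow_plain_http), data=form, method="POST")

def fetch_access_token(settings, username, password, cafile=None):
    """Send the request with certificate verification on; cafile is the cluster CA bundle."""
    context = ssl.create_default_context(cafile=cafile)
    request = build_token_request(settings, username, password)
    with urllib.request.urlopen(request, context=context, timeout=10) as response:
        return json.load(response)["access_token"]

def che_api_request(che_url, path, access_token):
    """Attach the token in the Authorization header instead of the token query parameter."""
    request = urllib.request.Request(che_url.rstrip("/") + path)
    request.add_header("Authorization", "Bearer " + access_token)
    return request
```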
<div class="paragraph">
<p>The Che dashboard uses a customized Keycloak login page and an authentication mechanism based on <code>grant_type=authorization_code</code>. It is a two-step authentication process:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Logging in and obtaining the authorization code.</p>
</li>
<li>
<p>Obtaining the token using this authorization code.</p>
</li>
</ol>
</div>
</div>
<div class="sect3">
<h4 id="obtaining-the-token-from-openshift-token-through-keycloak_authenticating-to-the-che-server"><a class="anchor" href="#obtaining-the-token-from-openshift-token-through-keycloak_authenticating-to-the-che-server"></a>Obtaining the token from the OpenShift token through Keycloak</h4>
<div class="paragraph">
<p>When Che is installed on OpenShift using the Operator and the OpenShift OAuth integration is enabled, as it is by default, the user&#8217;s Che authentication token can be retrieved from the user&#8217;s OpenShift token.</p>
</div>
<div class="paragraph">
<p>To retrieve the authentication token from the OpenShift token, send a request to the OpenShift token endpoint. This request can be schematically described as the following cURL request:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>$ curl --insecure -X POST \
-d "client_id=che-public" \
-d "subject_token=<em>&lt;USER_OPENSHIFT_TOKEN&gt;</em>" \ <i class="conum" data-value="1"></i><b>(1)</b>
-d "subject_issuer=<em>&lt;OPENSHIFT_IDENTITY_PROVIDER_NAME&gt;</em>" \ <i class="conum" data-value="2"></i><b>(2)</b>
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
--data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
https://<em>&lt;KEYCLOAK_HOST&gt;</em>/auth/realms/che/protocol/openid-connect/token <i class="conum" data-value="3"></i><b>(3)</b></pre>
</div>
</div>
<div class="colist arabic">
<table>
<tr>
<td><i class="conum" data-value="1"></i><b>1</b></td>
<td>The token retrieved by the end-user with the command <code>oc whoami --show-token</code></td>
</tr>
<tr>
<td><i class="conum" data-value="2"></i><b>2</b></td>
<td><code>openshift-v4</code> for OpenShift 4.x and <code>openshift-v3</code> for OpenShift 3.11</td>
</tr>
<tr>
<td><i class="conum" data-value="3"></i><b>3</b></td>
<td>Keycloak host</td>
</tr>
</table>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<i class="fa icon-warning" title="Warning"></i>
</td>
<td class="content">
Before using this token exchange feature, the end user must log in interactively at least once to the Che Dashboard using the OpenShift login page. This step is needed to link the OpenShift and Keycloak user accounts properly and to set the required user profile information.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect2">
<h3 id="authenticatinng-to-the-che-server-using-other-authentication-implementations_authenticating-to-the-che-server"><a class="anchor" href="#authenticatinng-to-the-che-server-using-other-authentication-implementations_authenticating-to-the-che-server"></a>Authenticating to the Che server using other authentication implementations</h3>
<div class="paragraph">
<p>This procedure describes how to use an OpenID Connect (OIDC) authentication implementation other than Keycloak.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Update the authentication configuration parameters that are stored in the <code>multiuser.properties</code> file (such as client ID, authentication URL, realm name).</p>
</li>
<li>
<p>Write a single filter or a chain of filters to validate tokens, create the user in the Che dashboard, and compose the <code>subject</code> object.</p>
</li>
<li>
<p>If the new authorization provider supports the OpenID protocol, use the OIDC JS client library available at the settings endpoint because it is decoupled from specific implementations.</p>
</li>
<li>
<p>If the selected provider stores additional data about the user (first and last name, job title), it is recommended to write a provider-specific <strong>ProfileDao</strong> implementation that provides this information.</p>
</li>
</ol>
</div>
</div>
<div class="sect2">
<h3 id="authenticating-to-the-che-server-using-oauth_authenticating-to-the-che-server"><a class="anchor" href="#authenticating-to-the-che-server-using-oauth_authenticating-to-the-che-server"></a>Authenticating to the Che server using OAuth</h3>
<div class="paragraph">
<p>For easy user interaction with third-party services, the Che server supports OAuth authentication. OAuth tokens are also used for GitHub-related plug-ins.</p>
</div>
<div class="paragraph">
<p>OAuth authentication has two main flows:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">delegated</dt>
<dd>
<p>Default. Delegates OAuth authentication to Keycloak server.</p>
</dd>
<dt class="hdlist1">embedded</dt>
<dd>
<p>Uses built-in Che server mechanism to communicate with OAuth providers.</p>
</dd>
</dl>
</div>
<div class="paragraph">
<p>To switch between the two implementations, use the <code>che.oauth.service_mode=<em>&lt;embedded|delegated&gt;</em></code> configuration property.</p>
</div>
<div class="paragraph">
<p>The main REST endpoint in the OAuth API is <code>/api/oauth</code>, which contains:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>An authentication method, <code>/authenticate</code>, that the OAuth authentication flow can start with.</p>
</li>
<li>
<p>A callback method, <code>/callback</code>, to process callbacks from the provider.</p>
</li>
<li>
<p>A token GET method, <code>/token</code>, to retrieve the current user&#8217;s OAuth token.</p>
</li>
<li>
<p>A token DELETE method, <code>/token</code>, to invalidate the current user&#8217;s OAuth token.</p>
</li>
<li>
<p>A GET method, <code>/</code>, to get the list of configured identity providers.</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="using-swagger-or-rest-clients-to-execute-queries_authenticating-to-the-che-server"><a class="anchor" href="#using-swagger-or-rest-clients-to-execute-queries_authenticating-to-the-che-server"></a>Using Swagger or REST clients to execute queries</h3>
<div class="paragraph">
<p>The user&#8217;s Keycloak token is used to execute queries to the secured API on the user&#8217;s behalf through REST clients. A valid token must be attached as the <strong>Request</strong> header or the <code>?token=$token</code> query parameter.</p>
</div>
<div class="paragraph">
<p>Access the Che Swagger interface at <code>https://<em>&lt;che-host&gt;</em>:<em>&lt;che-port&gt;</em>/swagger</code>. The user must be signed in through Keycloak, so that the access token is included in the <strong>Request</strong> header.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="authenticating-in-a-che-workspace_authenticating-users"><a class="anchor" href="#authenticating-in-a-che-workspace_authenticating-users"></a>Authenticating in a Che workspace</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Workspace containers may contain services that must be protected with authentication. Such protected services are called <strong>secure</strong>. To secure these services, use a machine authentication mechanism.</p>
</div>
<div class="paragraph">
<p>JWT tokens avoid the need to pass Keycloak tokens to workspace containers (which can be insecure). Also, Keycloak tokens may have a relatively short lifetime and require periodic renewals or refreshes, which is difficult to manage and keep in sync with the same user session tokens on clients.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="../_images/security/che-authentication-inside-the-workspace.png" alt="che authentication inside the workspace">
</div>
<div class="title">Figure 1. Authentication inside a workspace</div>
</div>
<div class="sect2">
<h3 id="creating-secure-servers_authenticating-in-a-che-workspace"><a class="anchor" href="#creating-secure-servers_authenticating-in-a-che-workspace"></a>Creating secure servers</h3>
<div class="paragraph">
<p>To create secure servers in Che workspaces, set the <code>secure</code> attribute of the endpoint to <code>true</code> in the <code>dockerimage</code> type component in the devfile.</p>
</div>
<div class="listingblock">
<div class="title">Devfile snippet for a secure server</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-yaml hljs" data-lang="yaml">components:
  - type: dockerimage
    endpoints:
      - attributes:
          secure: 'true'</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="workspace-jwt-token_authenticating-in-a-che-workspace"><a class="anchor" href="#workspace-jwt-token_authenticating-in-a-che-workspace"></a>Workspace JWT token</h3>
<div class="paragraph">
<p>Workspace tokens are JSON web tokens (<a href="https://jwt.io/">JWT</a>) that contain the following information in their claims:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>uid</code>: The ID of the user who owns this token</p>
</li>
<li>
<p><code>uname</code>: The name of the user who owns this token</p>
</li>
<li>
<p><code>wsid</code>: The ID of a workspace which can be queried with this token</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Every user is provided with a unique personal token for each workspace. The structure of a token and the signature are different than they are in Keycloak. The following is an example token view:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-json hljs" data-lang="json"># Header
{
  "alg": "RS512",
  "kind": "machine_token"
}
# Payload
{
  "wsid": "workspacekrh99xjenek3h571",
  "uid": "b07e3a58-ed50-4a6e-be17-fcf49ff8b242",
  "uname": "john",
  "jti": "06c73349-2242-45f8-a94c-722e081bb6fd"
}
# Signature
{
  "value": "RSASHA256(base64UrlEncode(header) + . + base64UrlEncode(payload))"
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>The RSA algorithm with the SHA-256 hash function is used for signing JWT tokens. It is not configurable. Also, there is no public service that distributes the public part of the key pair with which the token is signed.</p>
</div>
</div>
<div class="sect2">
<h3 id="machine-token-validation_authenticating-in-a-che-workspace"><a class="anchor" href="#machine-token-validation_authenticating-in-a-che-workspace"></a>Machine token validation</h3>
<div class="paragraph">
<p>The validation of machine tokens (JWT tokens) is performed using a dedicated per-workspace service with <code>JWTProxy</code> running on it in a separate Pod. When the workspace starts, this service receives the public part of the signing key pair from the Che server. A separate verification endpoint is created for each secure server. When traffic comes to that endpoint, <code>JWTProxy</code> tries to extract the token from the cookies or headers and validates it using the public-key part.</p>
</div>
<div class="paragraph">
<p>To query the Che server, a workspace server can use the machine token provided in the <code>CHE_MACHINE_TOKEN</code> environment variable. This token belongs to the user who starts the workspace. The scope of such requests is restricted to the current workspace only. The list of allowed operations is also strictly limited.</p>
</div>
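<div class="paragraph">
<p>The checks that a verifier of these tokens has to make, as an added example that is not Che or <code>JWTProxy</code> code: reject malformed tokens, pin the algorithm instead of trusting the token header, verify the RSA signature with the public key, reject expired tokens, and bind the token to one workspace through <code>wsid</code>. The first four are also the checks described for the server-side authentication step earlier on this page. The function names and the demo key are assumptions; the algorithm is pinned to <code>RS512</code>, the value in the example header above.</p>
</div>

```python
import base64, hashlib, hmac, json, time

# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2).
DIGEST_INFO = {
    "RS256": (hashlib.sha256, bytes.fromhex("3031300d060960864801650304020105000420")),
    "RS512": (hashlib.sha512, bytes.fromhex("3051300d060960864801650304020305000440")),
}

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def encoded_message(alg, data, size):
    """Build the padded digest that a valid RSA signature must decrypt to."""
    digest, prefix = DIGEST_INFO[alg]
    tail = prefix + digest(data).digest()
    return b"\x00\x01" + b"\xff" * (size - len(tail) - 3) + b"\x00" + tail

def verify_token(token, n, e, pinned_alg, workspace_id, now=None):
    """Return the claims, or raise ValueError so that the caller can refuse the request."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except (ValueError, AttributeError) as err:  # segment count, base64, JSON, non-string
        raise ValueError("malformed token") from err
    # The algorithm comes from the verifier's configuration, never from the token.
    if header.get("alg") != pinned_alg:
        raise ValueError("unexpected alg")
    size = (n.bit_length() + 7) // 8
    value = int.from_bytes(signature, "big")
    signed = (head_b64 + "." + body_b64).encode()
    if len(signature) != size or value >= n or not hmac.compare_digest(
            pow(value, e, n).to_bytes(size, "big"), encoded_message(pinned_alg, signed, size)):
        raise ValueError("bad signature")
    # Keycloak tokens carry exp; the machine token example on this page does not.
    exp = claims.get("exp")
    if exp is not None and not (isinstance(exp, (int, float)) and exp > (now or time.time())):
        raise ValueError("expired token")
    if claims.get("wsid") != workspace_id:
        raise ValueError("token issued for another workspace")
    return claims

# Constructed demo key built from two Mersenne primes: public knowledge, test use only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def demo_sign(header, claims):
    """Test-only signer, so that the example has a token to verify."""
    signed = ".".join(b64url_encode(json.dumps(part).encode()) for part in (header, claims))
    size = (N.bit_length() + 7) // 8
    padded = int.from_bytes(encoded_message(header["alg"], signed.encode(), size), "big")
    return signed + "." + b64url_encode(pow(padded, D, N).to_bytes(size, "big"))
```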
</div>
</div>
</div>
</article>
</div>
</main>
</div>
<script src="../../../_/js/site.js"></script>
<script async src="../../../_/js/vendor/highlight.js"></script>
</body>
</html>