oc login and OpenShift Authentication — A Practical Guide

How oc login works, how to configure OAuth identity providers, manage tokens, troubleshoot login failures, and switch between multiple clusters.

Basic login

# Interactive login
oc login https://api.cluster.example.com:6443

# With credentials (-p leaves the password in shell history; omit it to be prompted)
oc login -u admin -p mypassword https://api.cluster.example.com:6443

# With a token (from the web console or an existing session)
oc login --token=sha256~abc123... https://api.cluster.example.com:6443

After login, oc stores credentials in ~/.kube/config. You can also get a fresh token from the web console at User menu → Copy login command.

Check current session

oc whoami
oc whoami --show-token
oc status
oc project            # current project (namespace)
oc projects           # list all projects you can see

Switch between clusters

# List all contexts
oc config get-contexts

# Switch context
oc config use-context my-other-cluster

# Alias for convenience
alias oc-prod='oc --context=prod-cluster'

Configure OAuth identity providers

OpenShift uses OAuth for user authentication. The built-in OAuth server supports multiple identity providers.

htpasswd provider

# Create the htpasswd file
htpasswd -c -B htpasswd.file admin
htpasswd -B htpasswd.file dev-user

# Create the secret
oc create secret generic htpasswd-secret \
  --from-file=htpasswd=htpasswd.file \
  -n openshift-config

# Edit the OAuth config and add the identity provider under spec
oc edit oauth cluster

spec:
  identityProviders:
  - name: htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpasswd-secret

Grant cluster-admin

oc adm policy add-cluster-role-to-user cluster-admin admin

Troubleshoot login failures

# Check OAuth pods are running
oc get pods -n openshift-authentication

# View OAuth server logs
oc logs -n openshift-authentication deployment/oauth-openshift

# Verify the identity provider config
oc get oauth cluster -o yaml

# Check if the user exists
oc get users
oc get identity

Common errors

| Error | Cause | Fix |
|---|---|---|
| connection refused | Wrong API URL or port | Verify oc cluster-info |
| certificate signed by unknown authority | Self-signed cert | Add --insecure-skip-tls-verify=true (dev only) |
| invalid credentials | Wrong password or provider | Check identity provider logs |
| user not found | First login issue | Verify oc get identity after first login attempt |
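
The --insecure-skip-tls-verify=true workaround above is saved into ~/.kube/config next to the login token, so it outlives the command that set it. As an added example (not part of the original article), this Python check reads the output of oc config view -o json and ranks every context; the sample data and the audit_kubeconfig name are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `oc config view -o json` output, where
# secrets print as "REDACTED". Every name and URL here is made up.
SAMPLE = json.loads("""{
 "current-context": "dev",
 "clusters": [
  {"name": "dev-cluster", "cluster": {"server": "https://api.dev.example.com:6443",
                                      "insecure-skip-tls-verify": true}},
  {"name": "prod-cluster", "cluster": {"server": "https://api.cluster.example.com:6443",
                                       "certificate-authority-data": "DATA+OMITTED"}}],
 "users": [
  {"name": "dev-user", "user": {"token": "REDACTED"}},
  {"name": "admin", "user": {"token": "REDACTED"}}],
 "contexts": [
  {"name": "prod-cluster", "context": {"cluster": "prod-cluster", "user": "admin"}},
  {"name": "dev", "context": {"cluster": "dev-cluster", "user": "dev-user"}}]
}""")

RANK = {"high": 0, "medium": 1, "ok": 2}

def audit_kubeconfig(cfg):
    """Return one finding per context, riskiest first."""
    # Empty sections may be null in the JSON, hence the `or []` guards.
    clusters = {c["name"]: c.get("cluster") or {} for c in cfg.get("clusters") or []}
    users = {u["name"]: u.get("user") or {} for u in cfg.get("users") or []}
    findings = []
    for ctx in cfg.get("contexts") or []:
        ref = ctx.get("context") or {}
        cluster = clusters.get(ref.get("cluster"), {})
        insecure = cluster.get("insecure-skip-tls-verify") is True
        has_token = bool(users.get(ref.get("user"), {}).get("token"))
        # A stored bearer token sent to an unverified endpoint is the worst case.
        risk = "high" if insecure and has_token else "medium" if insecure else "ok"
        findings.append({"context": ctx["name"], "server": cluster.get("server"),
                         "risk": risk, "stored_token": has_token,
                         "current": ctx["name"] == cfg.get("current-context")})
    return sorted(findings, key=lambda f: RANK[f["risk"]])

if __name__ == "__main__":
    # Pipe `oc config view -o json` in, or run with no pipe to see the sample.
    cfg = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit_kubeconfig(cfg):
        mark = "*" if f["current"] else " "
        print(f'{mark} {f["risk"]:<6} {f["context"]:<14} {f["server"]}')
```
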

Token management

# List active tokens for a user (filter on the userName field; tokens carry no user label)
oc get oauthaccesstokens --field-selector userName=admin

# Delete a specific token (log out a session)
oc delete oauthaccesstoken <token-name>

# Log out current session
oc logout

Key takeaways

  • Use oc login --token=... for automation and CI pipelines.
  • Store credentials in a Secret when using service accounts, not personal tokens.
  • Always test new identity provider configurations with a secondary admin account before removing the kubeadmin user.