diff --git a/modules/rosa-configure.adoc b/modules/rosa-configure.adoc index d7b43d5a1ddf..6e76c62286e3 100644 --- a/modules/rosa-configure.adoc +++ b/modules/rosa-configure.adoc 
@@ -12,25 +12,35 @@ Use the following commands to configure the {product-title} (ROSA) CLI, `rosa`. == login There are several methods you can use to log into your Red{nbsp}Hat account using the {product-title} (ROSA) CLI (`rosa`). These methods are described in detail below. -[IMPORTANT] -==== -An offline authentication token is long-lived, stored on your operating system, and cannot be revoked. These factors increase overall security risks and the likelihood of unauthorized access to your account. Alternatively, the Red{nbsp}Hat secure browser-based single sign-on (SSO) method automatically sends your CLI instance a refresh token that is valid for 10 hours. Because this authorization code is unique and temporary, it is more secure and is the Red{nbsp}Hat recommended method of authentication. -==== - -// Furthermore, offline authentication tokens are usually stored on your device by your operating system, which means other apps on your machine can access a token if the token is not properly secured. These offline tokens are long-lived and cannot be revoked. Users must copy and paste them manually which creates a security risk. Because of these factors, Red{nbsp}Hat recommends using the single sign-on method when logging into your account with the ROSA CLI (`rosa`). This method is more secure than logging in with an offline token. +// [IMPORTANT] +// ==== +// An offline authentication token is long-lived, stored on your operating system, and cannot be revoked. These factors increase overall security risks and the likelihood of unauthorized access to your account. Alternatively, the Red{nbsp}Hat secure browser-based single sign-on (SSO) method automatically sends your CLI instance a refresh token that is valid for 10 hours. Because this authorization code is unique and temporary, it is more secure and is the Red{nbsp}Hat recommended method of authentication. 
// ==== - [id="rosa-login-sso_{context}"] -=== login with single sign-on (SSO) authorization code +=== Authenticating the {product-title} (ROSA) CLI with Red Hat Single Sign-On + +You can log in to the ROSA CLI (`rosa`) with a Red{nbsp}Hat single sign-on (SSO) authorization code. Red{nbsp}Hat recommends using the `rosa` command line tool with Red{nbsp}Hat single Sign-On, instead of using an offline authentication token. -If your system supports a web-based browser, you can log in to the ROSA CLI (`rosa`) with a Red{nbsp}Hat single sign-on (SSO) authorization code. +An offline authentication token is long-lived, stored on your operating system, and cannot be revoked. These factors increase overall security risks and the likelihood of unauthorized access to your account. + +Alternatively, authenticating with the Red{nbsp}Hat single sign-on (SSO) method automatically sends your CLI instance a refresh token that is valid for 10 hours. Because this authorization code is unique and temporary, it is more secure and reduces the risk of unauthorized access. + +If your system has a web browser, follow the steps in Section 4.9.1, “Logging in to the OpenShift Cluster Manager CLI (ocm-cli) tool with a Red Hat Single Sign-On authorization code” to authenticate with Red Hat Single Sign-On. + +If you are working with containers, remote hosts, or other environments without a web browser, follow the steps in Section 4.9.2, “Logging in to the OpenShift Cluster Manager CLI with a Red Hat Single Sign-On device code” to authenticate with Red Hat Single Sign-On. + +Clean this up: The new secure method of authenticating using Red Hat Single Sign-On will not break any existing automations that rely on offline tokens. To use offline tokens for automation or other purposes, you can download the OpenShift Cluster Manager API token from the OpenShift Cluster Manager API Token page. Use service accounts, available on the Service Accounts page, for automation purposes. 
[NOTE] ==== Single sign-on authorization is supported with ROSA CLI (`rosa`) version 1.2.36 or later. ==== +[id="rosa-login-sso_auth{context}"] +=== Authenticating the {product-title} (ROSA) CLI with Red Hat Single Sign-On authorization code + + . To log into the ROSA CLI (`rosa`) with a Red{nbsp}Hat single sign-on authorization code, run the following command: +
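Review bot: The added paragraph that begins "Clean this up:" still carries the author's editing placeholder and should not merge as written. Drop the prefix and settle the guidance: the paragraph tells readers to download the OpenShift Cluster Manager API token "for automation or other purposes" and, in the next sentence, to use service accounts "for automation purposes", directly after the section states that offline tokens are long-lived and cannot be revoked. Consider naming service accounts as the path for automation and describing offline tokens only as still working for existing automations. In the same hunk, the new anchor `[id="rosa-login-sso_auth{context}"]` lacks the underscore before `{context}` that the existing `rosa-login-sso_{context}` id uses. The references to "Section 4.9.1" and "Section 4.9.2" hard-code section numbers and name ocm-cli procedures in a `rosa` module, so cross-references would be safer. The old IMPORTANT block is commented out rather than deleted, which leaves the same warning text in the source twice. The added sentence "sends your CLI instance a refresh token ... Because this authorization code is unique and temporary" uses two different terms for what reads as one credential. Please pick one term, and make "single Sign-On" and the `Red Hat` / `Red{nbsp}Hat` spellings consistent across the added lines.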