Obtain the Authentication Token Using the oidc-auth Shell Script

You can obtain the authentication token using the oidc-auth shell script.

About this task

You can use the oidc-auth script both locally on the active controller, as well as on a remote workstation where you are running kubectl and helm commands.

The oidc-auth script retrieves the ID token from Windows Active Directory using the OIDC client, and dex, and updates the Kubernetes credential for the user in the kubectl config file.

  • On controller-0, oidc-auth is installed as part of the base StarlingX installation, and ready to use.

  • On remote hosts, oidc-auth must be installed from a StarlingX mirror.

  • On a remote host, when using directly installed kubectl and helm, the following setup is required:

    • Install “Python Mechanize” module using the following command:

      sudo pip2 install mechanize


oidc-auth script supports authenticating with a StarlingX oidc-auth-apps configured with single, or multiple ldap connectors.


  1. Run oidc-auth script in order to authenticate and update user credentials in kubectl config file with the retrieved token.

    • If oidc-auth-apps is deployed with a single backend ldap connector, run the following command:

      ~(keystone_admin)]$ oidc-auth -c <ip> -u <username>

      For example,

      ~(keystone_admin)]$ oidc-auth -c <OAM_ip_address> -u testuser
      Login succeeded.
      Updating kubectl config ...
      User testuser set.
    • If oidc-auth-apps is deployed with multiple backend ldap connectors, run the following command:

      ~(keystone_admin)]$ oidc-auth -b <connector-id> -c <ip> -u <username>


    If you are running oidc-auth within the StarlingX containerized remote CLI, you must use the -p <password> option to run the command non-interactively.