@@ -11,7 +11,6 @@ func init() {

 		&MasterConfig{},

 		&NodeConfig{},

-		&IdentityProviderUsage{},

 		&IdentityProvider{},

 		&BasicAuthPasswordIdentityProvider{},

 		&AllowAllPasswordIdentityProvider{},

@@ -25,7 +24,6 @@ func init() {

 	)

 }

-func (*IdentityProviderUsage) IsAnAPIObject()             {}

 func (*IdentityProvider) IsAnAPIObject()                  {}

 func (*BasicAuthPasswordIdentityProvider) IsAnAPIObject() {}

 func (*AllowAllPasswordIdentityProvider) IsAnAPIObject()  {}

@@ -146,9 +146,9 @@ type AssetConfig struct {

 	// PublicURL is where you can find the asset server (TODO do we really need this?)

 	PublicURL string

-	// LogoutURI is an optional, absolute URI to redirect web browsers to after logging out of the web console.

+	// LogoutURL is an optional, absolute URL to redirect web browsers to after logging out of the web console.

 	// If not specified, the built-in logout page is shown.

-	LogoutURI string

+	LogoutURL string

 	// MasterPublicURL is how the web console can access the OpenShift api server

 	MasterPublicURL string

@@ -159,7 +159,7 @@ type AssetConfig struct {

 }

 type OAuthConfig struct {

-	// MasterURL is used for building valid client redirect URLs for external access

+	// MasterURL is used for building valid client redirect URLs for internal access

 	MasterURL string

 	// MasterPublicURL is used for building valid client redirect URLs for external access

@@ -196,20 +196,13 @@ type SessionConfig struct {

 	SessionName string

 }

-type IdentityProviderUsage struct {

-	// ProviderName is used to qualify the identities returned by this provider

-	ProviderName string

-

+type IdentityProvider struct {

+	// Name is used to qualify the identities returned by this provider

+	Name string

 	// UseAsChallenger indicates whether to issue WWW-Authenticate challenges for this provider

 	UseAsChallenger bool

 	// UseAsLogin indicates whether to use this identity provider for unauthenticated browsers to login against

 	UseAsLogin bool

-}

-

-type IdentityProvider struct {

-	// Usage contains metadata about how to use this provider

-	Usage IdentityProviderUsage

-

 	// Provider contains the information about how to set up a specific identity provider

 	Provider runtime.EmbeddedObject

 }

@@ -242,7 +235,7 @@ type RequestHeaderIdentityProvider struct {

 	// ClientCA is a file with the trusted signer certs.  If empty, no request verification is done, and any direct request to the OAuth server can impersonate any identity from this provider, merely by setting a request header.

 	ClientCA string

 	// Headers is the set of headers to check for identity information

-	Headers util.StringSet

+	Headers []string

 }

 type OAuthRedirectingIdentityProvider struct {

@@ -2,7 +2,6 @@ package v1

 import (

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/conversion"

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

 	newer "github.com/openshift/origin/pkg/cmd/server/api"

 )

@@ -22,6 +21,20 @@ func init() {

 			out.KeyFile = in.ServerCert.KeyFile

 			return nil

 		},

+		func(in *RemoteConnectionInfo, out *newer.RemoteConnectionInfo, s conversion.Scope) error {

+			out.URL = in.URL

+			out.CA = in.CA

+			out.ClientCert.CertFile = in.CertFile

+			out.ClientCert.KeyFile = in.KeyFile

+			return nil

+		},

+		func(in *newer.RemoteConnectionInfo, out *RemoteConnectionInfo, s conversion.Scope) error {

+			out.URL = in.URL

+			out.CA = in.CA

+			out.CertFile = in.ClientCert.CertFile

+			out.KeyFile = in.ClientCert.KeyFile

+			return nil

+		},

 		func(in *EtcdConnectionInfo, out *newer.EtcdConnectionInfo, s conversion.Scope) error {

 			out.URLs = in.URLs

 			out.CA = in.CA

@@ -50,20 +63,6 @@ func init() {

 			out.KeyFile = in.ClientCert.KeyFile

 			return nil

 		},

-		func(in *RequestHeaderIdentityProvider, out *newer.RequestHeaderIdentityProvider, s conversion.Scope) error {

-			if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {

-				return err

-			}

-			out.Headers = util.NewStringSet(in.HeadersSlice...)

-			return nil

-		},

-		func(in *newer.RequestHeaderIdentityProvider, out *RequestHeaderIdentityProvider, s conversion.Scope) error {

-			if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {

-				return err

-			}

-			out.HeadersSlice = in.Headers.List()

-			return nil

-		},

 	)

 	if err != nil {

 		// If one of the conversion functions is malformed, detect it immediately.

@@ -12,7 +12,6 @@ func init() {

 		&MasterConfig{},

 		&NodeConfig{},

-		&IdentityProviderUsage{},

 		&IdentityProvider{},

 		&BasicAuthPasswordIdentityProvider{},

 		&AllowAllPasswordIdentityProvider{},

@@ -26,7 +25,6 @@ func init() {

 	)

 }

-func (*IdentityProviderUsage) IsAnAPIObject()             {}

 func (*IdentityProvider) IsAnAPIObject()                  {}

 func (*BasicAuthPasswordIdentityProvider) IsAnAPIObject() {}

 func (*AllowAllPasswordIdentityProvider) IsAnAPIObject()  {}

@@ -145,9 +145,9 @@ type AssetConfig struct {

 	// PublicURL is where you can find the asset server (TODO do we really need this?)

 	PublicURL string `json:"publicURL"`

-	// LogoutURI is an optional, absolute URI to redirect web browsers to after logging out of the web console.

+	// LogoutURL is an optional, absolute URL to redirect web browsers to after logging out of the web console.

 	// If not specified, the built-in logout page is shown.

-	LogoutURI string `json:"logoutURI"`

+	LogoutURL string `json:"logoutURL"`

 	// MasterPublicURL is how the web console can access the OpenShift v1beta3 server

 	MasterPublicURL string `json:"masterPublicURL"`

@@ -192,16 +192,14 @@ type SessionConfig struct {

 	SessionName string `json:"sessionName"`

 }

-type IdentityProviderUsage struct {

-	ProviderName string `json:"providerName"`

-

-	UseAsChallenger bool `json:"challenge"`

-	UseAsLogin      bool `json:"login"`

-}

-

 type IdentityProvider struct {

-	Usage IdentityProviderUsage `json:"usage"`

-

+	// Name is used to qualify the identities returned by this provider

+	Name string `json:"name"`

+	// UseAsChallenger indicates whether to issue WWW-Authenticate challenges for this provider

+	UseAsChallenger bool `json:"challenge"`

+	// UseAsLogin indicates whether to use this identity provider for unauthenticated browsers to login against

+	UseAsLogin bool `json:"login"`

+	// Provider contains the information about how to set up a specific identity provider

 	Provider runtime.RawExtension `json:"provider"`

 }

@@ -228,8 +226,8 @@ type HTPasswdPasswordIdentityProvider struct {

 type RequestHeaderIdentityProvider struct {

 	v1beta3.TypeMeta `json:",inline"`

-	ClientCA     string   `json:"clientCA"`

-	HeadersSlice []string `json:"headers"`

+	ClientCA string   `json:"clientCA"`

+	Headers  []string `json:"headers"`

 }

 type OAuthRedirectingIdentityProvider struct {

@@ -83,6 +83,13 @@ func ValidateAssetConfig(config *api.AssetConfig) fielderrors.ValidationErrorLis

 	allErrs = append(allErrs, ValidateServingInfo(config.ServingInfo).Prefix("servingInfo")...)

+	if len(config.LogoutURL) > 0 {

+		_, urlErrs := ValidateURL(config.LogoutURL, "logoutURL")

+		if len(urlErrs) > 0 {

+			allErrs = append(allErrs, urlErrs...)

+		}

+	}

+

 	urlObj, urlErrs := ValidateURL(config.PublicURL, "publicURL")

 	if len(urlErrs) > 0 {

 		allErrs = append(allErrs, urlErrs...)

@@ -3,6 +3,7 @@ package validation

 import (

 	"fmt"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/util/fielderrors"

 	"github.com/openshift/origin/pkg/cmd/server/api"

 )

@@ -28,10 +29,11 @@ func ValidateOAuthConfig(config *api.OAuthConfig) fielderrors.ValidationErrorLis

 	allErrs = append(allErrs, ValidateGrantConfig(config.GrantConfig).Prefix("grantConfig")...)

-	redirectingIdentityProviders := []int{}

+	providerNames := util.NewStringSet()

+	redirectingIdentityProviders := []string{}

 	for i, identityProvider := range config.IdentityProviders {

-		if identityProvider.Usage.UseAsLogin {

-			redirectingIdentityProviders = append(redirectingIdentityProviders, i)

+		if identityProvider.UseAsLogin {

+			redirectingIdentityProviders = append(redirectingIdentityProviders, identityProvider.Name)

 			if api.IsPasswordAuthenticator(identityProvider) {

 				if config.SessionConfig == nil {

@@ -41,6 +43,13 @@ func ValidateOAuthConfig(config *api.OAuthConfig) fielderrors.ValidationErrorLis

 		}

 		allErrs = append(allErrs, ValidateIdentityProvider(identityProvider).Prefix(fmt.Sprintf("identityProvider[%d]", i))...)

+

+		if len(identityProvider.Name) > 0 {

+			if providerNames.Has(identityProvider.Name) {

+				allErrs = append(allErrs, fielderrors.NewFieldInvalid(fmt.Sprintf("identityProvider[%d].name", i), identityProvider.Name, "must have a unique name"))

+			}

+			providerNames.Insert(identityProvider.Name)

+		}

 	}

 	if len(redirectingIdentityProviders) > 1 {

@@ -53,8 +62,8 @@ func ValidateOAuthConfig(config *api.OAuthConfig) fielderrors.ValidationErrorLis

 func ValidateIdentityProvider(identityProvider api.IdentityProvider) fielderrors.ValidationErrorList {

 	allErrs := fielderrors.ValidationErrorList{}

-	if len(identityProvider.Usage.ProviderName) == 0 {

-		allErrs = append(allErrs, fielderrors.NewFieldRequired("usage.providerName"))

+	if len(identityProvider.Name) == 0 {

+		allErrs = append(allErrs, fielderrors.NewFieldRequired("name"))

 	}

 	if !api.IsIdentityProviderType(identityProvider.Provider) {

@@ -68,11 +77,11 @@ func ValidateIdentityProvider(identityProvider api.IdentityProvider) fielderrors

 			if len(provider.Headers) == 0 {

 				allErrs = append(allErrs, fielderrors.NewFieldRequired("provider.headers"))

 			}

-			if identityProvider.Usage.UseAsChallenger {

-				allErrs = append(allErrs, fielderrors.NewFieldInvalid("provider.useAsChallenger", identityProvider.Usage.UseAsChallenger, "request header providers cannot be used for challenges"))

+			if identityProvider.UseAsChallenger {

+				allErrs = append(allErrs, fielderrors.NewFieldInvalid("challenge", identityProvider.UseAsChallenger, "request header providers cannot be used for challenges"))

 			}

-			if identityProvider.Usage.UseAsLogin {

-				allErrs = append(allErrs, fielderrors.NewFieldInvalid("provider.useAsLogin", identityProvider.Usage.UseAsChallenger, "request header providers cannot be used for browser login"))

+			if identityProvider.UseAsLogin {

+				allErrs = append(allErrs, fielderrors.NewFieldInvalid("login", identityProvider.UseAsChallenger, "request header providers cannot be used for browser login"))

 			}

 		case (*api.BasicAuthPasswordIdentityProvider):

@@ -91,8 +100,8 @@ func ValidateIdentityProvider(identityProvider api.IdentityProvider) fielderrors

 			if !api.IsOAuthProviderType(provider.Provider) {

 				allErrs = append(allErrs, fielderrors.NewFieldInvalid("provider.provider", provider.Provider, fmt.Sprintf("%v is invalid in this context", identityProvider.Provider)))

 			}

-			if identityProvider.Usage.UseAsChallenger {

-				allErrs = append(allErrs, fielderrors.NewFieldInvalid("provider.useAsChallenger", identityProvider.Usage.UseAsChallenger, "oauth providers cannot be used for challenges"))

+			if identityProvider.UseAsChallenger {

+				allErrs = append(allErrs, fielderrors.NewFieldInvalid("challenge", identityProvider.UseAsChallenger, "oauth providers cannot be used for challenges"))

 			}

 		}

@@ -79,6 +79,9 @@ func ValidateRemoteConnectionInfo(remoteConnectionInfo api.RemoteConnectionInfo)

 	if len(remoteConnectionInfo.URL) == 0 {

 		allErrs = append(allErrs, fielderrors.NewFieldRequired("url"))

+	} else {

+		_, urlErrs := ValidateURL(remoteConnectionInfo.URL, "url")

+		allErrs = append(allErrs, urlErrs...)

 	}

 	if len(remoteConnectionInfo.CA) > 0 {

@@ -114,7 +114,7 @@ func (c *AssetConfig) buildHandler() (http.Handler, error) {

 		OAuthAuthorizeURI: OpenShiftOAuthAuthorizeURL(masterURL.String()),

 		OAuthRedirectBase: c.Options.PublicURL,

 		OAuthClientID:     OpenShiftWebConsoleClientID,

-		LogoutURI:         c.Options.LogoutURI,

+		LogoutURI:         c.Options.LogoutURL,

 	}

 	handler := http.FileServer(

@@ -307,12 +307,12 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, errorHandler hand

 				return nil, err

 			}

-			if identityProvider.Usage.UseAsLogin {

+			if identityProvider.UseAsLogin {

 				redirectors["login"] = &redirector{RedirectURL: OpenShiftLoginPrefix, ThenParam: "then"}

 				login := login.NewLogin(getCSRF(), &callbackPasswordAuthenticator{passwordAuth, successHandler}, login.DefaultLoginFormRenderer)

 				login.Install(mux, OpenShiftLoginPrefix)

 			}

-			if identityProvider.Usage.UseAsChallenger {

+			if identityProvider.UseAsChallenger {

 				challengers["login"] = passwordchallenger.NewBasicAuthChallenger("openshift")

 			}

@@ -324,10 +324,10 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, errorHandler hand

 				switch provider.Provider.Object.(type) {

 				case (*configapi.GoogleOAuthProvider):

 					callbackPath = path.Join(OpenShiftOAuthCallbackPrefix, "google")

-					oauthProvider = google.NewProvider(identityProvider.Usage.ProviderName, provider.ClientID, provider.ClientSecret)

+					oauthProvider = google.NewProvider(identityProvider.Name, provider.ClientID, provider.ClientSecret)

 				case (*configapi.GitHubOAuthProvider):

 					callbackPath = path.Join(OpenShiftOAuthCallbackPrefix, "github")

-					oauthProvider = github.NewProvider(identityProvider.Usage.ProviderName, provider.ClientID, provider.ClientSecret)

+					oauthProvider = github.NewProvider(identityProvider.Name, provider.ClientID, provider.ClientSecret)

 				default:

 					return nil, fmt.Errorf("unexpected oauth provider %#v", provider)

 				}

@@ -339,10 +339,10 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, errorHandler hand

 				}

 				mux.Handle(callbackPath, oauthHandler)

-				if identityProvider.Usage.UseAsLogin {

-					redirectors[identityProvider.Usage.ProviderName] = oauthHandler

+				if identityProvider.UseAsLogin {

+					redirectors[identityProvider.Name] = oauthHandler

 				}

-				if identityProvider.Usage.UseAsChallenger {

+				if identityProvider.UseAsChallenger {

 					return nil, errors.New("oauth identity providers cannot issue challenges")

 				}

 			}

@@ -358,7 +358,7 @@ func (c *AuthConfig) getPasswordAuthenticator(identityProvider configapi.Identit

 	switch provider := identityProvider.Provider.Object.(type) {

 	case (*configapi.AllowAllPasswordIdentityProvider):

-		return allowanypassword.New(identityProvider.Usage.ProviderName, identityMapper), nil

+		return allowanypassword.New(identityProvider.Name, identityMapper), nil

 	case (*configapi.DenyAllPasswordIdentityProvider):

 		return denypassword.New(), nil

@@ -368,7 +368,7 @@ func (c *AuthConfig) getPasswordAuthenticator(identityProvider configapi.Identit

 		if len(htpasswdFile) == 0 {

 			return nil, fmt.Errorf("HTPasswdFile is required to support htpasswd auth")

 		}

-		if htpasswordAuth, err := htpasswd.New(identityProvider.Usage.ProviderName, htpasswdFile, identityMapper); err != nil {

+		if htpasswordAuth, err := htpasswd.New(identityProvider.Name, htpasswdFile, identityMapper); err != nil {

 			return nil, fmt.Errorf("Error loading htpasswd file %s: %v", htpasswdFile, err)

 		} else {

 			return htpasswordAuth, nil

@@ -379,7 +379,7 @@ func (c *AuthConfig) getPasswordAuthenticator(identityProvider configapi.Identit

 		if len(basicAuthURL) == 0 {

 			return nil, fmt.Errorf("BasicAuthURL is required to support basic password auth")

 		}

-		return basicauthpassword.New(identityProvider.Usage.ProviderName, basicAuthURL, identityMapper), nil

+		return basicauthpassword.New(identityProvider.Name, basicAuthURL, identityMapper), nil

 	default:

 		return nil, fmt.Errorf("No password auth found that matches %v.  The oauth server cannot start!", identityProvider)

@@ -396,7 +396,7 @@ func (c *AuthConfig) getAuthenticationSuccessHandler() handlers.AuthenticationSu

 	addedRedirectSuccessHandler := false

 	for _, identityProvider := range c.Options.IdentityProviders {

-		if !identityProvider.Usage.UseAsLogin {

+		if !identityProvider.UseAsLogin {

 			continue

 		}

@@ -437,9 +437,9 @@ func (c *AuthConfig) getAuthenticationRequestHandler() (authenticator.Request, e

 				var authRequestHandler authenticator.Request

 				authRequestConfig := &headerrequest.Config{

-					UserNameHeaders: provider.Headers.List(),

+					UserNameHeaders: provider.Headers,

 				}

-				authRequestHandler = headerrequest.NewAuthenticator(identityProvider.Usage.ProviderName, authRequestConfig, identityMapper)

+				authRequestHandler = headerrequest.NewAuthenticator(identityProvider.Name, authRequestConfig, identityMapper)

 				// Wrap with an x509 verifier

 				if len(provider.ClientCA) > 0 {

@@ -164,7 +164,7 @@ func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig

 				BindAddress: args.GetAssetBindAddress(),

 			},

-			LogoutURI:           "",

+			LogoutURL:           "",

 			MasterPublicURL:     masterPublicAddr.String(),

 			PublicURL:           assetPublicAddr.String(),

 			KubernetesPublicURL: kubePublicAddr.String(),

@@ -287,11 +287,9 @@ func (args MasterArgs) BuildSerializeableOAuthConfig() (*configapi.OAuthConfig,

 	config.IdentityProviders = append(config.IdentityProviders,

 		configapi.IdentityProvider{

-			Usage: configapi.IdentityProviderUsage{

-				ProviderName:    "anypassword",

-				UseAsChallenger: true,

-				UseAsLogin:      true,

-			},

+			Name:            "anypassword",

+			UseAsChallenger: true,

+			UseAsLogin:      true,

 			Provider: runtime.EmbeddedObject{

 				&configapi.AllowAllPasswordIdentityProvider{},

 			},

@@ -29,11 +29,9 @@ func TestHTPasswd(t *testing.T) {

 	}

 	masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{

-		Usage: configapi.IdentityProviderUsage{

-			ProviderName:    "htpasswd",

-			UseAsChallenger: true,

-			UseAsLogin:      true,

-		},

+		Name:            "htpasswd",

+		UseAsChallenger: true,

+		UseAsLogin:      true,

 		Provider: runtime.EmbeddedObject{

 			&configapi.HTPasswdPasswordIdentityProvider{

 				File: htpasswdFile.Name(),

@@ -11,7 +11,6 @@ import (

 	kclient "github.com/GoogleCloudPlatform/kubernetes/pkg/client"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"

-	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

 	"github.com/openshift/origin/pkg/client"

 	configapi "github.com/openshift/origin/pkg/cmd/server/api"

@@ -106,15 +105,13 @@ func TestOAuthRequestHeader(t *testing.T) {

 	}

 	masterOptions.OAuthConfig.IdentityProviders[0] = configapi.IdentityProvider{

-		Usage: configapi.IdentityProviderUsage{

-			ProviderName:    "requestheader",

-			UseAsChallenger: false,

-			UseAsLogin:      false,

-		},

+		Name:            "requestheader",

+		UseAsChallenger: false,

+		UseAsLogin:      false,

 		Provider: runtime.EmbeddedObject{

 			&configapi.RequestHeaderIdentityProvider{

 				ClientCA: caFile.Name(),

-				Headers:  util.NewStringSet("My-Remote-User", "SSO-User"),

+				Headers:  []string{"My-Remote-User", "SSO-User"},

 			},

 		},

 	}