diff --git a/pkg/models/auth/authenticator.go b/pkg/models/auth/authenticator.go
index eb0cb07243..1689a593db 100644
--- a/pkg/models/auth/authenticator.go
+++ b/pkg/models/auth/authenticator.go
@@ -46,12 +46,17 @@ var (
 )
 // PasswordAuthenticator is an interface implemented by authenticator which take a
-// username and password. provider refers to the identity provider`s name,
-// if the provider is empty, authenticate from kubesphere account
+// username ,password and provider. provider refers to the identity provider`s name,
+// if the provider is empty, authenticate from kubesphere account. Note that implement this
+// interface you should also obey the error specification defined at "k8s.io/apimachinery/pkg/api/errors.Error",
+// or the server cannot handle error correctly.
 type PasswordAuthenticator interface {
 Authenticate(ctx context.Context, provider, username, password string) (authuser.Info, string, error)
 }
+// OAuthAuthenticator authenticate users by OAuth 2.0 Authorization Framework. Note that implement this
+// interface you should also obey the error specification defined at "k8s.io/apimachinery/pkg/api/errors.Error",
+// or the server cannot handle error correctly.
 type OAuthAuthenticator interface {
 Authenticate(ctx context.Context, provider string, req *http.Request) (authuser.Info, string, error)
 }
diff --git a/pkg/models/auth/password.go b/pkg/models/auth/password.go
index b5d2e90a5d..560d432395 100644
--- a/pkg/models/auth/password.go
+++ b/pkg/models/auth/password.go
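Review bot: The new doc comments on `PasswordAuthenticator` and `OAuthAuthenticator` in authenticator.go point implementers at `"k8s.io/apimachinery/pkg/api/errors.Error"`, but as far as I know that package exports no identifier named `Error`; the things a caller can actually test for are `*errors.StatusError` and the `errors.APIStatus` interface. Because this is the authentication boundary, the comment should say concretely what to return, for example `// Implementations must return errors that satisfy errors.APIStatus (e.g. errors.NewUnauthorized for rejected credentials); other errors are not mapped to a proper status by the server.` The last clause is inferred from "the server cannot handle error correctly"; the handler that maps these errors is outside this diff, so confirm the real behaviour before wording it. The contract is still enforced only by convention, so it may be worth normalising non-status errors at the call site, which would also keep raw identity-provider error text from reaching the client.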
@@ -59,13 +59,13 @@ func (p *passwordAuthenticator) Authenticate(_ context.Context, provider, userna
 return nil, "", IncorrectPasswordError
 }
 if provider != "" {
- return p.providerAuthenticate(provider, username, password)
+ return p.authByProvider(provider, username, password)
 }
- return p.accountAuthenticate(username, password)
+ return p.authByKubeSphere(username, password)
 }
-// accountAuthenticate authenticate the kubesphere account
-func (p *passwordAuthenticator) accountAuthenticate(username, password string) (authuser.Info, string, error) {
+// authByKubeSphere authenticate by the kubesphere user
+func (p *passwordAuthenticator) authByKubeSphere(username, password string) (authuser.Info, string, error) {
 user, err := p.userGetter.findUser(username)
 if err != nil {
 // ignore not found error
@@ -109,7 +109,8 @@ func (p *passwordAuthenticator) accountAuthenticate(username, password string) (
 return nil, "", IncorrectPasswordError
 }
-func (p *passwordAuthenticator) providerAuthenticate(provider, username, password string) (authuser.Info, string, error) {
+// authByProvider authenticate by the third-party identity provider user
+func (p *passwordAuthenticator) authByProvider(provider, username, password string) (authuser.Info, string, error) {
 providerOptions, err := p.authOptions.OAuthOptions.IdentityProviderOptions(provider)
 if err != nil {
 klog.Error(err)