The OpenShift Container Platform master includes a built-in OAuth server. users obtain OAuth
access tokens to authenticate themselves to the API.
When a person requests a new OAuth token, the OAuth server uses the configured
identity
provider
to determine the identity of the person making the request.
It then determines what user that identity maps to, creates an access token for
that user, and returns the token for use.
Every request for an OAuth token must specify the OAuth client that will
receive and use the token. The following OAuth clients are automatically created
when starting the OpenShift Container Platform API:
OAuth Client |
Usage |
openshift-web-console |
Requests tokens for the web console. |
openshift-browser-client |
Requests tokens at <master>/oauth/token/request with a user-agent that can handle interactive logins. |
openshift-challenging-client |
Requests tokens with a user-agent that can handle WWW-Authenticate challenges. |
To register additional clients:
$ oc create -f <(echo '
kind: OAuthClient
apiVersion: v1
metadata:
name: demo (1)
secret: "..." (2)
redirectURIs:
- "http://www.example.com/" (3)
grantMethod: prompt (4)
')
1 |
The name of the OAuth client is used as the client_id parameter when making requests to <master>/oauth/authorize and <master>/oauth/token . |
2 |
The secret is used as the client_secret parameter when making requests to <master>/oauth/token . |
3 |
The redirect_uri parameter specified in requests to <master>/oauth/authorize and <master>/oauth/token must be equal to (or prefixed by) one of the URIs in redirectURIs . |
4 |
The grantMethod is used to determine what action to take when this client requests tokens and has not yet been granted access by the user. Uses the same values seen in Grant Options. |
Service Accounts as OAuth Clients
A
service
account can be used as a constrained form of OAuth client. Service accounts can
only request a subset of
scopes that
allow access to some basic user information and role-based power inside of the
service account’s own namespace:
When using a service account as an OAuth client:
-
client_id
is system:serviceaccount:<serviceaccount namespace>:<serviceaccount name>
.
-
client_secret
can be any of the API tokens for that service account. For example:
$ oc sa get-token <serviceaccount name>
-
redirect_uri
must match an annotation on the service account that has the
prefix serviceaccounts.openshift.io/oauth-redirecturi
. For example,
serviceaccounts.openshift.io/oauth-redirecturi.one
.
-
To get WWW-Authenticate
challenges, set an
serviceaccounts.openshift.io/oauth-want-challenges
annotation on the service
account to true.
All requests for OAuth tokens involve a request to <master>/oauth/authorize
.
Most authentication integrations place an authenticating proxy in front of this
endpoint, or configure OpenShift Container Platform to validate credentials against a backing
identity
provider.
Requests to <master>/oauth/authorize
can come from user-agents that cannot
display interactive login pages, such as the CLI. Therefore, OpenShift Container Platform
supports authenticating using a WWW-Authenticate
challenge in addition to
interactive login flows.
If an authenticating proxy is placed in front of the
<master>/oauth/authorize
endpoint, it should send unauthenticated,
non-browser user-agents WWW-Authenticate
challenges, rather than displaying an
interactive login page or redirecting to an interactive login flow.
|
To prevent cross-site request forgery (CSRF) attacks against browser clients, Basic authentication challenges
should only be sent if a X-CSRF-Token header is present on the request. Clients that expect
to receive Basic WWW-Authenticate challenges should set this header to a non-empty value.
If the authenticating proxy cannot support WWW-Authenticate challenges, or if
OpenShift Container Platform is configured to use an identity provider that does not support
WWW-Authenticate challenges, users can visit <master>/oauth/token/request
using a browser to obtain an access token manually.
|
Run the following command to request an OAuth token by using the authorization code
grant method:
$ curl -H "X-Remote-user: <username>" \
--cacert /etc/origin/master/ca.crt \
--cert /etc/origin/master/admin.crt \
--key /etc/origin/master/admin.key \
-I https://<master-address>/oauth/authorize?response_type=token\&client_id=openshift-challenging-client | grep -oP "access_token=\K[^&]*"
When requesting an OAuth token using the implicit grant flow
(response_type=token
) with a client_id configured to request WWW-Authenticate
challenges
(like openshift-challenging-client
), these are the possible server
responses from /oauth/authorize
, and how they should be handled:
Status |
Content |
Client response |
|
Location header containing an access_token parameter in the URL fragment (RFC 4.2.2)
|
Use the access_token value as the OAuth token
|
|
Location header containing an error query parameter (RFC 4.1.2.1)
|
Fail, optionally surfacing the error (and optional error_description ) query values to the user
|
|
|
Follow the redirect, and process the result using these rules
|
|
WWW-Authenticate header present
|
Respond to challenge if type is recognized (e.g. Basic , Negotiate , etc), resubmit request, and process the result using these rules
|
|
WWW-Authenticate header missing
|
No challenge authentication is possible. Fail and show response body (which might contain links or details on alternate methods to obtain an OAuth token)
|
|
|
Fail, optionally surfacing response body to the user
|
To request an OAuth token using the implicit grant flow:
$ curl -u <username>:<password>
'https://<master-address>:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token' -skv / (1)
/ -H "X-CSRF-Token: xxx" (2)
* Trying 10.64.33.43...
* Connected to 10.64.33.43 (10.64.33.43) port 8443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: 10.64.33.43 (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=10.64.33.43
* start date: Thu, 09 Aug 2018 04:00:39 GMT
* expire date: Sat, 08 Aug 2020 04:00:40 GMT
* issuer: CN=openshift-signer@1531109367
* compression: NULL
* ALPN, server accepted to use http/1.1
* Server auth using Basic with user 'developer'
> GET /oauth/authorize?client_id=openshift-challenging-client&response_type=token HTTP/1.1
> Host: 10.64.33.43:8443
> Authorization: Basic ZGV2ZWxvcGVyOmRzc2Zkcw==
> user-Agent: curl/7.47.0
> Accept: */*
> X-CSRF-Token: xxx
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Location:
https://10.64.33.43:8443/oauth/token/implicit#access_token=gzTwOq_mVJ7ovHliHBTgRQEEXa1aCZD9lnj7lSw3ekQ&expires_in=86400&scope=user%3Afull&token_type=Bearer (3)
< Pragma: no-cache
< Set-Cookie: ssn=MTUzNTk0OTc1MnxIckVfNW5vNFlLSlF5MF9GWEF6Zm55Vl95bi1ZNE41S1NCbFJMYnN1TWVwR1hwZmlLMzFQRklzVXRkc0RnUGEzdnBEa0NZZndXV2ZUVzN1dmFPM2dHSUlzUmVXakQ3Q09rVXpxNlRoVmVkQU5DYmdLTE9SUWlyNkJJTm1mSDQ0N2pCV09La3gzMkMzckwxc1V1QXpybFlXT2ZYSmI2R2FTVEZsdDBzRjJ8vk6zrQPjQUmoJCqb8Dt5j5s0b4wZlITgKlho9wlKAZI=; Path=/; HttpOnly; Secure
< Date: Mon, 03 Sep 2018 04:42:32 GMT
< Content-Length: 0
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host 10.64.33.43 left intact
1 |
client-id is set to openshift-challenging-client and response-type is
set to token . |
2 |
Set X-CSRF-Token header to a non-empty value. |
3 |
The token is returned in the Location header of the 302 response as
access_token=gzTwOq_mVJ7ovHliHBTgRQEEXa1aCZD9lnj7lSw3ekQ . |
To view only the OAuth token value, run the following command:
$ curl -u <username>:<password>
'https://<master-address>:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token' (1)
-skv -H "X-CSRF-Token: xxx" --stderr - | grep -oP "access_token=\K[^&]*" (2)
hvqxe5aMlAzvbqfM2WWw3D6tR0R2jCQGKx0viZBxwmc
1 |
client-id is set to openshift-challenging-client and response-type is
set to token . |
2 |
Set X-CSRF-Token header to a non-empty value. |
You can also use the Code Grant
method to request a token