302
The OpenShift Container Platform master includes a built-in OAuth server. Users obtain OAuth access tokens to authenticate themselves to the API.
When a person requests a new OAuth token, the OAuth server uses the configured identity provider to determine the identity of the person making the request.
It then determines what user that identity maps to, creates an access token for that user, and returns the token for use.
The OAuth server supports standard authorization code grant and the implicit grant OAuth authorization flows.
When requesting an OAuth token using the implicit grant flow
(response_type=token
) with a client_id configured to request WWW-Authenticate challenges
(like openshift-challenging-client
), these are the possible server
responses from /oauth/authorize
, and how they should be handled:
Status | Content | Client response |
---|---|---|
302 |
|
Use the |
302 |
|
Fail, optionally surfacing the |
302 |
Other |
Follow the redirect, and process the result using these rules |
401 |
|
Respond to challenge if type is recognized (e.g. |
401 |
|
No challenge authentication is possible. Fail and show response body (which might contain links or details on alternate methods to obtain an OAuth token) |
Other |
Other |
Fail, optionally surfacing response body to the user |
Several configuration options are available for the internal OAuth server.
The internal OAuth server generates two kinds of tokens:
Access tokens |
Longer-lived tokens that grant access to the API. |
Authorize codes |
Short-lived tokens whose only use is to be exchanged for an access token. |
You can configure the default duration for both types of token. If necessary,
you can override the duration of the access token by using an OAuthClient
object definition.
When the OAuth server receives token requests for a client to which the user has not previously granted permission, the action that the OAuth server takes is dependent on the OAuth client’s grant strategy.
The OAuth client requesting token must provide its own grant strategy.
You can apply the following default methods:
auto
|
Auto-approve the grant and retry the request. |
prompt
|
Prompt the user to approve or deny the grant. |
You can configure default options for the internal OAuth server’s token duration.
By default, tokens are only valid for 24 hours. existing sessions expire after this time elapses. |
If the default time is insufficient, then this can be modified using the following procedure.
Create a configuration file that contains the token duration options. The following file sets this to 48 hours, twice the default.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
tokenConfig:
accessTokenMaxAgeSeconds: 172800 (1)
1 | Set accessTokenMaxAgeSeconds to control the lifetime of access tokens.
The default lifetime is 24 hours, or 86400 seconds. This attribute cannot
be negative. |
Apply the new configuration file:
Because you update the existing OAuth server, you must use the |
$ oc apply -f </path/to/file.yaml>
Confirm that the changes are in effect:
$ oc describe oauth.config.openshift.io/cluster ... Spec: Token Config: Access Token Max Age Seconds: 172800 ...
If you need an additional OAuth client to manage authentication for your OpenShift Container Platform cluster, you can register one.
To register additional OAuth clients:
$ oc create -f <(echo '
kind: OAuthClient
apiVersion: oauth.openshift.io/v1
metadata:
name: demo (1)
secret: "..." (2)
redirectURIs:
- "http://www.example.com/" (3)
grantMethod: prompt (4)
')
1 | The name of the OAuth client is used as the client_id parameter when
making requests to <namespace_route>/oauth/authorize and
<namespace_route>/oauth/token . |
2 | The secret is used as the client_secret parameter when making requests
to <namespace_route>/oauth/token . |
3 | The redirect_uri parameter specified in requests to
<namespace_route>/oauth/authorize and <namespace_route>/oauth/token
must be equal to or prefixed by one of the URIs listed in the
redirectURIs parameter value. |
4 | The grantMethod is used to determine what action to take when this
client requests tokens and has not yet been granted access by the user.
Specify auto to automatically approve the grant and retry the request,
or prompt to prompt the user to approve or deny the grant. |
Applications running in OpenShift Container Platform might have to discover information
about the built-in OAuth server. For example, they might have to discover
what the address of the <namespace_route>
is without manual
configuration. To aid in this, OpenShift Container Platform implements the IeTF
OAuth 2.0 Authorization Server Metadata draft specification.
Thus, any application running inside the cluster can issue a GeT
request
to https://openshift.default.svc/.well-known/oauth-authorization-server
to fetch the following information:
{ "issuer": "https://<namespace_route>", (1) "authorization_endpoint": "https://<namespace_route>/oauth/authorize", (2) "token_endpoint": "https://<namespace_route>/oauth/token", (3) "scopes_supported": [ (4) "user:full", "user:info", "user:check-access", "user:list-scoped-projects", "user:list-projects" ], "response_types_supported": [ (5) "code", "token" ], "grant_types_supported": [ (6) "authorization_code", "implicit" ], "code_challenge_methods_supported": [ (7) "plain", "S256" ] }
1 | The authorization server’s issuer identifier, which is a URL that uses the
https scheme and has no query or fragment components. This is the location
where .well-known RFC 5785 resources
containing information about the authorization server are published. |
2 | URL of the authorization server’s authorization endpoint. See RFC 6749. |
3 | URL of the authorization server’s token endpoint. See RFC 6749. |
4 | JSON array containing a list of the OAuth 2.0 RFC 6749 scope values that this authorization server supports. Note that not all supported scope values are advertised. |
5 | JSON array containing a list of the OAuth 2.0 response_type values that this
authorization server supports. The array values used are the same as those used
with the response_types parameter defined by "OAuth 2.0 Dynamic Client
Registration Protocol" in RFC 7591. |
6 | JSON array containing a list of the OAuth 2.0 grant type values that this
authorization server supports. The array values used are the same as those used
with the grant_types parameter defined by
OAuth 2.0 Dynamic Client Registration Protocol in
RFC 7591. |
7 | JSON array containing a list of PKCe
RFC 7636 code challenge methods
supported by this authorization server. Code challenge method values are used in
the code_challenge_method parameter defined in
Section 4.3 of RFC 7636.
The valid code challenge method values are those registered in the IANA
PKCe Code Challenge Methods registry. See
IANA OAuth Parameters. |
In some cases the API server returns an unexpected condition
error message
that is difficult to debug without direct access to the API master log.
The underlying reason for the error is purposely obscured in order
to avoid providing an unauthenticated user with information about the server’s state.
A subset of these errors is related to service account OAuth configuration issues.
These issues are captured in events that can be viewed by non-administrator users. When encountering
an unexpected condition
server error during OAuth, run oc get events
to view these events under ServiceAccount
.
The following example warns of a service account that is missing a proper OAuth redirect URI:
$ oc get events | grep ServiceAccount 1m 1m 1 proxy ServiceAccount Warning NoSAOAuthRedirectURIs service-account-oauth-client-getter system:serviceaccount:myproject:proxy has no redirectURIs; set serviceaccounts.openshift.io/oauth-redirecturi.<some-value>=<redirect> or create a dynamic URI using serviceaccounts.openshift.io/oauth-redirectreference.<some-value>=<reference>
Running oc describe sa/<service-account-name>
reports any OAuth events associated with the given service account name.
$ oc describe sa/proxy | grep -A5 events events: FirstSeen LastSeen Count From SubObjectPath Type Reason Message --------- -------- ----- ---- ------------- -------- ------ ------- 3m 3m 1 service-account-oauth-client-getter Warning NoSAOAuthRedirectURIs system:serviceaccount:myproject:proxy has no redirectURIs; set serviceaccounts.openshift.io/oauth-redirecturi.<some-value>=<redirect> or create a dynamic URI using serviceaccounts.openshift.io/oauth-redirectreference.<some-value>=<reference>
The following is a list of the possible event errors:
No redirect URI annotations or an invalid URI is specified
Reason Message NoSAOAuthRedirectURIs system:serviceaccount:myproject:proxy has no redirectURIs; set serviceaccounts.openshift.io/oauth-redirecturi.<some-value>=<redirect> or create a dynamic URI using serviceaccounts.openshift.io/oauth-redirectreference.<some-value>=<reference>
Invalid route specified
Reason Message NoSAOAuthRedirectURIs [routes.route.openshift.io "<name>" not found, system:serviceaccount:myproject:proxy has no redirectURIs; set serviceaccounts.openshift.io/oauth-redirecturi.<some-value>=<redirect> or create a dynamic URI using serviceaccounts.openshift.io/oauth-redirectreference.<some-value>=<reference>]
Invalid reference type specified
Reason Message NoSAOAuthRedirectURIs [no kind "<name>" is registered for version "v1", system:serviceaccount:myproject:proxy has no redirectURIs; set serviceaccounts.openshift.io/oauth-redirecturi.<some-value>=<redirect> or create a dynamic URI using serviceaccounts.openshift.io/oauth-redirectreference.<some-value>=<reference>]
Missing SA tokens
Reason Message NoSAOAuthTokens system:serviceaccount:myproject:proxy has no tokens