Bootstrap FreeKB - OpenShift - List OAuth Bearer Token using REST API
OpenShift - List OAuth Bearer Token using REST API


If you are not familiar with OAuth, check out What is an OAuth token.

This might seem a bit counterintuitive at first, but you must first obtain an OAuth token before you can list the OAuth tokens. Let's say you have issued this command to obtain an OAuth Bearer Token:

curl \
--insecure \
--request GET \
--user john.doe:itsasecret \
--header "X-CSRF-Token: xxx" \
--url "https://oauth-openshift.apps.openshift.example.com/oauth/authorize?response_type=token&client_id=openshift-challenging-client" \
--head | grep Location


Something like this should be returned. In this example, the Bearer Token is sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U.

Location: https://oauth-openshift.apps.openshift.example.com/oauth/token/implicit#access_token=sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U&expires_in=86400&scope=user%3Afull&token_type=Bearer
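The token, expiry and scope ride in the URL fragment of that Location header (everything after the #), not in the query string, so a script that pulls them out has to split on the fragment. The following parser is an added example and is not part of the original article; the header line it parses is constructed from the one shown above, and the token in it is the example value from this page.

```python
"""Extract the implicit-flow token from the oauth/authorize redirect (added example)."""
from urllib.parse import parse_qs, urlsplit

# Constructed from the Location header shown above; the token is example data from this page.
LOCATION_HEADER = (
    "Location: https://oauth-openshift.apps.openshift.example.com/oauth/token/implicit"
    "#access_token=sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U"
    "&expires_in=86400&scope=user%3Afull&token_type=Bearer"
)


def parse_token_redirect(header_line: str) -> dict:
    """Return access_token, token_type, scope and expires_in from the redirect.

    The values live in the URL fragment (after '#'), which a browser never sends
    to the server; that is why the implicit flow places the token there.
    parse_qs also URL-decodes 'user%3Afull' back to 'user:full'.
    """
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "location":
        raise ValueError("not a Location header")
    parts = urlsplit(value.strip())
    if not parts.fragment:
        raise ValueError("redirect carries no fragment; expected an implicit-flow token")
    fields = parse_qs(parts.fragment, strict_parsing=True)
    try:
        return {
            "access_token": fields["access_token"][0],
            "token_type": fields["token_type"][0],
            "scope": fields["scope"][0],
            "expires_in": int(fields["expires_in"][0]),
        }
    except KeyError as missing:
        raise ValueError(f"redirect fragment lacks {missing}") from None


def bearer_header(token_fields: dict) -> str:
    """Build the Authorization header used by the listing requests further down."""
    return f"Authorization: {token_fields['token_type']} {token_fields['access_token']}"


if __name__ == "__main__":
    fields = parse_token_redirect(LOCATION_HEADER)
    print(fields)
    print(bearer_header(fields))
```

Because grep on the raw header would also match a redirect that carries an error instead of a token, the parser raises on a missing fragment or missing field rather than returning an empty string that could silently be sent as "Bearer ".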


Notice that the authorization endpoint https://oauth-openshift.apps.lab001.op.example.com/oauth/authorize is used in this example. This value is defined in a config map in the openshift-authentication project (namespace).

~]$ oc describe configmap v4-0-config-system-metadata --namespace openshift-authentication
Name:         v4-0-config-system-metadata
Namespace:    openshift-authentication
Labels:       app=oauth-openshift
Annotations:  <none>

Data
====
oauthMetadata:
----
{
  "issuer": "https://oauth-openshift.apps.openshift.example.com",
  "authorization_endpoint": "https://oauth-openshift.apps.openshift.example.com/oauth/authorize",
  "token_endpoint": "https://oauth-openshift.apps.openshift.example.com/oauth/token",


Or, the same host can be found with the oc get route command.

~]$ oc get route oauth-openshift --namespace openshift-authentication --output yaml | grep host
host: oauth-openshift.apps.lab001.op.example.com


Now you should be able to issue the following command to list all of the OAuth tokens. The oc config view or oc get apiserver commands can be used to display the API Server URL (api.openshift.example.com in this example).

curl \
--insecure \
--request GET \
--header "Accept: application/json" \
--header "Authorization: Bearer sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U" \
--url "https://api.openshift.example.com:6443/apis/oauth.openshift.io/v1/oauthaccesstokens"


Something like this should be returned.

{
  "kind": "OAuthAccessTokenList",
  "apiVersion": "oauth.openshift.io/v1",
  "metadata": {
    "selfLink": "/apis/oauth.openshift.io/v1/oauthaccesstokens",
    "resourceVersion": "151605843"
  },
  "items": [
    {
      "metadata": {
        "name": "sha256~-wYkxX_9nGfjwAAUiPyEYc9iOdjLx7Y1iUp5iSYd-Ag",
        "selfLink": "/apis/oauth.openshift.io/v1/oauthaccesstokens/sha256~-wYkxX_9nGfjwAAUiPyEYc9iOdjLx7Y1iUp5iSYd-Ag",
        "uid": "47c0469b-2095-4a36-9f31-1f8036b96f25",
        "resourceVersion": "150530883",
        "creationTimestamp": "2021-11-30T08:24:37Z",
        "managedFields": [
          {
            "manager": "oauth-server",
            "operation": "Update",
            "apiVersion": "oauth.openshift.io/v1",
            "time": "2021-11-30T08:24:37Z",
            "fieldsType": "FieldsV1",
            "fieldsV1": {"f:clientName":{},"f:expiresIn":{},"f:redirectURI":{},"f:scopes":{},"f:userName":{},"f:userUID":{}}
          }
        ]
      },
      "clientName": "openshift-challenging-client",
      "expiresIn": 86400,
      "scopes": [
        "user:full"
      ],
      "redirectURI": "https://oauth-openshift.apps.openshift.example.com/oauth/token/implicit",
      "userName": "john.doe",
      "userUID": "27952747-48b7-43c6-8db5-6dbd1c604b8b"
    }
  ]
}


Or, you can append a token's name (the metadata.name value from the list above) to the URL to check whether that specific token exists.

curl \
--insecure \
--request GET \
--header "Accept: application/json" \
--header "Authorization: Bearer sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U" \
--url "https://api.openshift.example.com:6443/apis/oauth.openshift.io/v1/oauthaccesstokens/sha256~-wYkxX_9nGfjwAAUiPyEYc9iOdjLx7Y1iUp5iSYd-Ag"


If the token does not exist, something like this should be returned.

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "oauthaccesstokens.oauth.openshift.io \"sha256~por0plpJbbFy8F0D-ylYjRbmvz8Wq2DV15l6-lLDWTE\" not found",
  "reason": "NotFound",
  "details": {
    "name": "sha256~por0plpJbbFy8F0D-ylYjRbmvz8Wq2DV15l6-lLDWTE",
    "group": "oauth.openshift.io",
    "kind": "oauthaccesstokens"
  },
  "code": 404
}
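A practitioner reviewing the list above usually wants three things the raw JSON does not give directly: when each token actually expires (creationTimestamp plus expiresIn), whether their own bearer token is among the listed objects, and a lookup that verifies the API server's certificate instead of passing --insecure. The script below is an added example and is not code from the original article or from OpenShift. It assumes, as my understanding of OpenShift 4.6 and later rather than anything stated on this page, that the object name for a bearer token is sha256~ followed by the unpadded base64url SHA-256 of the part after the prefix, which is why the list shows names of that shape rather than the tokens themselves. The sample list and the NotFound Status body are constructed from the responses shown above; the live lookup function takes a CA bundle path as a parameter and is not executed here.

```python
"""Audit helpers for the OAuthAccessToken objects listed above (added example)."""
import base64
import hashlib
import json
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.error import HTTPError

PREFIX = "sha256~"

# Constructed sample: one item from the OAuthAccessTokenList shown above, and the
# Status body the API returns when the requested name does not exist.
SAMPLE_LIST = {
    "kind": "OAuthAccessTokenList",
    "items": [{
        "metadata": {"name": "sha256~-wYkxX_9nGfjwAAUiPyEYc9iOdjLx7Y1iUp5iSYd-Ag",
                     "creationTimestamp": "2021-11-30T08:24:37Z"},
        "clientName": "openshift-challenging-client",
        "expiresIn": 86400,
        "scopes": ["user:full"],
        "userName": "john.doe",
    }],
}
SAMPLE_NOT_FOUND = {"kind": "Status", "status": "Failure", "reason": "NotFound", "code": 404,
                    "message": "oauthaccesstokens.oauth.openshift.io \"sha256~...\" not found"}


def token_object_name(bearer_token: str) -> str:
    """Object name the API uses for a bearer token.

    Assumption (not stated on this page): OpenShift 4.6+ stores the token under
    PREFIX + unpadded base64url(SHA-256(secret after the prefix)), so listing the
    objects reveals hashes, not the tokens themselves.
    """
    if not bearer_token.startswith(PREFIX):
        raise ValueError("expected a sha256~ prefixed token")
    digest = hashlib.sha256(bearer_token[len(PREFIX):].encode()).digest()
    return PREFIX + base64.urlsafe_b64encode(digest).decode().rstrip("=")


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize_tokens(token_list: dict, now_iso: str) -> list:
    """One row per token: owner, issuing client, scopes, expiry, and whether it has lapsed."""
    now = _parse_ts(now_iso)
    rows = []
    for item in token_list.get("items", []):
        created = _parse_ts(item["metadata"]["creationTimestamp"])
        expires = created + timedelta(seconds=item["expiresIn"])
        rows.append({
            "name": item["metadata"]["name"],
            "userName": item["userName"],
            "clientName": item["clientName"],
            "scopes": list(item["scopes"]),
            "expiresAt": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expired": expires <= now,
        })
    return rows


def owns_token(bearer_token: str, token_list: dict) -> bool:
    """True when the hashed name of bearer_token appears in the list (the caller's own token)."""
    wanted = token_object_name(bearer_token)
    return any(item["metadata"]["name"] == wanted for item in token_list.get("items", []))


def lookup_result(body: dict):
    """Interpret a GET .../oauthaccesstokens/<name> body: the object, or None when NotFound."""
    if body.get("kind") != "Status":
        return body
    if body.get("reason") == "NotFound":
        return None
    raise RuntimeError(body.get("message", "unexpected Status response"))


def get_token_object(api_url: str, bearer_token: str, name: str, cafile: str):
    """Live lookup (not executed here). Same request as the curl above, but the API server
    certificate is verified against cafile instead of being skipped with --insecure."""
    req = urllib.request.Request(
        f"{api_url}/apis/oauth.openshift.io/v1/oauthaccesstokens/{name}",
        headers={"Accept": "application/json", "Authorization": f"Bearer {bearer_token}"},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return lookup_result(json.load(resp))
    except HTTPError as err:
        return lookup_result(json.load(err))  # a 404 body is a Status object, handled above


if __name__ == "__main__":
    for row in summarize_tokens(SAMPLE_LIST, "2021-12-02T00:00:00Z"):
        print(row)
    print(lookup_result(SAMPLE_NOT_FOUND))
```

Run against the sample, the single token is reported as belonging to john.doe, issued by openshift-challenging-client, expiring at 2021-12-01T08:24:37Z, and owns_token only answers True when the hash of the supplied bearer token matches a listed name, so the raw token never has to be compared or logged.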
