
If you are not familiar with OAuth, check out What is an OAuth token.
This might seem a bit counterintuitive at first, but you must first get an OAuth token before you can list the OAuth tokens. Let's say you have issued this command to obtain an OAuth Bearer Token.
curl \
  --insecure \
  --request GET \
  --user john.doe:itsasecret \
  --header "X-CSRF-Token: xxx" \
  --url "https://oauth-openshift.apps.openshift.example.com/oauth/authorize?response_type=token&client_id=openshift-challenging-client" \
  --head | grep Location
Something like this should be returned. In this example, the Bearer Token is sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U.
Location: https://oauth-openshift.apps.openshift.example.com/oauth/token/implicit#access_token=sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U&expires_in=86400&scope=user%3Afull&token_type=Bearer
Notice in this example that https://oauth-openshift.apps.lab001.op.example.com/oauth/authorize is used. This value is defined in a config map in the openshift-authentication project / namespace.
~]$ oc describe configmap v4-0-config-system-metadata --namespace openshift-authentication
Name: v4-0-config-system-metadata
Namespace: openshift-authentication
Labels: app=oauth-openshift
Annotations: <none>
Data
====
oauthMetadata:
----
{
"issuer": "https://oauth-openshift.apps.openshift.example.com",
"authorization_endpoint": "https://oauth-openshift.apps.openshift.example.com/oauth/authorize",
"token_endpoint": "https://oauth-openshift.apps.openshift.example.com/oauth/token",
Or use the oc get route command.
~]$ oc get route oauth-openshift --namespace openshift-authentication --output yaml | grep host
host: oauth-openshift.apps.lab001.op.example.com
Now you should be able to issue the following command to list all of the OAuth tokens. The oc config view or oc get apiserver commands can be used to display the API Server URL (api.openshift.example.com in this example).
curl \
  --insecure \
  --request GET \
  --header "Accept: application/json" \
  --header "Authorization: Bearer sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U" \
  --url "https://api.openshift.example.com:6443/apis/oauth.openshift.io/v1/oauthaccesstokens"
Something like this should be returned.
{
  "kind": "OAuthAccessTokenList",
  "apiVersion": "oauth.openshift.io/v1",
  "metadata": {
    "selfLink": "/apis/oauth.openshift.io/v1/oauthaccesstokens",
    "resourceVersion": "151605843"
  },
  "items": [
    {
      "metadata": {
        "name": "sha256~-wYkxX_9nGfjwAAUiPyEYc9iOdjLx7Y1iUp5iSYd-Ag",
        "selfLink": "/apis/oauth.openshift.io/v1/oauthaccesstokens/sha256~-wYkxX_9nGfjwAAUiPyEYc9iOdjLx7Y1iUp5iSYd-Ag",
        "uid": "47c0469b-2095-4a36-9f31-1f8036b96f25",
        "resourceVersion": "150530883",
        "creationTimestamp": "2021-11-30T08:24:37Z",
        "managedFields": [
          {
            "manager": "oauth-server",
            "operation": "Update",
            "apiVersion": "oauth.openshift.io/v1",
            "time": "2021-11-30T08:24:37Z",
            "fieldsType": "FieldsV1",
            "fieldsV1": {"f:clientName":{},"f:expiresIn":{},"f:redirectURI":{},"f:scopes":{},"f:userName":{},"f:userUID":{}}
          }
        ]
      },
      "clientName": "openshift-challenging-client",
      "expiresIn": 86400,
      "scopes": [
        "user:full"
      ],
      "redirectURI": "https://oauth-openshift.apps.openshift.example.com/oauth/token/implicit",
      "userName": "john.doe",
      "userUID": "27952747-48b7-43c6-8db5-6dbd1c604b8b"
    }
  ]
}
Or, you can append a token's name (the metadata.name value from the list) to the URL to see if a specific token exists.
curl \
  --insecure \
  --request GET \
  --header "Accept: application/json" \
  --header "Authorization: Bearer sha256~0Rs__hPuXmBD3TJTXNDisC7wRBN-nrFnYTxgdBrFT-U" \
  --url "https://api.openshift.example.com:6443/apis/oauth.openshift.io/v1/oauthaccesstokens/sha256~-wYkxX_9nGfjwAAUiPyEYc9iOdjLx7Y1iUp5iSYd-Ag"
If the token does not exist, something like this should be returned.
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "oauthaccesstokens.oauth.openshift.io \"sha256~por0plpJbbFy8F0D-ylYjRbmvz8Wq2DV15l6-lLDWTE\" not found",
  "reason": "NotFound",
  "details": {
    "name": "sha256~por0plpJbbFy8F0D-ylYjRbmvz8Wq2DV15l6-lLDWTE",
    "group": "oauth.openshift.io",
    "kind": "oauthaccesstokens"
  },
  "code": 404
}
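Added example (not from the original article): a Python audit of the OAuthAccessTokenList response shown above, reporting which tokens are still live and which carry the user:full scope, plus a helper that maps a bearer token to the object name used in the lookup URL. Assumptions: on OpenShift 4.6 and later the object name is "sha256~" followed by the unpadded base64url SHA-256 of the token secret, a missing or zero expiresIn means no expiry, and the sample data and function names are constructed for illustration.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

PREFIX = "sha256~"

def token_to_object_name(bearer):
    # Assumption (OpenShift 4.6+): name = "sha256~" + base64url(SHA-256(secret)), unpadded.
    if not bearer.startswith(PREFIX):
        return bearer  # unprefixed tokens are assumed to be stored under their own value
    digest = hashlib.sha256(bearer[len(PREFIX):].encode()).digest()
    return PREFIX + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def audit_tokens(token_list, now):
    """Summarise an OAuthAccessTokenList: owner, client, expiry, live, full_scope."""
    findings = []
    for item in token_list.get("items", []):
        created = datetime.strptime(
            item["metadata"]["creationTimestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        ttl = item.get("expiresIn", 0)
        # Assumption: a missing or zero expiresIn means the token never expires.
        expires = created + timedelta(seconds=ttl) if ttl else None
        findings.append({
            "name": item["metadata"]["name"],
            "user": item.get("userName"),
            "client": item.get("clientName"),
            "expires": expires,
            "live": expires is None or expires > now,
            "full_scope": "user:full" in item.get("scopes", []),
        })
    return findings

# Constructed sample shaped like the response above; names are placeholders.
SAMPLE = {"kind": "OAuthAccessTokenList", "items": [
    {"metadata": {"name": "sha256~PLACEHOLDER-A", "creationTimestamp": "2021-11-30T08:24:37Z"},
     "clientName": "openshift-challenging-client", "expiresIn": 86400,
     "scopes": ["user:full"], "userName": "john.doe"},
    {"metadata": {"name": "sha256~PLACEHOLDER-B", "creationTimestamp": "2021-11-28T08:00:00Z"},
     "clientName": "openshift-browser-client", "expiresIn": 86400,
     "scopes": ["user:info"], "userName": "jane.doe"},
]}

if __name__ == "__main__":
    now = datetime(2021, 11, 30, 12, 0, tzinfo=timezone.utc)
    for f in audit_tokens(SAMPLE, now):
        state = "LIVE" if f["live"] else "expired"
        flag = " full-scope" if f["full_scope"] else ""
        print(f'{f["user"]:10} {f["client"]:30} {state}{flag} until {f["expires"]}')
```

Under the naming assumption, the object name can be written to logs or tickets without exposing the bearer token itself.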