How to get Openshift session token using rest api calls
Solution 1
I have found the answer in this GitHub issue.
Surprisingly, one curl command is enough to get the token:
curl -u joe:password -kv -H "X-CSRF-Token: xxx" 'https://master.cluster.local:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token'
The response is going to be an HTTP 302 trying to redirect to another URL. The redirection URL will contain the token, for example:
Location: https://master.cluster.local:8443/oauth/token/display#access_token=VO4dAgNGLnX5MGYu_wXau8au2Rw0QAqnwq8AtrLkMfU&expires_in=86400&token_type=bearer
Solution 2
You can use a token or a username/password combination. To use username:password in a header, you can use Authorization: Basic. The oc client commands do simple authentication with your user and password in the header, like this:
curl -H "Authorization: Basic <SOMEHASH>"
where the hash is exactly the base64-encoded username:password (try it with echo -n "username:password" | base64).
To use token, you can obtain the token here with curl:
curl -H "Authorization: Basic $(echo -n username:password | base64)" https://openshift.example.com:8443/oauth/authorize\?response_type\=token\&client_id\=openshift-challenging-client
But the token is returned in an ugly format. You can try to grep it:
... | grep -oP "access_token=\K[^&]*"
Solution 3
You need to use the correct URL for your OAuth server. In my case, I use OpenShift 4.7 and this is the URL:
https://oauth-openshift.apps.<clustername><domain>/oauth/authorize\?response_type\=token\&client_id\=openshift-challenging-client
oc get route oauth-openshift -n openshift-authentication -o json | jq .spec.host
Comments
-
Perennialista almost 2 years
As part of an automated tests suite I have to use OpenShift's REST APIs to send commands and get OpenShift's status. To authenticate these API calls I need to embed an authorization token in every call.
Currently, I get this token by executing the following commands with ssh on the machine where OpenShift is installed:
oc login --username=<uname> --password=<password>
oc whoami --show-token
I would like to stop using the oc tool completely and get this token using HTTP calls to the APIs, but I am not really able to find a document that explains how to use it. If I use the option --loglevel=10 when calling oc commands I can see the HTTP calls made by oc when logging in, but it is quite difficult for me to reverse-engineer the process from these logs. Theoretically this is not something specific to OpenShift but rather to the OAuth protocol; I have found some documentation like the one posted here, but I still find it difficult to implement without specific examples.
If that helps, I am developing this tool using ruby (not rails).
P.S. I know that normally for this type of job one should use Service Account Tokens, but since this is a testing environment the OpenShift installation gets removed and reinstalled fairly often. This would force me to re-create the service account every time with the oc command line tool and again prevent me from automating the process.
-
Perennialista about 6 years
You mean I could avoid using the token and just use username/password encoded in base64 format?
-
anonymous about 6 years
Yes, you can use the username/password. However, the whole auth is based on tokens. You can also create a sa and secret, add the admin role to the sa and use its token to auth against OpenShift. For some automated script, it is better to use a sa.
-
Perennialista about 6 years
Thank you for your answer, but I don't see how this is different from the answer I posted: I use username and password to obtain a token and afterwards use that token for my API calls. I also specify in the question that I want to avoid using Service Accounts.
-
Başar Söker about 3 years
Unfortunately, none of them worked for me. I can log in with the "oc login" command, but these curl commands fail with a 403 error. Can anyone help me with that? P.S: My cluster version is 4.6. Thanks in advance.
-
vlatko606 almost 2 years
Perennialista, by any chance do you know how I can resolve the same thing using Postman? Been bumping my head for a while trying to resolve it.