Chapter 4. Configuring OAuth clients
Several OAuth clients are created by default in OpenShift Container Platform. You can also register and configure additional OAuth clients.
4.1. Default OAuth clients
The following OAuth clients are automatically created when starting the OpenShift Container Platform API:
| OAuth client | Usage |
|---|---|
|
|
Requests tokens at |
|
|
Requests tokens with a user-agent that can handle |
|
| Requests tokens by using a local HTTP server fetching an authorization code grant. |
<namespace_route>refers to the namespace route. This is found by running the following command:$ oc get route oauth-openshift -n openshift-authentication -o json | jq .spec.host
4.2. Registering an additional OAuth client
If you need an additional OAuth client to manage authentication for your OpenShift Container Platform cluster, you can register one.
Procedure
To register additional OAuth clients:
$ oc create -f <(echo ' kind: OAuthClient apiVersion: oauth.openshift.io/v1 metadata: name: demo 1 secret: "..." 2 redirectURIs: - "http://www.example.com/" 3 grantMethod: prompt 4 ')
- 1
- The
nameof the OAuth client is used as theclient_idparameter when making requests to<namespace_route>/oauth/authorizeand<namespace_route>/oauth/token. - 2
- The
secretis used as theclient_secretparameter when making requests to<namespace_route>/oauth/token. - 3
- The
redirect_uriparameter specified in requests to<namespace_route>/oauth/authorizeand<namespace_route>/oauth/tokenmust be equal to or prefixed by one of the URIs listed in theredirectURIsparameter value. - 4
- The
grantMethodis used to determine what action to take when this client requests tokens and has not yet been granted access by the user. Specifyautoto automatically approve the grant and retry the request, orpromptto prompt the user to approve or deny the grant.
4.3. Configuring token inactivity timeout for an OAuth client
You can configure OAuth clients to expire OAuth tokens after a set period of inactivity. By default, no token inactivity timeout is set.
If the token inactivity timeout is also configured in the internal OAuth server configuration, the timeout that is set in the OAuth client overrides that value.
Prerequisites
-
You have access to the cluster as a user with the
cluster-adminrole. - You have configured an identity provider (IDP).
Procedure
Update the
OAuthClientconfiguration to set a token inactivity timeout.Edit the
OAuthClientobject:$ oc edit oauthclient <oauth_client> 1- 1
- Replace
<oauth_client>with the OAuth client to configure, for example,console.
Add the
accessTokenInactivityTimeoutSecondsfield and set your timeout value:apiVersion: oauth.openshift.io/v1 grantMethod: auto kind: OAuthClient metadata: ... accessTokenInactivityTimeoutSeconds: 600 1- 1
- The minimum allowed timeout value in seconds is
300.
- Save the file to apply the changes.
Verification
- Log in to the cluster with an identity from your IDP. Be sure to use the OAuth client that you just configured.
- Perform an action and verify that it was successful.
- Wait longer than the configured timeout without using the identity. In this procedure’s example, wait longer than 600 seconds.
Try to perform an action from the same identity’s session.
This attempt should fail because the token should have expired due to inactivity longer than the configured timeout.
