Chapter 3. Authentication

An authorization token is a secret value that is used to automatically log in to an OpenShift Enterprise account without entering login information each time. A token is also used to grant another user full or partial access to an account, determined by the scope of the token. The following table describes the different types of scopes available with authorization tokens.

When the client tools are installed and the rhc setup command is initially run to configure the client tools, the setup wizard prompts you to create an authorization token. If you answer YES, the wizard creates a session token in the ~/.openshift directory. With this token, all client tool commands can be run without entering your login credentials each time. When the token expires you are automatically prompted to reenter login information to renew the existing token. See the OpenShift Enterprise Client Tools Installation Guide for more information on installing and configuring the client tools.

If an authorization token was not created when the client tools were installed, run the setup wizard again with the rhc setup command to create one.

If an existing authorization token is no longer required and you do not wish to be prompted for token renewal, run the rhc logout command to delete the token.

Create a new authorization token with the following command: Specify the scope for the token with the --scopes option, and a name for the token with the --note option.

rhc authorization add --scopes session --note My_Token
Adding authorization ... done

My_token
--------
  Token:      787a57211d42f251204136b05d490038830d9b7057f54f816c2a9fcd0c8333b8
  Scopes:     session
  Created:    4:40 PM
  Expires In: about 1 day

rhc authorization add --scopes session --note My_Token
Adding authorization ... done

My_token
--------
  Token:      787a57211d42f251204136b05d490038830d9b7057f54f816c2a9fcd0c8333b8
  Scopes:     session
  Created:    4:40 PM
  Expires In: about 1 day

After creating a new authorization token, use the --token token_string global option to run rhc commands as the user associated with the authorization token that was provided.

View the tokens associated with your account with the following command:

rhc authorization list

$ rhc authorization list

rhc authorization list

$ rhc authorization list
My_token
--------
  Token:      787a57211d42f251204136b05d490038830d9b7057f54f816c2a9fcd0c8333b8
  Scopes:     session
  Created:    4:40 PM
  Expires In: about 23 hours

RHC/1.8.0 (from laptop.example.com on x86_64-linux)
---------------------------------------------------
  Token:      28f6e375dc7ea57b0dcabb3850d08ee9bc023f7df5dbfa4958afe7ad71d33e37
  Scopes:     session
  Created:    12:58 PM
  Expires In: about 19 hours

Delete authorization tokens when they are no longer required, or to end access to your account by other users:

Delete one or more tokens with the following command, separating multiple tokens with commas:

Delete all tokens associated with your account with the following command: