OpenShift OAuth Authentication Sequence
Internal
curl
curl -v -I --insecure "https://openshift-master1:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client" --user ovidiu:ovidiu123 -H "X-CSRF-Token: 1"
* Trying 172.20.2.1...
* Connected to openshift-master1 (172.20.2.1) port 8443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate: openshift-master1
* Server certificate: openshift-signer@1442020517
* Server auth using Basic with user 'ovidiu'
> HEAD /oauth/authorize?response_type=token&client_id=openshift-challenging-client HTTP/1.1
> Host: openshift-master1:8443
> Authorization: Basic b3ZpZGl1Om92aWRpdTEyMw==
> User-Agent: curl/7.43.0
> Accept: */*
> X-CSRF-Token: 1
>
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Location: https://openshift-master1:8443/oauth/token/display#access_token=A4wQqlpbYx9t2CyefgE_3DbMMlmFxaFEqwUspbslcdY&expires_in=86400&token_type=bearer
Location: https://openshift-master1:8443/oauth/token/display#access_token=A4wQqlpbYx9t2CyefgE_3DbMMlmFxaFEqwUspbslcdY&expires_in=86400&token_type=bearer
< Pragma: no-cache
Pragma: no-cache
< Set-Cookie: ssn=MTQ0NDMyNDk3MXxQUURHYnB1WUEwWEZyRGxhTkwzSTRZU2tjem5Ud1QtY2NIN3ZxWnN2ZW5JYWpVUXJieUc1WEZmV1RaWFlFeHJqTDZFNVRUM3NhTlBfeGdlME9WanVhWUJRdXE1NzhQdlY2dFUtaVVyTGI4U3VOS244WllJRHhEQXYtQ2hLbnJreWF3PT188Enelep1w-0d9B_KTB4FR6ej9XI55T09Aplt3SAoa2Y=; Path=/; Expires=Thu, 08 Oct 2015 18:22:51 UTC; Max-Age=3600; HttpOnly; Secure
Set-Cookie: ssn=MTQ0NDMyNDk3MXxQUURHYnB1WUEwWEZyRGxhTkwzSTRZU2tjem5Ud1QtY2NIN3ZxWnN2ZW5JYWpVUXJieUc1WEZmV1RaWFlFeHJqTDZFNVRUM3NhTlBfeGdlME9WanVhWUJRdXE1NzhQdlY2dFUtaVVyTGI4U3VOS244WllJRHhEQXYtQ2hLbnJreWF3PT188Enelep1w-0d9B_KTB4FR6ej9XI55T09Aplt3SAoa2Y=; Path=/; Expires=Thu, 08 Oct 2015 18:22:51 UTC; Max-Age=3600; HttpOnly; Secure
< Date: Thu, 08 Oct 2015 17:22:51 GMT
Date: Thu, 08 Oct 2015 17:22:51 GMT
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host openshift-master1 left intact
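The curl output above shows the two things a client has to get right in this exchange: send Basic credentials plus the X-CSRF-Token header, and read the token out of the URL fragment of the 302 Location header without following the redirect (a fragment is never sent to a server, so a client that follows the redirect loses the token). The following Python is an added example, not code from this page or from OpenShift: it builds the same request, parses the redirect, and rejects any response where the token is not a bearer token in the fragment. The SAMPLE_HEADERS value is constructed from the Location header above so the parser runs offline; request_token performs the live call and is the only part that needs a cluster.

```python
import base64
import http.client
import ssl
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the 302 the curl command above received (values copied
# from the page), so the parser can be exercised without a cluster.
SAMPLE_STATUS = 302
SAMPLE_HEADERS = {
    "Location": "https://openshift-master1:8443/oauth/token/display"
                "#access_token=A4wQqlpbYx9t2CyefgE_3DbMMlmFxaFEqwUspbslcdY"
                "&expires_in=86400&token_type=bearer",
    "Content-Type": "text/plain; charset=utf-8",
}


def challenge_headers(user: str, password: str) -> dict:
    """Headers for the openshift-challenging-client request: HTTP Basic plus the
    X-CSRF-Token header the curl command above sends (the value itself does not matter)."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {cred}", "X-CSRF-Token": "1"}


def parse_token_redirect(status: int, headers: dict) -> dict:
    """Pull the bearer token out of a 302 whose Location carries it in the URL
    fragment.  Raises ValueError unless the response is that implicit-grant redirect."""
    if status != 302:
        raise ValueError(f"expected 302 Found, got {status}")
    location = headers.get("Location", "")
    parts = urlsplit(location)
    # The token belongs in the fragment only: a fragment is never transmitted to
    # a server, whereas a query-string token would be sent (and logged) on redirect.
    if "access_token" in dict(parse_qsl(parts.query)):
        raise ValueError("access_token present in the query string")
    frag = dict(parse_qsl(parts.fragment))
    token = frag.get("access_token")
    if not token or frag.get("token_type", "").lower() != "bearer":
        raise ValueError(f"no bearer token in Location fragment: {location!r}")
    return {
        "access_token": token,
        "token_type": "bearer",
        "expires_in": int(frag.get("expires_in", "0")),
        "redirect_target": f"{parts.scheme}://{parts.netloc}{parts.path}",
    }


def request_token(host: str, port: int, user: str, password: str,
                  ca_file: Optional[str] = None) -> dict:
    """Run the same exchange as the curl command above.  http.client does not
    follow redirects, which is essential here: following the 302 would drop the
    fragment, and the token with it.  ca_file is the cluster CA bundle; None
    skips verification, the equivalent of curl --insecure."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if ca_file is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.request("GET",
                 "/oauth/authorize?response_type=token&client_id=openshift-challenging-client",
                 headers=challenge_headers(user, password))
    resp = conn.getresponse()
    headers = {name.title(): value for name, value in resp.getheaders()}
    return parse_token_redirect(resp.status, headers)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample response.
    print(parse_token_redirect(SAMPLE_STATUS, SAMPLE_HEADERS))
```

The 401 branch of the flow (no credentials yet) is also covered: parse_token_redirect raises on anything other than a 302, so a caller can fall back to prompting for a password exactly as oc does in the next section.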
Sequence of Calls with oc
These are not individual curl commands that were typed by hand; they are the equivalent curl invocations that oc reports in its debug output as it talks to the OpenShift server:
Starts with an unauthenticated call:
I1007 11:55:41.037136 2176 debugging.go:101] curl -k -v -XGET -H "User-Agent: oc/v3.0.1.0 (linux/amd64) openshift/e51f583" https://openshift-master1:8443/oapi/v1/users/~
I1007 11:55:41.050006 2176 debugging.go:120] GET https://openshift-master1:8443/oapi/v1/users/~ 403 Forbidden in 12 milliseconds
I1007 11:55:41.050023 2176 debugging.go:126] Response Headers:
I1007 11:55:41.050027 2176 debugging.go:129]     Cache-Control: no-store
I1007 11:55:41.050030 2176 debugging.go:129]     Content-Type: application/json
I1007 11:55:41.050034 2176 debugging.go:129]     Date: Wed, 07 Oct 2015 18:55:41 GMT
I1007 11:55:41.050037 2176 debugging.go:129]     Content-Length: 262
I1007 11:55:41.050052 2176 request.go:777] Response Body: {
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:anonymous\" cannot get users at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "~",
    "kind": "users"
  },
  "code": 403
}
That call was rejected with 403, so oc sends the OAuth authorization request:
I1007 11:55:41.050293 2176 debugging.go:101] curl -k -v -XGET -H "X-Csrf-Token: 1" https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token
I1007 11:55:41.063290 2176 debugging.go:120] GET https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token 401 Unauthorized in 12 milliseconds
I1007 11:55:41.063305 2176 debugging.go:126] Response Headers:
I1007 11:55:41.063309 2176 debugging.go:129]     Www-Authenticate: Basic realm="openshift"
I1007 11:55:41.063313 2176 debugging.go:129]     Date: Wed, 07 Oct 2015 18:55:41 GMT
I1007 11:55:41.063316 2176 debugging.go:129]     Content-Length: 0
I1007 11:55:41.063320 2176 debugging.go:129]     Content-Type: text/plain; charset=utf-8
The server answers that Basic authentication is required, so oc prompts the user for the password:
Authentication required for https://openshift-master1:8443 (openshift) Password:
Then it re-sends the authorization request with the Basic credentials and receives the token:
I1007 11:56:18.548557 2176 debugging.go:101] curl -k -v -XGET -H "X-Csrf-Token: 1" -H "Authorization: Basic b3ZpZGl1Om92aWRpdTEyMw==" https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token
I1007 11:56:18.553456 2176 debugging.go:120] GET https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token 302 Found in 4 milliseconds
I1007 11:56:18.553469 2176 debugging.go:126] Response Headers:
I1007 11:56:18.553473 2176 debugging.go:129]     Date: Wed, 07 Oct 2015 18:56:18 GMT
I1007 11:56:18.553477 2176 debugging.go:129]     Content-Length: 0
I1007 11:56:18.553481 2176 debugging.go:129]     Content-Type: text/plain; charset=utf-8
I1007 11:56:18.553484 2176 debugging.go:129]     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
I1007 11:56:18.553488 2176 debugging.go:129]     Expires: Fri, 01 Jan 1990 00:00:00 GMT
I1007 11:56:18.553491 2176 debugging.go:129]     Location: https://openshift-master1:8443/oauth/token/display#access_token=Wvgp_89KM-OsOjfQb-wISSfxPFRJdfckAoFMBOrk7Qo&expires_in=86400&token_type=bearer
I1007 11:56:18.553495 2176 debugging.go:129]     Pragma: no-cache
I1007 11:56:18.553499 2176 debugging.go:129]     Set-Cookie: ssn=MTQ0NDI0NDE3OHxYNDZISlNJWjltZm9yZWNnYXFFQ1hnc1JoZFhKaGRhQllSQzFKeXQtZXNXdGFXX0FLSVFnRDNKRTVtdElmNHBsWnN3T3pOcGR4NnNoSkpuN0dydl9ZcW5Bb1RmYkFsVERBVU1FRllKWVB3VVFiT2x6MG1wS0RXQ3F3cHA3RUtROXVRPT18TMngt7y32mFpZduFDaifFFuGudq2FhmpJodDui9nQ68=; Path=/; Expires=Wed, 07 Oct 2015 19:56:18 UTC; Max-Age=3600; HttpOnly; Secure
OAuth-authenticated call:
I1007 11:56:18.555716 2176 debugging.go:101] curl -k -v -XGET -H "User-Agent: oc/v3.0.1.0 (linux/amd64) openshift/e51f583" -H "Authorization: Bearer Wvgp_89KM-OsOjfQb-wISSfxPFRJdfckAoFMBOrk7Qo" https://openshift-master1:8443/oapi/v1/users/~
I1007 11:56:18.569062 2176 debugging.go:120] GET https://openshift-master1:8443/oapi/v1/users/~ 200 OK in 13 milliseconds
I1007 11:56:18.569077 2176 debugging.go:126] Response Headers:
I1007 11:56:18.569081 2176 debugging.go:129]     Content-Type: application/json
I1007 11:56:18.569084 2176 debugging.go:129]     Date: Wed, 07 Oct 2015 18:56:18 GMT
I1007 11:56:18.569087 2176 debugging.go:129]     Content-Length: 259
I1007 11:56:18.569091 2176 debugging.go:129]     Cache-Control: no-store
I1007 11:56:18.569103 2176 request.go:777] Response Body: {"kind":"User","apiVersion":"v1","metadata":{"name":"ovidiu","selfLink":"/oapi/v1/users/ovidiu","uid":"47d29b8e-6874-11e5-98d6-08002733d9bd","resourceVersion":"175262","creationTimestamp":"2015-10-01T19:40:33Z"},"identities":["htpasswd:ovidiu"],"groups":null}
Login successful.
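Two practical points follow from the oc debug trace above. First, the four-step shape (403 on the API, 401 with a Basic challenge, 302 carrying the token, 200 on the retry) is a fingerprint that can be checked mechanically. Second, the trace contains the Basic credentials, the bearer token and the ssn session cookie in clear, so a debug log like this must be redacted before it is attached to a ticket or shared. The Python below is an added example, not code from this page or from oc: it extracts the (method, path, status) sequence from debug lines, verifies it matches the challenging-client flow, and masks the secret-bearing fields. SAMPLE_LOG is constructed from the lines above, with the long Set-Cookie value shortened; the regular expressions are assumptions about the log format and only cover what the trace shows.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample: oc debug lines copied from the trace above (one request
# and one response line per step), with the ssn cookie value shortened.
SAMPLE_LOG = """\
I1007 11:55:41.037136 2176 debugging.go:101] curl -k -v -XGET -H "User-Agent: oc/v3.0.1.0 (linux/amd64) openshift/e51f583" https://openshift-master1:8443/oapi/v1/users/~
I1007 11:55:41.050006 2176 debugging.go:120] GET https://openshift-master1:8443/oapi/v1/users/~ 403 Forbidden in 12 milliseconds
I1007 11:55:41.050293 2176 debugging.go:101] curl -k -v -XGET -H "X-Csrf-Token: 1" https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token
I1007 11:55:41.063290 2176 debugging.go:120] GET https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token 401 Unauthorized in 12 milliseconds
I1007 11:55:41.063309 2176 debugging.go:129]     Www-Authenticate: Basic realm="openshift"
I1007 11:56:18.548557 2176 debugging.go:101] curl -k -v -XGET -H "X-Csrf-Token: 1" -H "Authorization: Basic b3ZpZGl1Om92aWRpdTEyMw==" https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token
I1007 11:56:18.553456 2176 debugging.go:120] GET https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token 302 Found in 4 milliseconds
I1007 11:56:18.553491 2176 debugging.go:129]     Location: https://openshift-master1:8443/oauth/token/display#access_token=Wvgp_89KM-OsOjfQb-wISSfxPFRJdfckAoFMBOrk7Qo&expires_in=86400&token_type=bearer
I1007 11:56:18.553499 2176 debugging.go:129]     Set-Cookie: ssn=MTQ0NDI0NDE3OHxY...; Path=/; Expires=Wed, 07 Oct 2015 19:56:18 UTC; Max-Age=3600; HttpOnly; Secure
I1007 11:56:18.555716 2176 debugging.go:101] curl -k -v -XGET -H "Authorization: Bearer Wvgp_89KM-OsOjfQb-wISSfxPFRJdfckAoFMBOrk7Qo" https://openshift-master1:8443/oapi/v1/users/~
I1007 11:56:18.569062 2176 debugging.go:120] GET https://openshift-master1:8443/oapi/v1/users/~ 200 OK in 13 milliseconds
"""

# Response summary lines: "<METHOD> <url> <status> <reason> in <n> milliseconds".
RESPONSE_RE = re.compile(
    r"debugging\.go:\d+\] (GET|POST|PUT|DELETE|PATCH) (\S+) (\d{3}) [A-Za-z ]+ in \d+ milliseconds")

# Fields whose values are credentials: Basic/Bearer Authorization, the token in
# the Location fragment, and the ssn session cookie.
SECRET_RES = [
    (re.compile(r'(Authorization: (?:Basic|Bearer) )[^"\s]+'), r"\1[REDACTED]"),
    (re.compile(r"(access_token=)[^&\s]+"), r"\1[REDACTED]"),
    (re.compile(r"(ssn=)[^;\s]+"), r"\1[REDACTED]"),
]

# The challenging-client flow as seen from the client.
CHALLENGE_FLOW = [
    ("/oapi/v1/users/~", 403),
    ("/oauth/authorize", 401),
    ("/oauth/authorize", 302),
    ("/oapi/v1/users/~", 200),
]


def extract_calls(log: str) -> List[Tuple[str, str, int]]:
    """(method, path, status) for every response summary line, in log order."""
    calls = []
    for line in log.splitlines():
        m = RESPONSE_RE.search(line)
        if m:
            method, url, status = m.groups()
            calls.append((method, urlsplit(url).path, int(status)))
    return calls


def is_challenge_login(calls: List[Tuple[str, str, int]]) -> bool:
    """True when the path/status sequence is exactly the four-step flow above."""
    return [(path, status) for _, path, status in calls] == CHALLENGE_FLOW


def leaked_secrets(log: str) -> int:
    """How many credential-bearing fields the raw log contains."""
    return sum(len(rx.findall(log)) for rx, _ in SECRET_RES)


def redact(log: str) -> str:
    """Mask credential values so the log can be shared without handing out a session."""
    for rx, repl in SECRET_RES:
        log = rx.sub(repl, log)
    return log


if __name__ == "__main__":
    calls = extract_calls(SAMPLE_LOG)
    print("challenge login:", is_challenge_login(calls))
    print("secrets in raw log:", leaked_secrets(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

The redaction keeps the field names and the rest of each line intact, so the sequence check still works on a redacted log; the expiry of the token (expires_in=86400, one day) and of the cookie (Max-Age=3600) are the windows during which a leaked copy of this trace stays usable.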
Sequence of Calls after Submitting the Web Login Form from Browser
Initial POST that contains the credentials:
POST /login HTTP/1.1
Host: openshift-master1:8443
Connection: keep-alive
Content-Length: 264
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://openshift-master1:8443
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://openshift-master1:8443/login?then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26response_type%3Dtoken%26state%3D%252F%26redirect_uri%3Dhttps%253A%252F%252Fopenshift-master1%253A8443%252Fconsole%252Foauth
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: csrf=ee01b0d3-6d1f-11e5-bd04-08002733d9bd

then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26response_type%3Dtoken%26state%3D%252F%26redirect_uri%3Dhttps%253A%252F%252Fopenshift-master1%253A8443%252Fconsole%252Foauth&csrf=ee01b0d3-6d1f-11e5-bd04-08002733d9bd&username=ovidiu&password=ovidiu123
Response, redirect to /oauth/authorize:
HTTP/1.1 302 Found
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, X-Requested-With, If-Modified-Since
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: https://openshift-master1:8443
Location: /oauth/authorize?client_id=openshift-web-console&response_type=token&state=%2F&redirect_uri=https%3A%2F%2Fopenshift-master1%3A8443%2Fconsole%2Foauth
Set-Cookie: ssn=MTQ0NDI0MTk5OXxkREVTUFBVT0dpbnpyc1d5UFlEWU5nVmVPVElsNTYweTA1NDRGb0JBMFVwc0NuMVh3akJlcFZUelJSZWhkLTh3c3VBWmxtdTNPWG9LX1B6VDlmRmtvMHlpalZacTFNS2tCT2lnaWdCSWp3dWItX0twTGpzZjF0MFFCLXM0aUZIbTUyZ3h1SVNBZHhzR3JlUlhzTE5wWXJXVUtTQmFRRkVCZnpESUVqckxHa1B5bU1aeWVvSllvZ2gwWnc9PXwt8MACDlKKjlaJSYQf6eEpH4k3G13YWKTWiAbik50F1A==; Path=/; Expires=Wed, 07 Oct 2015 19:19:59 UTC; Max-Age=3600; HttpOnly; Secure
Date: Wed, 07 Oct 2015 18:19:59 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
GET that actually requests the OAuth Token:
GET /oauth/authorize?client_id=openshift-web-console&response_type=token&state=%2F&redirect_uri=https%3A%2F%2Fopenshift-master1%3A8443%2Fconsole%2Foauth HTTP/1.1
Host: openshift-master1:8443
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Referer: https://openshift-master1:8443/login?then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26response_type%3Dtoken%26state%3D%252F%26redirect_uri%3Dhttps%253A%252F%252Fopenshift-master1%253A8443%252Fconsole%252Foauth
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: csrf=ee01b0d3-6d1f-11e5-bd04-08002733d9bd; ssn=MTQ0NDI0MTk5OXxkREVTUFBVT0dpbnpyc1d5UFlEWU5nVmVPVElsNTYweTA1NDRGb0JBMFVwc0NuMVh3akJlcFZUelJSZWhkLTh3c3VBWmxtdTNPWG9LX1B6VDlmRmtvMHlpalZacTFNS2tCT2lnaWdCSWp3dWItX0twTGpzZjF0MFFCLXM0aUZIbTUyZ3h1SVNBZHhzR3JlUlhzTE5wWXJXVUtTQmFRRkVCZnpESUVqckxHa1B5bU1aeWVvSllvZ2gwWnc9PXwt8MACDlKKjlaJSYQf6eEpH4k3G13YWKTWiAbik50F1A==
Response that contains the OAuth Token (9JZZJ8A_rEJOWeOWrG-QpvvyWW_0gX1u_0wckh3_nt0):
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Location: https://openshift-master1:8443/console/oauth#access_token=9JZZJ8A_rEJOWeOWrG-QpvvyWW_0gX1u_0wckh3_nt0&expires_in=86400&state=/&token_type=bearer
Pragma: no-cache
Set-Cookie: ssn=MTQ0NDI0MTk5OXxfQlRJNi1KYi1TOXVfQnJBQ3pKcGEwNVpVU3ZOTTRGZmpZc0R2WVk5WTNMMGhZa0paLVA0REdUWko0OTUwbE1uM2xJM2ptbHhVVWdsblpDVzdfc0RXN3R5S3AweGQ5MC05UG4tdkJEVXJmYlNSS2lZdzN5b1RhU2pFQXVzQ0dpNW5BPT18KpNW4i1JJEXIWBK0zBHG00cttMZxoBB0SDKJFIyuYpY=; Path=/; Expires=Wed, 07 Oct 2015 19:19:59 UTC; Max-Age=3600; HttpOnly; Secure
Date: Wed, 07 Oct 2015 18:19:59 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
GET that follows the redirect to the console content:
GET /console/oauth HTTP/1.1
Host: openshift-master1:8443
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Referer: https://openshift-master1:8443/login?then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26response_type%3Dtoken%26state%3D%252F%26redirect_uri%3Dhttps%253A%252F%252Fopenshift-master1%253A8443%252Fconsole%252Foauth
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: csrf=ee01b0d3-6d1f-11e5-bd04-08002733d9bd; ssn=MTQ0NDI0MTk5OXxfQlRJNi1KYi1TOXVfQnJBQ3pKcGEwNVpVU3ZOTTRGZmpZc0R2WVk5WTNMMGhZa0paLVA0REdUWko0OTUwbE1uM2xJM2ptbHhVVWdsblpDVzdfc0RXN3R5S3AweGQ5MC05UG4tdkJEVXJmYlNSS2lZdzN5b1RhU2pFQXVzQ0dpNW5BPT18KpNW4i1JJEXIWBK0zBHG00cttMZxoBB0SDKJFIyuYpY=
Response - Authenticated access to Console:
Cache-Control: public, max-age=0, must-revalidate
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Etag: W/"e51f583_677a6970"
Vary: Accept-Encoding
Date: Wed, 07 Oct 2015 18:19:59 GMT
Content-Length: 886

<!doctype html>
<html class="no-js">
<head>
<meta charset="utf-8">
<base href="/console/">
<title>OpenShift Web Console</title>
...
</html>
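The browser flow above differs from the oc flow in two ways that are worth seeing in code: the POST /login carries the same csrf value twice, once in the Cookie header and once as a form field, which is what lets the server tell a form it served from a cross-site forgery; and the then parameter drives the post-login redirect, so a login handler has to make sure it only ever points back into the same host. The Python below is an added example of those checks, not OpenShift's own login handler; it is assumed that the handler accepts the request only when the two csrf values match, and the Origin comparison and the local-path restriction on then are added defensive checks rather than behaviour the page documents. SAMPLE_REQUEST is constructed from the POST above, keeping only the headers the checks read.

```python
import hmac
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed sample: the POST /login request shown above, reduced to the
# request line, the headers the checks read, and the form body.
SAMPLE_REQUEST = "\r\n".join([
    "POST /login HTTP/1.1",
    "Host: openshift-master1:8443",
    "Origin: https://openshift-master1:8443",
    "Content-Type: application/x-www-form-urlencoded",
    "Cookie: csrf=ee01b0d3-6d1f-11e5-bd04-08002733d9bd",
    "",
    "then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26response_type%3Dtoken"
    "%26state%3D%252F%26redirect_uri%3Dhttps%253A%252F%252Fopenshift-master1%253A8443"
    "%252Fconsole%252Foauth&csrf=ee01b0d3-6d1f-11e5-bd04-08002733d9bd"
    "&username=ovidiu&password=ovidiu123",
])

EXPECTED_ORIGIN = "https://openshift-master1:8443"


def parse_request(raw: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a raw HTTP request into lower-cased headers and the decoded form."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return headers, form


def parse_cookies(header: str) -> Dict[str, str]:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def is_local_redirect(then: str) -> bool:
    """Accept only a path on this host: a single leading '/', so absolute URLs
    and protocol-relative '//host' values are rejected."""
    return then.startswith("/") and not then.startswith("//") and "\\" not in then


def validate_login_post(raw: str, expected_origin: str = EXPECTED_ORIGIN) -> Dict[str, object]:
    """Double-submit CSRF check plus redirect sanitising for a /login POST."""
    headers, form = parse_request(raw)
    cookie_csrf = parse_cookies(headers.get("cookie", "")).get("csrf", "")
    form_csrf = form.get("csrf", "")
    # The form value must equal the cookie value; compare in constant time so a
    # wrong guess cannot be distinguished by timing.
    csrf_ok = bool(cookie_csrf) and hmac.compare_digest(cookie_csrf, form_csrf)
    origin_ok = headers.get("origin") == expected_origin
    then = form.get("then", "/")
    return {
        "csrf_ok": csrf_ok,
        "origin_ok": origin_ok,
        "then": then if is_local_redirect(then) else "/",
        "accepted": csrf_ok and origin_ok,
    }


if __name__ == "__main__":
    print(validate_login_post(SAMPLE_REQUEST))
```

The decoded then value comes out as exactly the path the 302 response above redirects to, which is the whole point of the parameter: the credentials never travel in the URL, only the place to resume the OAuth authorization afterwards.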