OpenShift OAuth Authentication Sequence

From NovaOrdis Knowledge Base
Revision as of 18:40, 12 October 2017 by Ovidiu

Internal

* OpenShift Security Concepts

curl

{{{
curl -v -I --insecure "https://openshift-master1:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client" --user ovidiu:ovidiu123 -H "X-CSRF-Token: 1"
}}}

{{{
*   Trying 172.20.2.1...
* Connected to openshift-master1 (172.20.2.1) port 8443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate: openshift-master1
* Server certificate: openshift-signer@1442020517
* Server auth using Basic with user 'ovidiu'
> HEAD /oauth/authorize?response_type=token&client_id=openshift-challenging-client HTTP/1.1
> Host: openshift-master1:8443
> Authorization: Basic b3ZpZGl1Om92aWRpdTEyMw==
> User-Agent: curl/7.43.0
> Accept: */*
> X-CSRF-Token: 1
> 
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Location: https://openshift-master1:8443/oauth/token/display#access_token=A4wQqlpbYx9t2CyefgE_3DbMMlmFxaFEqwUspbslcdY&expires_in=86400&token_type=bearer
Location: https://openshift-master1:8443/oauth/token/display#access_token=A4wQqlpbYx9t2CyefgE_3DbMMlmFxaFEqwUspbslcdY&expires_in=86400&token_type=bearer
< Pragma: no-cache
Pragma: no-cache
< Set-Cookie: ssn=MTQ0NDMyNDk3MXxQUURHYnB1WUEwWEZyRGxhTkwzSTRZU2tjem5Ud1QtY2NIN3ZxWnN2ZW5JYWpVUXJieUc1WEZmV1RaWFlFeHJqTDZFNVRUM3NhTlBfeGdlME9WanVhWUJRdXE1NzhQdlY2dFUtaVVyTGI4U3VOS244WllJRHhEQXYtQ2hLbnJreWF3PT188Enelep1w-0d9B_KTB4FR6ej9XI55T09Aplt3SAoa2Y=; Path=/; Expires=Thu, 08 Oct 2015 18:22:51 UTC; Max-Age=3600; HttpOnly; Secure
Set-Cookie: ssn=MTQ0NDMyNDk3MXxQUURHYnB1WUEwWEZyRGxhTkwzSTRZU2tjem5Ud1QtY2NIN3ZxWnN2ZW5JYWpVUXJieUc1WEZmV1RaWFlFeHJqTDZFNVRUM3NhTlBfeGdlME9WanVhWUJRdXE1NzhQdlY2dFUtaVVyTGI4U3VOS244WllJRHhEQXYtQ2hLbnJreWF3PT188Enelep1w-0d9B_KTB4FR6ej9XI55T09Aplt3SAoa2Y=; Path=/; Expires=Thu, 08 Oct 2015 18:22:51 UTC; Max-Age=3600; HttpOnly; Secure
< Date: Thu, 08 Oct 2015 17:22:51 GMT
Date: Thu, 08 Oct 2015 17:22:51 GMT
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
< 
* Connection #0 to host openshift-master1 left intact
}}}
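The same challenging-client request in Python, as an added example (not code from this page or from OpenShift): it sends the Basic credentials with the X-CSRF-Token header, refuses to follow the 302, and reads the token out of the Location fragment, which is where the server puts it because a browser never sends the fragment back. The master URL, user and password are assumed command-line arguments; `parse_token_fragment` and `request_token` are names chosen here.

```python
"""Added example: fetch an OpenShift OAuth token the way the curl above does."""
import base64
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow the 302: the token is in its Location header, not at the target."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def parse_token_fragment(location):
    """Pull access_token, expires_in and token_type out of a Location URL.

    The values sit in the URL fragment (after '#'). Browsers never send the
    fragment to a server, so the client has to read it locally.
    """
    fragment = urllib.parse.urlsplit(location).fragment
    params = dict(urllib.parse.parse_qsl(fragment))
    if "access_token" not in params:
        raise ValueError("Location carries no access_token fragment")
    return {
        "access_token": params["access_token"],
        "expires_in": int(params.get("expires_in", "0")),
        "token_type": params.get("token_type", ""),
    }


def request_token(master, user, password, insecure=False):
    """GET /oauth/authorize with Basic credentials and return the parsed token.

    master is e.g. "https://openshift-master1:8443" (assumed argument).
    """
    query = urllib.parse.urlencode(
        {"response_type": "token", "client_id": "openshift-challenging-client"})
    url = master.rstrip("/") + "/oauth/authorize?" + query
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": "Basic " + creds,
        # The curl on the page sends this header with the value "1"; the
        # server expects it to be present on challenging-client requests.
        "X-CSRF-Token": "1",
    })
    # --insecure in the curl above corresponds to skipping certificate verification here.
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()
    opener = urllib.request.build_opener(
        NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        opener.open(req, timeout=10)
    except urllib.error.HTTPError as err:
        if err.code == 302:
            return parse_token_fragment(err.headers["Location"])
        raise  # a 401 here means the credentials were rejected
    raise RuntimeError("expected a 302 redirect carrying the token")


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: token.py https://master:8443 user password [--insecure]")
    tok = request_token(*sys.argv[1:4], insecure="--insecure" in sys.argv)
    print(tok["token_type"], tok["access_token"][:6] + "...", "expires_in", tok["expires_in"])
```

Run it as `python token.py https://openshift-master1:8443 ovidiu ovidiu123 --insecure` against a master that uses a self-signed certificate; without `--insecure` the default context verifies the server certificate, which is the setting to keep outside a lab.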


!!!Sequence of Calls with oc

These are not curl commands that were actually run; they are the equivalent curl invocations that oc's debug logging (debugging.go) reports as it talks to the OpenShift server:

The sequence starts with an unauthenticated call:

{{{
I1007 11:55:41.037136 2176 debugging.go:101] curl -k -v -XGET -H "User-Agent: oc/v3.0.1.0 (linux/amd64) openshift/e51f583" https://openshift-master1:8443/oapi/v1/users/~
I1007 11:55:41.050006 2176 debugging.go:120] GET https://openshift-master1:8443/oapi/v1/users/~ 403 Forbidden in 12 milliseconds
I1007 11:55:41.050023 2176 debugging.go:126] Response Headers:
I1007 11:55:41.050027 2176 debugging.go:129]     Cache-Control: no-store
I1007 11:55:41.050030 2176 debugging.go:129]     Content-Type: application/json
I1007 11:55:41.050034 2176 debugging.go:129]     Date: Wed, 07 Oct 2015 18:55:41 GMT
I1007 11:55:41.050037 2176 debugging.go:129]     Content-Length: 262
I1007 11:55:41.050052 2176 request.go:777] Response Body: {
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:anonymous\" cannot get users at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "~",
    "kind": "users"
  },
  "code": 403
}
}}}

The call is rejected with 403 Forbidden, so oc sends an authentication request to the OAuth server:

{{{
I1007 11:55:41.050293 2176 debugging.go:101] curl -k -v -XGET -H "X-Csrf-Token: 1" https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token
I1007 11:55:41.063290 2176 debugging.go:120] GET https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token 401 Unauthorized in 12 milliseconds
I1007 11:55:41.063305 2176 debugging.go:126] Response Headers:
I1007 11:55:41.063309 2176 debugging.go:129]     Www-Authenticate: Basic realm="openshift"
I1007 11:55:41.063313 2176 debugging.go:129]     Date: Wed, 07 Oct 2015 18:55:41 GMT
I1007 11:55:41.063316 2176 debugging.go:129]     Content-Length: 0
I1007 11:55:41.063320 2176 debugging.go:129]     Content-Type: text/plain; charset=utf-8
}}}

The server answers 401 with Www-Authenticate: Basic realm="openshift", meaning Basic authentication is required, so oc prompts the user for the password:

{{{
Authentication required for https://openshift-master1:8443 (openshift)
Password:
}}}

It then repeats the request with the Basic Authorization header; the 302 response carries the access token in the fragment of its Location header:

{{{
I1007 11:56:18.548557 2176 debugging.go:101] curl -k -v -XGET -H "X-Csrf-Token: 1" -H "Authorization: Basic b3ZpZGl1Om92aWRpdTEyMw==" https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token
I1007 11:56:18.553456 2176 debugging.go:120] GET https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token 302 Found in 4 milliseconds
I1007 11:56:18.553469 2176 debugging.go:126] Response Headers:
I1007 11:56:18.553473 2176 debugging.go:129]     Date: Wed, 07 Oct 2015 18:56:18 GMT
I1007 11:56:18.553477 2176 debugging.go:129]     Content-Length: 0
I1007 11:56:18.553481 2176 debugging.go:129]     Content-Type: text/plain; charset=utf-8
I1007 11:56:18.553484 2176 debugging.go:129]     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
I1007 11:56:18.553488 2176 debugging.go:129]     Expires: Fri, 01 Jan 1990 00:00:00 GMT
I1007 11:56:18.553491 2176 debugging.go:129]     Location: https://openshift-master1:8443/oauth/token/display#access_token=Wvgp_89KM-OsOjfQb-wISSfxPFRJdfckAoFMBOrk7Qo&expires_in=86400&token_type=bearer
I1007 11:56:18.553495 2176 debugging.go:129]     Pragma: no-cache
I1007 11:56:18.553499 2176 debugging.go:129]     Set-Cookie: ssn=MTQ0NDI0NDE3OHxYNDZISlNJWjltZm9yZWNnYXFFQ1hnc1JoZFhKaGRhQllSQzFKeXQtZXNXdGFXX0FLSVFnRDNKRTVtdElmNHBsWnN3T3pOcGR4NnNoSkpuN0dydl9ZcW5Bb1RmYkFsVERBVU1FRllKWVB3VVFiT2x6MG1wS0RXQ3F3cHA3RUtROXVRPT18TMngt7y32mFpZduFDaifFFuGudq2FhmpJodDui9nQ68=; Path=/; Expires=Wed, 07 Oct 2015 19:56:18 UTC; Max-Age=3600; HttpOnly; Secure
}}}


Finally oc retries the original call, this time authenticated with the Bearer token:

{{{
I1007 11:56:18.555716 2176 debugging.go:101] curl -k -v -XGET -H "User-Agent: oc/v3.0.1.0 (linux/amd64) openshift/e51f583" -H "Authorization: Bearer Wvgp_89KM-OsOjfQb-wISSfxPFRJdfckAoFMBOrk7Qo" https://openshift-master1:8443/oapi/v1/users/~
I1007 11:56:18.569062 2176 debugging.go:120] GET https://openshift-master1:8443/oapi/v1/users/~ 200 OK in 13 milliseconds
I1007 11:56:18.569077 2176 debugging.go:126] Response Headers:
I1007 11:56:18.569081 2176 debugging.go:129]     Content-Type: application/json
I1007 11:56:18.569084 2176 debugging.go:129]     Date: Wed, 07 Oct 2015 18:56:18 GMT
I1007 11:56:18.569087 2176 debugging.go:129]     Content-Length: 259
I1007 11:56:18.569091 2176 debugging.go:129]     Cache-Control: no-store
I1007 11:56:18.569103 2176 request.go:777] Response Body: {"kind":"User","apiVersion":"v1","metadata":{"name":"ovidiu","selfLink":"/oapi/v1/users/ovidiu","uid":"47d29b8e-6874-11e5-98d6-08002733d9bd","resourceVersion":"175262","creationTimestamp":"2015-10-01T19:40:33Z"},"identities":["htpasswd:ovidiu"],"groups":null}
Login successful.
}}}
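An added example (not from this page or from oc) that treats the debug log above as data: it reconstructs the request and status sequence from the debugging.go:120 lines, and redacts the secrets the log leaks before it is shared, because the Basic header is only base64 of user:password and the Bearer token and ssn cookie grant access for their whole lifetime. The sample lines are constructed from the log on this page (the cookie value is a placeholder); `call_sequence`, `basic_user` and `redact` are names chosen here.

```python
"""Added example: parse and scrub oc debug output (constructed sample lines)."""
import base64
import re
import urllib.parse

# Constructed from the oc debug log on this page; the ssn value is a placeholder.
SAMPLE_LOG = [
    'I1007 11:55:41.050006 2176 debugging.go:120] GET https://openshift-master1:8443/oapi/v1/users/~ 403 Forbidden in 12 milliseconds',
    'I1007 11:55:41.063290 2176 debugging.go:120] GET https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token 401 Unauthorized in 12 milliseconds',
    'I1007 11:56:18.548557 2176 debugging.go:101] curl -k -v -XGET -H "X-Csrf-Token: 1" -H "Authorization: Basic b3ZpZGl1Om92aWRpdTEyMw==" https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token',
    'I1007 11:56:18.553456 2176 debugging.go:120] GET https://openshift-master1:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token 302 Found in 4 milliseconds',
    'I1007 11:56:18.553491 2176 debugging.go:129]     Location: https://openshift-master1:8443/oauth/token/display#access_token=Wvgp_89KM-OsOjfQb-wISSfxPFRJdfckAoFMBOrk7Qo&expires_in=86400&token_type=bearer',
    'I1007 11:56:18.553499 2176 debugging.go:129]     Set-Cookie: ssn=PLACEHOLDER-SESSION-VALUE; Path=/; Max-Age=3600; HttpOnly; Secure',
    'I1007 11:56:18.555716 2176 debugging.go:101] curl -k -v -XGET -H "Authorization: Bearer Wvgp_89KM-OsOjfQb-wISSfxPFRJdfckAoFMBOrk7Qo" https://openshift-master1:8443/oapi/v1/users/~',
    'I1007 11:56:18.569062 2176 debugging.go:120] GET https://openshift-master1:8443/oapi/v1/users/~ 200 OK in 13 milliseconds',
]

# debugging.go:120 lines read "<METHOD> <url> <status> <reason> in <n> milliseconds".
CALL_RE = re.compile(r'debugging\.go:120\] ([A-Z]+) (\S+) (\d{3}) .*? in \d+ milliseconds')

# What the log leaks: HTTP credentials, the token in the redirect fragment, the session cookie.
SECRET_RES = [
    (re.compile(r'(Authorization: (?:Basic|Bearer) )[^\s"]+'), r'\1[REDACTED]'),
    (re.compile(r'(access_token=)[^&\s]+'), r'\1[REDACTED]'),
    (re.compile(r'(ssn=)[^;\s]+'), r'\1[REDACTED]'),
]


def call_sequence(lines):
    """Return [(method, path, status), ...] in the order oc made the calls."""
    calls = []
    for line in lines:
        m = CALL_RE.search(line)
        if m:
            method, url, status = m.group(1), m.group(2), int(m.group(3))
            calls.append((method, urllib.parse.urlsplit(url).path, status))
    return calls


def basic_user(line):
    """Username from a logged Basic header; the header is base64, not encryption."""
    m = re.search(r'Authorization: Basic ([^\s"]+)', line)
    if not m:
        return None
    user, _, _password = base64.b64decode(m.group(1)).decode().partition(":")
    return user


def redact(line):
    """Mask every credential-bearing value on one log line."""
    for pattern, repl in SECRET_RES:
        line = pattern.sub(repl, line)
    return line


def redacted_log(lines):
    """Scrubbed copy of the log, safe to attach to a ticket."""
    return [redact(line) for line in lines]


if __name__ == "__main__":
    for method, path, status in call_sequence(SAMPLE_LOG):
        print(f"{method} {path} -> {status}")
    print("\n".join(redacted_log(SAMPLE_LOG)))
```

The sequence the parser recovers is the one the prose above walks through: 403 on the anonymous call, 401 from the OAuth server, 302 with the token, 200 with the Bearer header. The redaction patterns are deliberately keyed on the header and parameter names rather than on token shape, so they also cover the Set-Cookie and Location lines in the browser section that follows.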

!!!Sequence of Calls after Submitting the Web Login Form from Browser

Initial POST that contains the credentials:

{{{
POST /login HTTP/1.1
Host: openshift-master1:8443
Connection: keep-alive
Content-Length: 264
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://openshift-master1:8443
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://openshift-master1:8443/login?then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26response_type%3Dtoken%26state%3D%252F%26redirect_uri%3Dhttps%253A%252F%252Fopenshift-master1%253A8443%252Fconsole%252Foauth
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: csrf=ee01b0d3-6d1f-11e5-bd04-08002733d9bd

then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26response_type%3Dtoken%26state%3D%252F%26redirect_uri%3Dhttps%253A%252F%252Fopenshift-master1%253A8443%252Fconsole%252Foauth&csrf=ee01b0d3-6d1f-11e5-bd04-08002733d9bd&username=ovidiu&password=ovidiu123
}}}

Response: the login succeeds, the server sets the ssn session cookie and redirects the browser to /oauth/authorize (the decoded value of the then form field):

{{{
HTTP/1.1 302 Found
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, X-Requested-With, If-Modified-Since
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Origin: https://openshift-master1:8443
Location: /oauth/authorize?client_id=openshift-web-console&response_type=token&state=%2F&redirect_uri=https%3A%2F%2Fopenshift-master1%3A8443%2Fconsole%2Foauth
Set-Cookie: ssn=MTQ0NDI0MTk5OXxkREVTUFBVT0dpbnpyc1d5UFlEWU5nVmVPVElsNTYweTA1NDRGb0JBMFVwc0NuMVh3akJlcFZUelJSZWhkLTh3c3VBWmxtdTNPWG9LX1B6VDlmRmtvMHlpalZacTFNS2tCT2lnaWdCSWp3dWItX0twTGpzZjF0MFFCLXM0aUZIbTUyZ3h1SVNBZHhzR3JlUlhzTE5wWXJXVUtTQmFRRkVCZnpESUVqckxHa1B5bU1aeWVvSllvZ2gwWnc9PXwt8MACDlKKjlaJSYQf6eEpH4k3G13YWKTWiAbik50F1A==; Path=/; Expires=Wed, 07 Oct 2015 19:19:59 UTC; Max-Age=3600; HttpOnly; Secure
Date: Wed, 07 Oct 2015 18:19:59 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
}}}
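The server side of this exchange, as an added example (not OpenShift's own code): the checks that have to pass between the POST above and the 302 it receives. The request carries the csrf value twice, in the Cookie header and in the form body, which is the double-submit pattern, and the then field is the target the 302 Location repeats, so it must be confined to a local path. `handle_login`, `safe_then` and the `USERS` table are constructed for this example, and the session cookie value is a random string rather than the encoded session OpenShift issues.

```python
"""Added example: the checks a /login handler makes on the POST shown above."""
import hmac
import secrets
import urllib.parse
from http.cookies import SimpleCookie

# Constructed stand-in for the htpasswd identity provider the oc output shows
# ("identities": ["htpasswd:ovidiu"]); a real server verifies against the provider.
USERS = {"ovidiu": "ovidiu123"}

# Constructed from the POST on this page.
SAMPLE_HEADERS = {"Cookie": "csrf=ee01b0d3-6d1f-11e5-bd04-08002733d9bd"}
SAMPLE_BODY = (
    "then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26response_type%3Dtoken"
    "%26state%3D%252F%26redirect_uri%3Dhttps%253A%252F%252Fopenshift-master1%253A8443"
    "%252Fconsole%252Foauth&csrf=ee01b0d3-6d1f-11e5-bd04-08002733d9bd"
    "&username=ovidiu&password=ovidiu123"
)


def parse_cookies(header):
    """Cookie request header -> {name: value}."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def safe_then(then):
    """Keep the post-login target on this host: a path only, never a URL.

    Rejecting scheme, host, protocol-relative ("//host") and backslash forms
    stops the login page from acting as an open redirector.
    """
    if not then or not then.startswith("/") or then.startswith("//") or "\\" in then:
        return "/"
    parts = urllib.parse.urlsplit(then)
    if parts.scheme or parts.netloc:
        return "/"
    return then


def _eq(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def handle_login(headers, body):
    """Process POST /login; return (status, response headers).

    headers: request headers dict; body: the urlencoded form body.
    """
    cookies = parse_cookies(headers.get("Cookie"))
    form = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
    text = {"Content-Type": "text/plain; charset=utf-8"}

    # Double-submit CSRF check: the csrf form field must equal the csrf cookie.
    # A cross-site form cannot read the victim's cookie, so it cannot supply it.
    if not cookies.get("csrf") or not _eq(cookies["csrf"], form.get("csrf", "")):
        return 400, text

    # Same comparison path whether or not the user exists.
    expected = USERS.get(form.get("username", ""), "")
    if not expected or not _eq(expected, form.get("password", "")):
        return 401, text

    # Only now mint the session; the browser then fetches /oauth/authorize with it.
    session = secrets.token_urlsafe(32)
    return 302, {
        "Location": safe_then(form.get("then")),
        "Set-Cookie": f"ssn={session}; Path=/; Max-Age=3600; HttpOnly; Secure",
    }


if __name__ == "__main__":
    status, resp = handle_login(SAMPLE_HEADERS, SAMPLE_BODY)
    print(status, resp.get("Location"))
```

The CSRF check runs before the credential check so that a cross-site POST can neither log the victim in under someone else's account nor probe passwords; the `then` check matters because the value is echoed verbatim into a Location header once the user is authenticated.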

The browser follows the redirect; this GET, now carrying the ssn session cookie, is the request that actually asks for the OAuth token:

{{{
GET /oauth/authorize?client_id=openshift-web-console&response_type=token&state=%2F&redirect_uri=https%3A%2F%2Fopenshift-master1%3A8443%2Fconsole%2Foauth HTTP/1.1
Host: openshift-master1:8443
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Referer: https://openshift-master1:8443/login?then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26response_type%3Dtoken%26state%3D%252F%26redirect_uri%3Dhttps%253A%252F%252Fopenshift-master1%253A8443%252Fconsole%252Foauth
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: csrf=ee01b0d3-6d1f-11e5-bd04-08002733d9bd; ssn=MTQ0NDI0MTk5OXxkREVTUFBVT0dpbnpyc1d5UFlEWU5nVmVPVElsNTYweTA1NDRGb0JBMFVwc0NuMVh3akJlcFZUelJSZWhkLTh3c3VBWmxtdTNPWG9LX1B6VDlmRmtvMHlpalZacTFNS2tCT2lnaWdCSWp3dWItX0twTGpzZjF0MFFCLXM0aUZIbTUyZ3h1SVNBZHhzR3JlUlhzTE5wWXJXVUtTQmFRRkVCZnpESUVqckxHa1B5bU1aeWVvSllvZ2gwWnc9PXwt8MACDlKKjlaJSYQf6eEpH4k3G13YWKTWiAbik50F1A==
}}}

Response, which carries the OAuth token (9JZZJ8A_rEJOWeOWrG-QpvvyWW_0gX1u_0wckh3_nt0) in the fragment of the Location header, together with a refreshed ssn cookie:

{{{
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Location: https://openshift-master1:8443/console/oauth#access_token=9JZZJ8A_rEJOWeOWrG-QpvvyWW_0gX1u_0wckh3_nt0&expires_in=86400&state=/&token_type=bearer
Pragma: no-cache
Set-Cookie: ssn=MTQ0NDI0MTk5OXxfQlRJNi1KYi1TOXVfQnJBQ3pKcGEwNVpVU3ZOTTRGZmpZc0R2WVk5WTNMMGhZa0paLVA0REdUWko0OTUwbE1uM2xJM2ptbHhVVWdsblpDVzdfc0RXN3R5S3AweGQ5MC05UG4tdkJEVXJmYlNSS2lZdzN5b1RhU2pFQXVzQ0dpNW5BPT18KpNW4i1JJEXIWBK0zBHG00cttMZxoBB0SDKJFIyuYpY=; Path=/; Expires=Wed, 07 Oct 2015 19:19:59 UTC; Max-Age=3600; HttpOnly; Secure
Date: Wed, 07 Oct 2015 18:19:59 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
}}}

The browser follows the redirect to the console. Note that the token travels in the URL fragment, which the browser does not send to the server: the GET below has no access_token in it, and the console's client-side code reads the token from the fragment.

{{{
GET /console/oauth HTTP/1.1
Host: openshift-master1:8443
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Referer: https://openshift-master1:8443/login?then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26response_type%3Dtoken%26state%3D%252F%26redirect_uri%3Dhttps%253A%252F%252Fopenshift-master1%253A8443%252Fconsole%252Foauth
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: csrf=ee01b0d3-6d1f-11e5-bd04-08002733d9bd; ssn=MTQ0NDI0MTk5OXxfQlRJNi1KYi1TOXVfQnJBQ3pKcGEwNVpVU3ZOTTRGZmpZc0R2WVk5WTNMMGhZa0paLVA0REdUWko0OTUwbE1uM2xJM2ptbHhVVWdsblpDVzdfc0RXN3R5S3AweGQ5MC05UG4tdkJEVXJmYlNSS2lZdzN5b1RhU2pFQXVzQ0dpNW5BPT18KpNW4i1JJEXIWBK0zBHG00cttMZxoBB0SDKJFIyuYpY=
}}}

Response: authenticated access to the console:

{{{
Cache-Control: public, max-age=0, must-revalidate
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Etag: W/"e51f583_677a6970"
Vary: Accept-Encoding
Date: Wed, 07 Oct 2015 18:19:59 GMT
Content-Length: 886

<!doctype html>
<html class="no-js">
<head>
<meta charset="utf-8">
<base href="/console/">
<title>OpenShift Web Console</title>
...
</html>
}}}