oc
plugin and a web application to login from the console using the web browser.
Logging into OpenShift using an external IDP that requires human interaction (Eg with MFA) makes the oc login
procedure a bit tricky:
You have to login into the web console and then retrieve the access token, requiring another login.
This project is a PoC consisting of:
- an application, running on OpenShift, which is registered as an OAuth client
- an
oc
plugin implementing theoc wlogin
command
- When the user executes the
oc wlogin
command a request to the/login/
URL is performed, the application returns the Authorization URL together with the randomly generated state code. - The
oc-wlogin
plugin asks the user to open the Authorization URL in order to authenticate, in the meantime starts polling the/token/$state_code
- Once the user logs into OpenShift using the browser gets redirected to the app
/callback/
URL, sending the authorization code to the application - The
/callback
endpoint of the application exchanges the authorization code for access token - When the token is retrieved it is exposed on the
/token/$state_code
URL - The
oc-wlogin
plugin can download the token, after the download is removed from the app memory - The
oc-wlogin
plugin performsoc login --token $token
OC_WLOGIN_CLIENT_ID
the OAuth client IDOC_WLOGIN_CLIENT_SECRET
the OAuth client SecretOC_WLOGIN_AUTH_URL
the OAuth server Authorize URLOC_WLOGIN_TOKEN_URL
the OAuth server Token URLOC_WLOGIN_TLS_CERT
path to the TLS certificate used by the AppOC_WLOGIN_TLS_KEY
path to the TLS certificate key used by the AppOC_WLOGIN_CA_BUNDLE
the CA bunle to trusting the OAuth authorize and token URLsOC_WLOGIN_SESSIONS_DIR
path where the web sessions should be savedOAUTHLIB_INSECURE_TRANSPORT
if set do not verify the certificate of the OAuth authorize and token URLs
- Clone this git repo
- Configure the helm templates with proper
Values
- Install the helm chart
helm install oc-wlogin helm/oc-wlogin/ --namespace oc-wlogin --create-namespace
(first configure thevalues.yaml
- Download the
oc-wlogin
plugin from https://raw.githubusercontent.com/pbertera/oc-wlogin/main/oc-plugin/oc-wlogin , save it into thePATH
and make it executable
Now you should have an oc-wlogin
route created into the oc-wlogin
namespace, you can test the app with the browser connecting to the route /login/
URL.
The oc-wlogin
plugin adds a new wlogin
OpenShift CLI command:
$ oc wlogin --help
USAGE: /var/home/pietro/bin/oc-wlogin [options] <API_URL>
Available Options:
-t, --token-issuer='': Token Issuer application URL (required if TOKEN_ISSUER is not defined)
-t, --idp='': The identity provider to be used (optional)
-c, --curl-opts='': curl(1) options to use when invoking the executable, default is '-s'
-p, --poll-time='': Defines the maximum token poll time in seconds (default 30)