diff --git a/_topic_map.yml b/_topic_map.yml
index 3f03f264c8..68506a5a56 100644
--- a/_topic_map.yml
+++ b/_topic_map.yml
@@ -572,6 +572,8 @@ Topics:
 File: configuring-internal-oauth
 - Name: Configuring OAuth clients
 File: configuring-oauth-clients
+- Name: Managing user-owned OAuth access tokens
+ File: managing-oauth-access-tokens
 Distros: openshift-enterprise,openshift-webscale,openshift-origin
 - Name: Understanding identity provider configuration
 File: understanding-identity-provider
diff --git a/authentication/managing-oauth-access-tokens.adoc b/authentication/managing-oauth-access-tokens.adoc
new file mode 100644
index 0000000000..fcdc834872
--- /dev/null
+++ b/authentication/managing-oauth-access-tokens.adoc
@@ -0,0 +1,17 @@
+[id="managing-oauth-access-tokens"]
+= Managing user-owned OAuth access tokens
+include::modules/common-attributes.adoc[]
+:context: managing-oauth-access-tokens
+
+toc::[]
+
+Users can review their own OAuth access tokens and delete any that are no longer needed.
+
+// Listing user-owned OAuth access tokens
+include::modules/oauth-list-tokens.adoc[leveloffset=+1]
+
+// Viewing the details of a user-owned OAuth access token
+include::modules/oauth-view-details-tokens.adoc[leveloffset=+1]
+
+// Deleting user-owned OAuth access tokens
+include::modules/oauth-delete-tokens.adoc[leveloffset=+1]
diff --git a/modules/oauth-delete-tokens.adoc b/modules/oauth-delete-tokens.adoc
new file mode 100644
index 0000000000..89e9c4ca57
--- /dev/null
+++ b/modules/oauth-delete-tokens.adoc
@@ -0,0 +1,25 @@
+// Module included in the following assemblies:
+//
+// * authentication/managing-oauth-access-tokens.adoc
+
+[id="oauth-delete-tokens_{context}"]
+= Deleting user-owned OAuth access tokens
+
+The `oc logout` command only invalidates the OAuth token for the active session. You can use the following procedure to delete any user-owned OAuth tokens that are no longer needed.
+
+Deleting an OAuth access token logs out the user from all sessions that use the token.
+
+.Procedure
+
+* Delete the user-owned OAuth access token:
++
+[source,terminal]
+----
+$ oc delete useroauthaccesstokens
+----
++
+.Example output
+[source,terminal]
+----
+useroauthaccesstoken.oauth.openshift.io "" deleted
+----
diff --git a/modules/oauth-list-tokens.adoc b/modules/oauth-list-tokens.adoc
new file mode 100644
index 0000000000..1248fac5f5
--- /dev/null
+++ b/modules/oauth-list-tokens.adoc
@@ -0,0 +1,40 @@
+// Module included in the following assemblies:
+//
+// * authentication/managing-oauth-access-tokens.adoc
+
+[id="oauth-list-tokens_{context}"]
+= Listing user-owned OAuth access tokens
+
+You can list your user-owned OAuth access tokens. Token names are not sensitive and cannot be used to log in.
+
+.Procedure
+
+* List all user-owned OAuth access tokens:
++
+[source,terminal]
+----
+$ oc get useroauthaccesstokens
+----
++
+.Example output
+[source,terminal]
+----
+NAME CLIENT NAME CREATED EXPIRES REDIRECT URI SCOPES
+ openshift-challenging-client 2021-01-11T19:25:35Z 2021-01-12 19:25:35 +0000 UTC https://oauth-openshift.apps.example.com/oauth/token/implicit user:full
+ openshift-browser-client 2021-01-11T19:27:06Z 2021-01-12 19:27:06 +0000 UTC https://oauth-openshift.apps.example.com/oauth/token/display user:full
+ console 2021-01-11T19:26:29Z 2021-01-12 19:26:29 +0000 UTC https://console-openshift-console.apps.example.com/auth/callback user:full
+----
+
+* List user-owned OAuth access tokens for a particular OAuth client:
++
+[source,terminal]
+----
+$ oc get useroauthaccesstokens --field-selector=clientName="console"
+----
++
+.Example output
+[source,terminal]
+----
+NAME CLIENT NAME CREATED EXPIRES REDIRECT URI SCOPES
+ console 2021-01-11T19:26:29Z 2021-01-12 19:26:29 +0000 UTC https://console-openshift-console.apps.example.com/auth/callback user:full
+----
diff --git a/modules/oauth-view-details-tokens.adoc b/modules/oauth-view-details-tokens.adoc
new file mode 100644
index 0000000000..551d7b355f
--- /dev/null
+++ b/modules/oauth-view-details-tokens.adoc
@@ -0,0 +1,63 @@
+// Module included in the following assemblies:
+//
+// * authentication/managing-oauth-access-tokens.adoc
+
+[id="oauth-view-details-tokens_{context}"]
+= Viewing the details of a user-owned OAuth access token
+
+You can view the details of a user-owned OAuth access token.
+
+.Procedure
+
+* Describe the details of a user-owned OAuth access token:
++
+[source,terminal]
+----
+$ oc describe useroauthaccesstokens
+----
++
+.Example output
+[source,terminal]
+----
+Name: <1>
+Namespace:
+Labels:
+Annotations:
+API Version: oauth.openshift.io/v1
+Authorize Token: sha256~Ksckkug-9Fg_RWn_AUysPoIg-_HqmFI9zUL_CgD8wr8
+Client Name: openshift-browser-client <2>
+Expires In: 86400 <3>
+Inactivity Timeout Seconds: 317 <4>
+Kind: UserOAuthAccessToken
+Metadata:
+ Creation Timestamp: 2021-01-11T19:27:06Z
+ Managed Fields:
+ API Version: oauth.openshift.io/v1
+ Fields Type: FieldsV1
+ fieldsV1:
+ f:authorizeToken:
+ f:clientName:
+ f:expiresIn:
+ f:redirectURI:
+ f:scopes:
+ f:userName:
+ f:userUID:
+ Manager: oauth-server
+ Operation: Update
+ Time: 2021-01-11T19:27:06Z
+ Resource Version: 30535
+ Self Link: /apis/oauth.openshift.io/v1/useroauthaccesstokens/
+ UID: f9d00b67-ab65-489b-8080-e427fa3c6181
+Redirect URI: https://oauth-openshift.apps.example.com/oauth/token/display
+Scopes:
+ user:full <5>
+User Name: <6>
+User UID: 82356ab0-95f9-4fb3-9bc0-10f1d6a6a345
+Events:
+----
+<1> The token name, which is the sha256 hash of the token. Token names are not sensitive and cannot be used to log in.
+<2> The client name, which describes where the token originated from.
+<3> The value in seconds from the creation time before this token expires.
+<4> If there is a token inactivity timeout set for the OAuth server, this is the value in seconds from the creation time before this token can no longer be used.
+<5> The scopes for this token.
+<6> The user name associated with this token.