openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
5c096bee21e46abde4a86fb6d7934c667560b310
openshift-docs/modules/oauth-server-metadata.adoc
Vikram Goyal 6bfa34803e changed -{context} to _{context}
2019-05-13 13:57:48 +10:00

73 lines
3.1 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * authentication/configuring-internal-oauth.adoc
[id="oauth-server-metadata_{context}"]
= OAuth server metadata
Applications running in {product-title} might have to discover information
about the built-in OAuth server. For example, they might have to discover
what the address of the `<namespace_route>` is without manual
configuration. To aid in this, {product-title} implements the IETF
link:https://tools.ietf.org/html/draft-ietf-oauth-discovery-10[OAuth 2.0 Authorization Server Metadata] draft specification.
Thus, any application running inside the cluster can issue a `GET` request
to *_\https://openshift.default.svc/.well-known/oauth-authorization-server_*
to fetch the following information:
----
{
"issuer": "https://<namespace_route>", <1>
"authorization_endpoint": "https://<namespace_route>/oauth/authorize", <2>
"token_endpoint": "https://<namespace_route>/oauth/token", <3>
"scopes_supported": [ <4>
"user:full",
"user:info",
"user:check-access",
"user:list-scoped-projects",
"user:list-projects"
],
"response_types_supported": [ <5>
"code",
"token"
],
"grant_types_supported": [ <6>
"authorization_code",
"implicit"
],
"code_challenge_methods_supported": [ <7>
"plain",
"S256"
]
}
----
<1> The authorization server's issuer identifier, which is a URL that uses the
`https` scheme and has no query or fragment components. This is the location
where `.well-known` link:https://tools.ietf.org/html/rfc5785[RFC 5785] resources
containing information about the authorization server are published.
<2> URL of the authorization server's authorization endpoint. See
link:https://tools.ietf.org/html/rfc6749[RFC 6749].
<3> URL of the authorization server's token endpoint. See
link:https://tools.ietf.org/html/rfc6749[RFC 6749].
<4> JSON array containing a list of the OAuth 2.0
link:https://tools.ietf.org/html/rfc6749[RFC 6749] scope values that this
authorization server supports. Note that not all supported scope values are
advertised.
<5> JSON array containing a list of the OAuth 2.0 `response_type` values that this
authorization server supports. The array values used are the same as those used
with the `response_types` parameter defined by "OAuth 2.0 Dynamic Client
Registration Protocol" in link:https://tools.ietf.org/html/rfc7591[RFC 7591].
<6> JSON array containing a list of the OAuth 2.0 grant type values that this
authorization server supports. The array values used are the same as those used
with the `grant_types` parameter defined by
`OAuth 2.0 Dynamic Client Registration Protocol` in
link:https://tools.ietf.org/html/rfc7591[RFC 7591].
<7> JSON array containing a list of PKCE
link:https://tools.ietf.org/html/rfc7636[RFC 7636] code challenge methods
supported by this authorization server. Code challenge method values are used in
the `code_challenge_method` parameter defined in
link:https://tools.ietf.org/html/rfc7636#section-4.3[Section 4.3 of RFC 7636].
The valid code challenge method values are those registered in the IANA
`PKCE Code Challenge Methods` registry. See
link:http://www.iana.org/assignments/oauth-parameters[IANA OAuth Parameters].
View Git Blame Copy Permalink