origin: Requesting a token returns a redirect containing the access token
I’m trying to request a token for API access using curl. The auth succeeds, I can see the token returned embedded in the Location header, but (a) it’s not easy to pick out, and (b) if I follow the Location Header, the next page is a 500. Could that subsequent page instead nicely return me my token in JSON format or equivalent?
Caveat: I assume that what I’m trying to do is legitimate?
[demo@openshift ~]$ curl -L -D - -u username:password -H 'X-CSRF-Token: 1' 'https://openshift.example.com:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client'
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Location: https://openshift.example.com:8443/oauth/token/display#access_token=gO7z6AVvD67q4SGm-ZevazYPLvLCeZGIqNLGSP_ju_s&expires_in=86400&token_type=bearer
Pragma: no-cache
Set-Cookie: ssn=MTQzODE3ODAzNXxpcGZwZF90Y1BkNzhOOE5OZzFfRjdFcGV0WklSZi1xUFlhTzI0OUNESnRydHJianl5dzR4VmdVN0Jvckxjb2lrOExNSnRVMVV6WG00UnI2QmM5NGxoUkpwODdoSnI4OGc4WWpXZUpaTXZrT1NvWUxoZXNzem1MNGZwTDZGYzFWcG9RPT18Ffz2NhsJ9dOT-MUdW9md4n8NDYnmOGU3VJ3TNbjxiiI=; Path=/; Expires=Wed, 29 Jul 2015 14:53:55 UTC; Max-Age=3600; HttpOnly; Secure
Date: Wed, 29 Jul 2015 13:53:55 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Date: Wed, 29 Jul 2015 13:53:55 GMT
Content-Length: 386
<style>
body { font-family: sans-serif; font-size: 12pt; margin: 2em 5%; background-color: #F9F9F9; }
pre { padding-left: 1em; border-left: .25em solid #eee; }
a { color: #00f; text-decoration: none; }
a:hover { text-decoration: underline; }
</style>
Error handling auth request: Requested parameter not sent
<br><br>
<a href="request">Request another token</a>
[demo@openshift ~]$
About this issue
- State: closed
- Created 9 years ago
- Comments: 18 (12 by maintainers)
By passing the response_type=token parameter, you are requesting an “Implicit Grant” OAuth flow (https://tools.ietf.org/html/rfc6749#section-4.2). This dictates that the access token be returned in the fragment portion of a redirect header. If you request a token this way, you are expected to extract the token from the redirect header fragment yourself. If you follow the redirect, the access token in the fragment is not sent to the server, so it has no way to echo it back to you.
This will extract the token for you from the response header:
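The client-side fragment extraction the maintainer describes, as an added Python example that is not the command from this issue or OpenShift's own code: it parses the `Location` header out of a captured 302 header block (the header block and the `EXAMPLE_TOKEN_VALUE` token below are constructed placeholders, not the real response), and shows why following the redirect fails, since the fragment is dropped before the request reaches the server. The `request_token` helper, the `_NoRedirect` handler and the header names other than those visible in the curl output are assumptions of this example.

```python
"""Extract an OAuth implicit-grant access token from a 302 redirect.

The token travels in the URL fragment of the Location header. Browsers and
curl never send the fragment to the server, so it has to be parsed locally.
"""
import base64
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict

# Constructed sample of the 302 response headers, as `curl -D -` prints them.
# The token is a placeholder, not a real credential.
SAMPLE_302_HEADERS = """HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Location: https://openshift.example.com:8443/oauth/token/display#access_token=EXAMPLE_TOKEN_VALUE&expires_in=86400&token_type=bearer
Pragma: no-cache
Content-Length: 0
"""


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP header block into a dict keyed by lower-cased name.

    The status line is skipped and the first blank line ends the block, so
    only the first response of a `curl -L` transcript is used.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line terminates the header block
        if line.startswith("HTTP/"):
            continue  # status line, not a header
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def token_from_location(location: str) -> Dict[str, str]:
    """Parse the fragment of a redirect URL into its OAuth fields.

    Returns access_token, expires_in and token_type when present. Raises
    ValueError if there is no access_token, which is exactly what you get
    once the redirect has been followed and the fragment discarded.
    """
    fragment = urllib.parse.urlsplit(location).fragment
    fields = {k: v[0] for k, v in urllib.parse.parse_qs(fragment).items()}
    if "access_token" not in fields:
        raise ValueError("no access_token in redirect fragment: %r" % location)
    return fields


def extract_token(raw_headers: str) -> Dict[str, str]:
    """Token fields from a captured header block such as SAMPLE_302_HEADERS."""
    headers = parse_raw_headers(raw_headers)
    if "location" not in headers:
        raise ValueError("response carries no Location header")
    return token_from_location(headers["location"])


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 302 and its Location stay visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urlopen then raises HTTPError carrying the 302 headers


def request_token(authorize_url: str, username: str, password: str) -> Dict[str, str]:
    """Live equivalent of the curl command in the issue (needs network; not run here).

    Sends HTTP Basic credentials plus the X-CSRF-Token header, does not follow
    the redirect, and reads the token out of the 302's Location header.
    """
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        authorize_url,
        headers={"Authorization": "Basic " + creds, "X-CSRF-Token": "1"},
    )
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        opener.open(req)
    except urllib.error.HTTPError as err:
        if err.code != 302:
            raise
        return token_from_location(err.headers["Location"])
    raise ValueError("expected a 302 redirect carrying the token")


if __name__ == "__main__":
    print(extract_token(SAMPLE_302_HEADERS))
```

Calling `request_token` against a real server is the programmatic counterpart of dropping `-L` from the curl command: the 302 is treated as the final answer rather than something to chase, which is what keeps the fragment, and therefore the token, in hand.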