1. Manuals
  2. Tumbleweed
  3. oc
  4. oc-get-token(1)

Scroll to navigation

OC(1) June 2016 OC(1)

NAME

oc get-token - Experimental: Get token from external OIDC issuer as credentials exec plugin

SYNOPSIS

oc get-token [OPTIONS]

DESCRIPTION

Experimental: This command is under development and may change without notice. Built-in Credential Exec plugin of the oc.

It supports Auth Code, Auth Code + PKCE in addition to refresh token. get-token caches the ID token and Refresh token after the auth code flow is successfully completed and once ID token expires, command tries to get the new token by using the refresh token flow. Although it is optional, command also supports getting client secret to behave as an confidential client.

OPTIONS

--auto-open-browser=false
Specify browser is automatically opened or not.

--callback-address="127.0.0.1:0"
Callback address where external OIDC issuer redirects to after flow is completed. Defaults to 127.0.0.1:0 to pick a random port.

--client-id=""
Client ID of the user managed by the external OIDC provider

--client-secret=""
Client Secret of the user managed by the external OIDC provider. Optional.

--extra-scopes=[]
Extra scopes for the auth request to the external OIDC provider. Optional.

--issuer-url=""
Issuer URL of the external OIDC provider

OPTIONS INHERITED FROM PARENT COMMANDS

--as=""
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

--as-group=[]
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

--as-uid=""
UID to impersonate for the operation.

--cache-dir="/home/abuild/.kube/cache"
Default cache directory

--certificate-authority=""
Path to a cert file for the certificate authority

--client-certificate=""
Path to a client certificate file for TLS

--client-key=""
Path to a client key file for TLS

--cluster=""
The name of the kubeconfig cluster to use

--context=""
The name of the kubeconfig context to use

--disable-compression=false
If true, opt-out of response compression for all requests to the server

--insecure-skip-tls-verify=false
If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure

--kubeconfig=""
Path to the kubeconfig file to use for CLI requests.

--match-server-version=false
Require server version to match client version

-n, --namespace=""
If present, the namespace scope for this CLI request

--profile="none"
Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex)

--profile-output="profile.pprof"
Name of the file to write the profile to

--request-timeout="0"
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

-s, --server=""
The address and port of the Kubernetes API server

--tls-server-name=""
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

--token=""
Bearer token for authentication to the API server

--user=""
The name of the kubeconfig user to use

--warnings-as-errors=false
Treat warnings received from the server as errors and exit with a non-zero exit code

EXAMPLE



  # Starts an auth code flow to the issuer url with the client id and the given extra scopes


  oc get-token --client-id=client-id --issuer-url=test.issuer.url --extra-scopes=email,profile


  


  # Starts an authe code flow to the issuer url with a different callback address.


  oc get-token --client-id=client-id --issuer-url=test.issuer.url --callback-address=127.0.0.1:8343

SEE ALSO

oc(1),

HISTORY

June 2016, Ported from the Kubernetes man-doc generator

Openshift CLI User Manuals Openshift