How to generate an OAuth bearer token for Quay without using the Quay UI

Solution In Progress

Environment

  • Red Hat Quay

Issue

  • As part of automation, we would like to generate an OAuth bearer token without having to use the Quay UI.

Resolution

Follow these steps to generate an OAuth bearer token without using the Quay UI:

  • First, retrieve the application client ID, either from the following API endpoint or from the Quay UI (navigate to the organization, click the application tab, select the application from the list and click "OAuth information"):
    GET /api/v1/organization/{orgname}/applications
  • Whitelist the client ID for which you want to generate OAuth tokens directly by updating the config.yaml file, then redeploy Quay with the updated config file.
    For example:
    DIRECT_OAUTH_CLIENTID_WHITELIST: ['DGLHRZ7W7Q6BQR5UOPS7']
  • Send a POST request to the https://quay.example.com/oauth/authorizeapp endpoint with a form-encoded payload consisting of client_id, scope (which indicates the level of permission) and redirect_uri, and supply username:password in a Basic Auth header. The response headers contain a link that includes the OAuth access token.
    For example, a sample payload looks like this:
    # cat oauth.json
    https://quay.example.com/oauth/authorize?response_type=token&client_id=DGLHRZ7W7Q6BQR5UOPS7&scope=org:admin%20repo:admin%20repo:create%20repo:read%20repo:write%20super:user%20user:admin%20user:read&redirect_uri=https:%2F%2Fquay.example.com%2Foauth%2Flocalapp

Sample request and response:

# curl -v -X POST -k -d @oauth.json -H "Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmRoZXJl" -H "Content-Type: application/x-www-form-urlencoded" https://quay.example.com/oauth/authorizeapp

> POST /oauth/authorizeapp HTTP/1.1
> User-Agent: curl/7.29.0
> Host: quay.example.com
> Accept: */*
> Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmRoZXJl
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 306
> 
} [data not shown]
* upload completely sent off: 306 out of 306 bytes
100   306    0     0  100   306      0     79  0:00:03  0:00:03 --:--:--    79
< HTTP/1.1 302 FOUND
< Server: nginx/1.12.1
< Date: Thu, 01 Oct 2020 02:32:29 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Location: https://quay.example.com/oauth/localapp?scope=org%3Aadmin+repo%3Aadmin+repo%3Acreate+repo%3Aread+repo%3Awrite+super%3Auser+user%3Aadmin+user%3Aread#access_token=k6zAe7L7TYm7CdUVw3LZm58hLhFU2lKZtidOWA1n&token_type=Bearer&expires_in=315576000
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=63072000; preload
< 

Note: Replace all references to quay.example.com with your Quay host name.

As the example response above shows, the OAuth bearer token k6zAe7L7TYm7CdUVw3LZm58hLhFU2lKZtidOWA1n is returned in the Location response header.
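
The request and token extraction above as a script, added here as an example and not part of the original solution: it sends only client_id, scope and redirect_uri as the resolution text describes, leaves out -k so the server certificate is verified, and reads the token from the fragment of the Location header. The function names and the QUAY_USER and QUAY_PASS environment variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the Red Hat article). Function names and the
# QUAY_USER / QUAY_PASS environment variables are assumptions.

# Read HTTP response headers on stdin and print one field (default:
# access_token) from the URL fragment of the Location header.
# Exits non-zero when no such field is present. Values are not URL-decoded.
oauth_fragment_field() {
  tr -d '\r' | awk -v want="${1:-access_token}" '
    tolower($1) == "location:" {
      hash = index($2, "#")
      if (!hash) next                      # no fragment, so no token here
      n = split(substr($2, hash + 1), pair, "&")
      for (i = 1; i <= n; i++) {
        eq = index(pair[i], "=")
        if (eq && substr(pair[i], 1, eq - 1) == want) {
          print substr(pair[i], eq + 1)
          found = 1
        }
      }
    }
    END { exit !found }'
}

# POST client_id, scope and redirect_uri to /oauth/authorizeapp, print the token.
# No -k: the server certificate is verified (add --cacert for a private CA).
# No -L: the token is in the 302 Location header, so the redirect is not followed.
quay_oauth_token() {   # usage: quay_oauth_token HOST CLIENT_ID "SCOPE ..."
  curl --silent --show-error --output /dev/null --dump-header - \
    --user "${QUAY_USER:?}:${QUAY_PASS:?}" \
    --data-urlencode "client_id=$2" \
    --data-urlencode "scope=$3" \
    --data-urlencode "redirect_uri=https://$1/oauth/localapp" \
    "https://$1/oauth/authorizeapp" | oauth_fragment_field access_token
}

# Constructed response headers for an offline check (token value is made up).
sample_headers() {
  printf 'HTTP/1.1 302 FOUND\r\nContent-Length: 0\r\n'
  printf 'Location: https://quay.example.com/oauth/localapp?scope=repo%%3Aread'
  printf '#access_token=CONSTRUCTEDTOKEN123&token_type=Bearer&expires_in=315576000\r\n'
  printf 'X-Frame-Options: DENY\r\n\r\n'
}

sample_headers | oauth_fragment_field access_token   # prints CONSTRUCTEDTOKEN123
```

The sample response reports expires_in=315576000 seconds, so the printed token should be stored as a long-lived secret.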

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
