Authentication

Get Dex client credentials

Returns a map of Dex client IDs to their secrets. Use the value for key kubernetes as the client_secret in the next step.

Prerequisite: You must first obtain a Keystone token. See the Keystone Authentication page for details.

Header parameters
x-auth-token · string · Required

Keystone token obtained from /keystone/v3/auth/tokens.

Example: eyJhbGci...your-keystone-token
Responses
200

Map of client ID to client secret.

application/json

Map of Dex client ID to client secret. Each key is a client_id; the corresponding value is its client_secret.

Other properties · string · Optional

GET /resmgr/v2/dexclients

Get a Dex JWT (id_token)

Exchange your username/password and the Dex client_secret (from the previous step) for a short-lived Dex JWT.

The id_token in the response is the Bearer token required for all PCD-K Cluster API calls:

Authorization: Bearer <id_token>

A refresh_token is also returned. Use it with grant_type=refresh_token to renew your id_token without re-entering your password.

Body
grant_type · string · enum · Required

password for initial login; refresh_token to renew using a previously issued refresh token.

Example: password
Possible values: password, refresh_token
client_id · string · Required

Always kubernetes.

Example: kubernetes
client_secret · string · Required

The client_secret for the kubernetes client from /resmgr/v2/dexclients.

Example: your-client-secret
scope · string · Optional

Space-separated OIDC scopes. Use openid offline_access groups email profile to receive a refresh token and group claims.

Example: openid offline_access groups email profile
username · string · Optional

PCD-V / Keystone username (email). Required for password grant.

Example: [email protected]
password · string · Optional

PCD-V / Keystone password. Required for password grant.

Example: your-password
connector_id · string · Optional

Dex connector to authenticate against. Use default for the standard Keystone connector.

Example: default
refresh_token · string · Optional

The refresh token from a previous response. Required for refresh_token grant.

Example: eyJhbGci...your-refresh-token
Responses
200

Token issued. Use id_token as the Authorization: Bearer value on Cluster API calls.

application/json
access_token · string · Optional

OAuth 2.0 access token (not used directly by the Cluster API).

token_type · string · Optional

Type of token, e.g. 'bearer'.

id_token · string · Optional

OIDC ID token (JWT). This is the value to pass as Authorization: Bearer <id_token> on all PCD-K Cluster API requests.

refresh_token · string · Optional

Long-lived refresh token. Store securely and use with grant_type=refresh_token to renew the id_token without re-entering your password. Only returned when offline_access scope is requested.

expires_in · integer · Optional

Lifetime of the id_token in seconds (typically 86399 — ~24 hours).

Example: 86399
POST /dex/token
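
The two calls above chained into one client, with renewal through the refresh_token grant so the password is sent only once. This is an added example, not code from the PCD documentation. BASE_URL, the Session helper, the 60-second renewal margin and the form-encoded request body are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://pcd.example.com"  # assumption: placeholder host, not from the page

def http_send(req):
    """Default transport: perform the request and decode the JSON response."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def get_client_secret(keystone_token, send=http_send):
    """GET /resmgr/v2/dexclients and return the secret stored under 'kubernetes'."""
    req = urllib.request.Request(BASE_URL + "/resmgr/v2/dexclients",
                                 headers={"x-auth-token": keystone_token})
    return send(req)["kubernetes"]

def token_request(client_secret, *, username=None, password=None, refresh_token=None):
    """Build the POST /dex/token request for the password or refresh_token grant."""
    form = {"client_id": "kubernetes", "client_secret": client_secret}
    if refresh_token:
        form.update(grant_type="refresh_token", refresh_token=refresh_token)
    elif username and password:
        form.update(grant_type="password", username=username, password=password,
                    connector_id="default",
                    scope="openid offline_access groups email profile")
    else:
        raise ValueError("need username and password, or a refresh_token")
    # Assumption: form-encoded body, as is usual for OAuth 2.0 token endpoints.
    return urllib.request.Request(BASE_URL + "/dex/token", method="POST",
                                  data=urllib.parse.urlencode(form).encode())

class Session:
    """Holds tokens in memory and renews the id_token shortly before it expires."""
    def __init__(self, client_secret, send=http_send, now=time.time):
        self.secret, self.send, self.now = client_secret, send, now
        self.tokens, self.expires_at = {}, 0.0

    def login(self, **grant):
        resp = self.send(token_request(self.secret, **grant))
        self.tokens.update(resp)  # keep the old refresh_token if none is reissued
        self.expires_at = self.now() + resp.get("expires_in", 0)

    def auth_header(self, skew=60):
        if self.now() >= self.expires_at - skew:  # renew without the password
            self.login(refresh_token=self.tokens["refresh_token"])
        return {"Authorization": "Bearer " + self.tokens["id_token"]}
```

Call login(username=..., password=...) once, then use auth_header() on every Cluster API request. Read the password from a prompt or secret store rather than hard-coding it.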