// getServiceAccountTokens returns all ServiceAccountToken secrets for the given ServiceAccount
func (a *saOAuthClientAdapter) getServiceAccountTokens(sa *kapi.ServiceAccount) ([]string, error) {
allSecrets, err := a.secretClient.Secrets(sa.Namespace).List(kapi.ListOptions{})
if err != nil {
return nil, err
}
tokens := []string{}
for i := range allSecrets.Items {
secret := allSecrets.Items[i]
if serviceaccount.IsServiceAccountToken(&secret, sa) {
tokens = append(tokens, string(secret.Data[kapi.ServiceAccountTokenKey]))
}
}
return tokens, nil
}
// getServiceAccount returns the ServiceAccount referenced by the given secret. If the secret is not
// of type ServiceAccountToken, or if the referenced ServiceAccount does not exist, nil is returned
func (e *TokensController) getServiceAccount(secret *api.Secret, fetchOnCacheMiss bool) (*api.ServiceAccount, error) {
name, _ := serviceAccountNameAndUID(secret)
if len(name) == 0 {
return nil, nil
}
key := &api.ServiceAccount{ObjectMeta: api.ObjectMeta{Namespace: secret.Namespace}}
namespaceAccounts, err := e.serviceAccounts.Index("namespace", key)
if err != nil {
return nil, err
}
for _, obj := range namespaceAccounts {
serviceAccount := obj.(*api.ServiceAccount)
if serviceaccount.IsServiceAccountToken(secret, serviceAccount) {
return serviceAccount, nil
}
}
if fetchOnCacheMiss {
serviceAccount, err := e.client.ServiceAccounts(secret.Namespace).Get(name)
if apierrors.IsNotFound(err) {
return nil, nil
}
if err != nil {
return nil, err
}
if serviceaccount.IsServiceAccountToken(secret, serviceAccount) {
return serviceAccount, nil
}
}
return nil, nil
}
// listTokenSecrets returns a list of all of the ServiceAccountToken secrets that
// reference the given service account's name and uid
func (e *TokensController) listTokenSecrets(serviceAccount *api.ServiceAccount) ([]*api.Secret, error) {
namespaceSecrets, err := e.secrets.ByIndex("namespace", serviceAccount.Namespace)
if err != nil {
return nil, err
}
items := []*api.Secret{}
for _, obj := range namespaceSecrets {
secret := obj.(*api.Secret)
if serviceaccount.IsServiceAccountToken(secret, serviceAccount) {
items = append(items, secret)
}
}
return items, nil
}
// getServiceAccountTokens returns all ServiceAccountToken secrets for the given ServiceAccount
func (s *serviceAccount) getServiceAccountTokens(serviceAccount *api.ServiceAccount) ([]*api.Secret, error) {
key := &api.Secret{ObjectMeta: api.ObjectMeta{Namespace: serviceAccount.Namespace}}
index, err := s.secrets.Index("namespace", key)
if err != nil {
return nil, err
}
tokens := []*api.Secret{}
for _, obj := range index {
token := obj.(*api.Secret)
if serviceaccount.IsServiceAccountToken(token, serviceAccount) {
tokens = append(tokens, token)
}
}
return tokens, nil
}
// config returns a complete clientConfig for constructing clients. This is separate in anticipation of composition
// which means that not all clientsets are known here
func (b SAControllerClientBuilder) Config(name string) (*restclient.Config, error) {
clientConfig := restclient.AnonymousClientConfig(b.ClientConfig)
// we need the SA UID to find a matching SA token
sa, err := b.CoreClient.ServiceAccounts(b.Namespace).Get(name, metav1.GetOptions{})
if err != nil && !apierrors.IsNotFound(err) {
return nil, err
} else if apierrors.IsNotFound(err) {
// check to see if the namespace exists. If it isn't a NotFound, just try to create the SA.
// It'll probably fail, but perhaps that will have a better message.
if _, err := b.CoreClient.Namespaces().Get(b.Namespace, metav1.GetOptions{}); apierrors.IsNotFound(err) {
_, err = b.CoreClient.Namespaces().Create(&v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: b.Namespace}})
if err != nil && !apierrors.IsAlreadyExists(err) {
return nil, err
}
}
sa, err = b.CoreClient.ServiceAccounts(b.Namespace).Create(
&v1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Namespace: b.Namespace, Name: name}})
if err != nil {
return nil, err
}
}
lw := &cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
options.FieldSelector = fields.SelectorFromSet(map[string]string{api.SecretTypeField: string(v1.SecretTypeServiceAccountToken)}).String()
return b.CoreClient.Secrets(b.Namespace).List(options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
options.FieldSelector = fields.SelectorFromSet(map[string]string{api.SecretTypeField: string(v1.SecretTypeServiceAccountToken)}).String()
return b.CoreClient.Secrets(b.Namespace).Watch(options)
},
}
_, err = cache.ListWatchUntil(30*time.Second, lw,
func(event watch.Event) (bool, error) {
switch event.Type {
case watch.Deleted:
return false, nil
case watch.Error:
return false, fmt.Errorf("error watching")
case watch.Added, watch.Modified:
secret := event.Object.(*v1.Secret)
if !serviceaccount.IsServiceAccountToken(secret, sa) ||
len(secret.Data[v1.ServiceAccountTokenKey]) == 0 {
return false, nil
}
// TODO maybe verify the token is valid
clientConfig.BearerToken = string(secret.Data[v1.ServiceAccountTokenKey])
restclient.AddUserAgent(clientConfig, apiserverserviceaccount.MakeUsername(b.Namespace, name))
return true, nil
default:
return false, fmt.Errorf("unexpected event type: %v", event.Type)
}
})
if err != nil {
return nil, fmt.Errorf("unable to get token for service account: %v", err)
}
return clientConfig, nil
}
func TestSAAsOAuthClient(t *testing.T) {
testutil.RequireEtcd(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
authorizationCodes := make(chan string, 1)
authorizationErrors := make(chan string, 1)
oauthServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
t.Logf("fake pod server got %v", req.URL)
if code := req.URL.Query().Get("code"); len(code) > 0 {
authorizationCodes <- code
}
if err := req.URL.Query().Get("error"); len(err) > 0 {
authorizationErrors <- err
}
}))
defer oauthServer.Close()
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectName := "hammer-project"
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projectName, "harold"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testserver.WaitForServiceAccounts(clusterAdminKubeClient, projectName, []string{"default"}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// get the SA ready with redirect URIs and secret annotations
var defaultSA *kapi.ServiceAccount
// retry this a couple times. We seem to be flaking on update conflicts and missing secrets all together
err = kclient.RetryOnConflict(kclient.DefaultRetry, func() error {
defaultSA, err = clusterAdminKubeClient.ServiceAccounts(projectName).Get("default")
if err != nil {
return err
}
if defaultSA.Annotations == nil {
defaultSA.Annotations = map[string]string{}
}
defaultSA.Annotations[saoauth.OAuthRedirectURISecretAnnotationPrefix+"one"] = oauthServer.URL
defaultSA.Annotations[saoauth.OAuthWantChallengesAnnotationPrefix] = "true"
defaultSA, err = clusterAdminKubeClient.ServiceAccounts(projectName).Update(defaultSA)
return err
})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
var oauthSecret *kapi.Secret
// retry this a couple times. We seem to be flaking on update conflicts and missing secrets all together
err = wait.PollImmediate(30*time.Millisecond, 10*time.Second, func() (done bool, err error) {
allSecrets, err := clusterAdminKubeClient.Secrets(projectName).List(kapi.ListOptions{})
if err != nil {
return false, err
}
for i := range allSecrets.Items {
secret := allSecrets.Items[i]
if serviceaccount.IsServiceAccountToken(&secret, defaultSA) {
oauthSecret = &secret
return true, nil
}
}
return false, nil
})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
oauthClientConfig := &osincli.ClientConfig{
ClientId: serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),
ClientSecret: string(oauthSecret.Data[kapi.ServiceAccountTokenKey]),
AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",
TokenUrl: clusterAdminClientConfig.Host + "/oauth/token",
RedirectUrl: oauthServer.URL,
Scope: scope.Join([]string{"user:info", "role:edit:" + projectName}),
SendClientSecretInParams: true,
}
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, true)
clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)
oauthClientConfig = &osincli.ClientConfig{
ClientId: serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),
ClientSecret: string(oauthSecret.Data[kapi.ServiceAccountTokenKey]),
AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",
TokenUrl: clusterAdminClientConfig.Host + "/oauth/token",
RedirectUrl: oauthServer.URL,
Scope: scope.Join([]string{"user:info", "role:edit:other-ns"}),
SendClientSecretInParams: true,
}
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, false, false)
clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)
oauthClientConfig = &osincli.ClientConfig{
ClientId: serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),
ClientSecret: string(oauthSecret.Data[kapi.ServiceAccountTokenKey]),
AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",
TokenUrl: clusterAdminClientConfig.Host + "/oauth/token",
RedirectUrl: oauthServer.URL,
Scope: scope.Join([]string{"user:info"}),
SendClientSecretInParams: true,
}
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, authorizationCodes, authorizationErrors, true, false)
clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)
}
func TestSAAsOAuthClient(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
authorizationCodes := make(chan string, 1)
authorizationErrors := make(chan string, 1)
oauthServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
t.Logf("fake pod server got %v", req.URL)
if code := req.URL.Query().Get("code"); len(code) > 0 {
authorizationCodes <- code
}
if err := req.URL.Query().Get("error"); len(err) > 0 {
authorizationErrors <- err
}
}))
defer oauthServer.Close()
redirectURL := oauthServer.URL + "/oauthcallback"
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectName := "hammer-project"
if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projectName, "harold"); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testserver.WaitForServiceAccounts(clusterAdminKubeClient, projectName, []string{"default"}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
promptingClient, err := clusterAdminClient.OAuthClients().Create(&oauthapi.OAuthClient{
ObjectMeta: kapi.ObjectMeta{Name: "prompting-client"},
Secret: "prompting-client-secret",
RedirectURIs: []string{redirectURL},
GrantMethod: oauthapi.GrantHandlerPrompt,
RespondWithChallenges: true,
})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// get the SA ready with redirect URIs and secret annotations
var defaultSA *kapi.ServiceAccount
// retry this a couple times. We seem to be flaking on update conflicts and missing secrets all together
err = kclient.RetryOnConflict(kclient.DefaultRetry, func() error {
defaultSA, err = clusterAdminKubeClient.ServiceAccounts(projectName).Get("default")
if err != nil {
return err
}
if defaultSA.Annotations == nil {
defaultSA.Annotations = map[string]string{}
}
defaultSA.Annotations[saoauth.OAuthRedirectURISecretAnnotationPrefix+"one"] = redirectURL
defaultSA.Annotations[saoauth.OAuthWantChallengesAnnotationPrefix] = "true"
defaultSA, err = clusterAdminKubeClient.ServiceAccounts(projectName).Update(defaultSA)
return err
})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
var oauthSecret *kapi.Secret
// retry this a couple times. We seem to be flaking on update conflicts and missing secrets all together
err = wait.PollImmediate(30*time.Millisecond, 10*time.Second, func() (done bool, err error) {
allSecrets, err := clusterAdminKubeClient.Secrets(projectName).List(kapi.ListOptions{})
if err != nil {
return false, err
}
for i := range allSecrets.Items {
secret := allSecrets.Items[i]
if serviceaccount.IsServiceAccountToken(&secret, defaultSA) {
oauthSecret = &secret
return true, nil
}
}
return false, nil
})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Test with a normal OAuth client
{
oauthClientConfig := &osincli.ClientConfig{
ClientId: promptingClient.Name,
ClientSecret: promptingClient.Secret,
AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",
TokenUrl: clusterAdminClientConfig.Host + "/oauth/token",
RedirectUrl: redirectURL,
SendClientSecretInParams: true,
}
t.Log("Testing unrestricted scope")
oauthClientConfig.Scope = ""
// approval steps are needed for unscoped access
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, true, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauth/approve",
"form",
"POST /oauth/approve",
"redirect to /oauth/authorize",
"redirect to /oauthcallback",
"code",
"scope:user:full",
})
// verify the persisted client authorization looks like we expect
if clientAuth, err := clusterAdminClient.OAuthClientAuthorizations().Get("harold:" + oauthClientConfig.ClientId); err != nil {
t.Fatalf("Unexpected error: %v", err)
} else if !reflect.DeepEqual(clientAuth.Scopes, []string{"user:full"}) {
t.Fatalf("Unexpected scopes: %v", clientAuth.Scopes)
} else {
// update the authorization to not contain any approved scopes
clientAuth.Scopes = nil
if _, err := clusterAdminClient.OAuthClientAuthorizations().Update(clientAuth); err != nil {
t.Fatalf("Unexpected error: %v", err)
}
}
// approval steps are needed again for unscoped access
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, true, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauth/approve",
"form",
"POST /oauth/approve",
"redirect to /oauth/authorize",
"redirect to /oauthcallback",
"code",
"scope:user:full",
})
// with the authorization stored, approval steps are skipped
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, true, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauthcallback",
"code",
"scope:user:full",
})
// Approval step is needed again
t.Log("Testing restricted scope")
oauthClientConfig.Scope = "user:info user:check-access"
// filter to disapprove of granting the user:check-access scope
deniedScope := false
inputFilter := func(inputType, name, value string) bool {
if inputType == "checkbox" && name == "scope" && value == "user:check-access" {
deniedScope = true
return false
}
return true
}
// our token only gets the approved one
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, inputFilter, authorizationCodes, authorizationErrors, true, false, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauth/approve",
"form",
"POST /oauth/approve",
"redirect to /oauth/authorize",
"redirect to /oauthcallback",
"code",
"scope:user:info",
})
if !deniedScope {
t.Errorf("Expected form filter to deny user:info scope")
}
// second time, we approve all, and our token gets all requested scopes
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, false, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauth/approve",
"form",
"POST /oauth/approve",
"redirect to /oauth/authorize",
"redirect to /oauthcallback",
"code",
"scope:" + oauthClientConfig.Scope,
})
// third time, the approval steps is not needed, and the token gets all requested scopes
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, false, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauthcallback",
"code",
"scope:" + oauthClientConfig.Scope,
})
// Now request an unscoped token again, and no approval should be needed
t.Log("Testing unrestricted scope")
oauthClientConfig.Scope = ""
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, true, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauthcallback",
"code",
"scope:user:full",
})
clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)
}
{
oauthClientConfig := &osincli.ClientConfig{
ClientId: serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),
ClientSecret: string(oauthSecret.Data[kapi.ServiceAccountTokenKey]),
AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",
TokenUrl: clusterAdminClientConfig.Host + "/oauth/token",
RedirectUrl: redirectURL,
Scope: scope.Join([]string{"user:info", "role:edit:" + projectName}),
SendClientSecretInParams: true,
}
t.Log("Testing allowed scopes")
// First time, the approval steps are needed
// Second time, the approval steps are skipped
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, true, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauth/approve",
"form",
"POST /oauth/approve",
"redirect to /oauth/authorize",
"redirect to /oauthcallback",
"code",
"scope:" + oauthClientConfig.Scope,
})
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, true, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauthcallback",
"code",
"scope:" + oauthClientConfig.Scope,
})
clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)
}
{
oauthClientConfig := &osincli.ClientConfig{
ClientId: serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),
ClientSecret: string(oauthSecret.Data[kapi.ServiceAccountTokenKey]),
AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",
TokenUrl: clusterAdminClientConfig.Host + "/oauth/token",
RedirectUrl: redirectURL,
Scope: scope.Join([]string{"user:info", "role:edit:other-ns"}),
SendClientSecretInParams: true,
}
t.Log("Testing disallowed scopes")
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, false, false, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauthcallback",
"error:access_denied",
})
clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)
}
{
t.Log("Testing invalid scopes")
oauthClientConfig := &osincli.ClientConfig{
ClientId: serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),
ClientSecret: string(oauthSecret.Data[kapi.ServiceAccountTokenKey]),
AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",
TokenUrl: clusterAdminClientConfig.Host + "/oauth/token",
RedirectUrl: redirectURL,
Scope: scope.Join([]string{"unknown-scope"}),
SendClientSecretInParams: true,
}
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, false, false, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauthcallback",
"error:invalid_scope",
})
clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)
}
{
t.Log("Testing allowed scopes with failed API call")
oauthClientConfig := &osincli.ClientConfig{
ClientId: serviceaccount.MakeUsername(defaultSA.Namespace, defaultSA.Name),
ClientSecret: string(oauthSecret.Data[kapi.ServiceAccountTokenKey]),
AuthorizeUrl: clusterAdminClientConfig.Host + "/oauth/authorize",
TokenUrl: clusterAdminClientConfig.Host + "/oauth/token",
RedirectUrl: redirectURL,
Scope: scope.Join([]string{"user:info"}),
SendClientSecretInParams: true,
}
// First time, the approval is needed
// Second time, the approval is skipped
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, false, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauth/approve",
"form",
"POST /oauth/approve",
"redirect to /oauth/authorize",
"redirect to /oauthcallback",
"code",
"scope:" + oauthClientConfig.Scope,
})
runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, false, []string{
"GET /oauth/authorize",
"received challenge",
"GET /oauth/authorize",
"redirect to /oauthcallback",
"code",
"scope:" + oauthClientConfig.Scope,
})
clusterAdminClient.OAuthClientAuthorizations().Delete("harold:" + oauthClientConfig.ClientId)
}
}
