Bug 1308843
| Summary: | [DOCS][platformmanagment_public_612]Better to remind user in documentation to grant third-party access to organization info when using GithubIdentityProvider | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OKD | Reporter: | Xingxing Xia <xxia> | ||||
| Component: | Documentation | Assignee: | Alex Dellapenta <adellape> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Xingxing Xia <xxia> | ||||
| Severity: | low | Docs Contact: | Vikram Goyal <vigoyal> | ||||
| Priority: | low | ||||||
| Version: | 3.x | CC: | aos-bugs, mmccomas | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2021-08-04 22:05:11 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
The reason is found: step 5.1, the first time of login with the new github account, I just clicked "Authorize application" button, but omitted "Grant access" button. Thus later login with that account always fails as the attachment shows. But the shown error message "An authentication error occurred" is too simple. Could the message be more instructive? Because it takes some time (a bit painful) to find the reason is "Grant access" button omitted. Customer may be disappointed if he/she omits the button too at the first time of login. Unfortunately, if an organization has not granted access, there is no way to detect that from the GitHub API (it just doesn't appear in the user's list of organizations). In the server logs, we do log the user's organization membership if they don't appear to be a member of the configured organization, which could be helpful in debugging. I'd like to keep this open and convert it to a documentation bug, and we can call out the requirement specifically in the documentation. According to GitHub, OAuth applications owned by the organization should automatically have access to the org info. In your tests, were you using an OAuth application owned by the organization you were using? I would expect that to be common, which should lessen the impact of this. I also added a note to the GitHub IDP documentation in https://github.com/openshift/openshift-docs/pull/1600 Good to convert to a documentation bug. It is true applications owned by the organization have access to the org info. This would lessen the impact. While in my test, it was not that case. Thank you. Code works well. Can login successfully with github accounts of the organizations specified in master config. So, according to comment 3 and https://github.com/openshift/openshift-docs/pull/1600, convert this bug to a documentation bug. This was resolved via https://github.com/openshift/openshift-docs/pull/1600. |
Created attachment 1127548 [details] Later login would fail If the "Grant access" button is omitted at first time of login