+++ This bug was initially created as a clone of Bug #1434983 +++
+++ This bug was initially created as a clone of Bug #1421629 +++
Description of problem:
The error message "The requested URL /oauth/approve was not found on this server" is returned when accessing the Jenkins application created from the default template "jenkins-persistent".
Version-Release number of selected component (if applicable):
OpenShift Master: v3.4.1.2
Kubernetes Master: v1.4.0+776c994
How reproducible:
Always
Steps to Reproduce:
1. Configure server with RequestHeaderIdentityProvider
2. Create a Jenkins application using the default template "jenkins-persistent" ("OAuth OpenShift integration" is enabled);
3. After all the pods are running, check whether Jenkins can be accessed.
Actual results:
3. After clicking "Login with Openshift", the error message "The requested URL /oauth/approve was not found on this server" is returned.
The cluster is using RequestHeaderIdentityProvider:
...
identityProviders:
- challenge: false
  provider:
    headers:
    - Remote-User
    kind: RequestHeaderIdentityProvider
    nameHeaders:
    - Remote-User-Name
    loginURL: https://auth-proxy.example.com/mod_auth_mellon/?${query}
    apiVersion: v1
    clientCA: /etc/origin/master/ca.crt
  mappingMethod: lookup
  login: true
  name: myidp
...
--- Additional comment from Jordan Liggitt on 2017-02-14 12:45:18 EST ---
Currently, two URLs are accessed during the OAuth flow that require authentication information:
$master/oauth/authorize
$master/oauth/approve
When using a RequestHeaderIdentityProvider, all authentication information must come from the auth proxy.
loginURL is used to specify the URL that proxies to $master/oauth/authorize
There is no option to configure the URL that proxies to $master/oauth/approve (this was an oversight). When approval is needed during an OAuth flow, a redirect to /oauth/approve is done.
Temporary workaround:
1. Change the auth proxy to proxy https://auth-proxy.example.com/oauth/* to $master/oauth/*
2. Change the origin config to
loginURL: https://auth-proxy.example.com/oauth/authorize?${query}
This "fixes" the issue by making the auth proxy paths match the /oauth/* paths on the API server, and makes the auth proxy proxy both /oauth/authorize and /oauth/approve
Long term, we have a couple options:
1. Add another config option to specify the approve proxy path, and make the proxy explicitly set up a proxy rule for /oauth/approve
2. Move /oauth/approve under /oauth/authorize/approve and depend on the loginURL proxy path proxying subpaths as well
--- Additional comment from Jordan Liggitt on 2017-02-14 13:03:57 EST ---
See https://github.com/openshift/request-header-saml-service-provider/pull/7 for changes to the SAML pod to support the temporary workaround
--- Additional comment from Jordan Liggitt on 2017-02-14 14:46:28 EST ---
Verified: with the changes in https://github.com/openshift/request-header-saml-service-provider/pull/7 we can run grant approval through the auth proxy.
--- Additional comment from Troy Dawson on 2017-02-16 17:29:31 EST ---
Should be fixed in openshift3/saml-service-provider:1.0-5 which is available in testing areas.
--- Additional comment from Jordan Liggitt on 2017-02-16 17:36:14 EST ---
The following config changes are needed when deploying that version:
For the SAML pod, instead of:
  OSE_API_PUBLIC_URL=https://api.example.com/oauth/authorize
set
  PROXY_PATH=/oauth/
  PROXY_DESTINATION=https://api.example.com/oauth/
For the API server, change the master-config.yaml loginURL to:
  loginURL: https://auth-proxy.example.com/oauth/authorize?${query}
--- Additional comment from Jordan Liggitt on 2017-04-04 14:36:42 EDT ---
The workaround for this issue is to make the auth proxy paths match the API server paths for these paths:
These are the paths that require proxying currently:
https://api.acme.com/oauth/authorize (and subpaths)
https://api.acme.com/oauth/approve
The auth proxy paths would be:
https://auth.acme.com/oauth/authorize (and subpaths)
https://auth.acme.com/oauth/approve
The master-config.yaml would be:
...
oauthConfig:
  identityProviders:
  - name: ...
    login: true
    ...
    provider:
      apiVersion: v1
      kind: RequestHeaderIdentityProvider
      loginURL: "https://auth.acme.com/oauth/authorize?${query}"
    ...
https://github.com/openshift/origin/pull/13569 will move the approval flow to /oauth/authorize/approve so there is a single root that auth proxies need to proxy.
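An added example, not code from the bug report, from openshift/origin or from the request-header-saml-service-provider pod: a small Python model of the path proxying described in the temporary workaround and in the path list above, so a master-config.yaml loginURL and an auth-proxy rule set can be checked for the /oauth/approve gap before deploying. It parses a constructed httpd ProxyPass fragment into longest-prefix rules, follows the loginURL to the API server, then follows the approval redirect the way a browser sitting on the proxy host would. The ProxyPass form of the rules, the hostnames, and the treatment of the approval redirect as a path-only redirect resolved against the proxy host are assumptions of this example.

```python
"""Model of the OAuth path-proxying gap behind the /oauth/approve 404.

Added example, not from the bug report or the SAML pod. Assumptions (mine):
the auth proxy is Apache httpd with ProxyPass-style longest-prefix rules, and the
approval redirect is a path-only redirect the browser resolves on the proxy host.
"""
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs; hostnames follow the examples in the comments above.
API = "https://api.example.com"

# Original layout: only the mellon path is proxied, and it lands on /oauth/authorize.
BROKEN_LOGIN_URL = "https://auth-proxy.example.com/mod_auth_mellon/?${query}"
BROKEN_PROXY_CONF = """
ProxyPass        /mod_auth_mellon/ https://api.example.com/oauth/authorize
"""

# Workaround layout: proxy paths mirror the API server's /oauth/* paths.
FIXED_LOGIN_URL = "https://auth-proxy.example.com/oauth/authorize?${query}"
FIXED_PROXY_CONF = """
# hypothetical httpd fragment standing in for PROXY_PATH / PROXY_DESTINATION
ProxyPass        /oauth/ https://api.example.com/oauth/
ProxyPassReverse /oauth/ https://api.example.com/oauth/
"""

# API-server paths that need the proxy's auth headers during the OAuth flow.
API_AUTHORIZE = "/oauth/authorize"
API_APPROVE = "/oauth/approve"


def parse_proxypass(conf_text):
    """Collect ProxyPass rules as {proxy path prefix: upstream URL prefix}."""
    rules = {}
    for line in conf_text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 3 and parts[0] == "ProxyPass":
            rules[parts[1]] = parts[2]
    return rules


def forward(rules, proxy_path):
    """Return the upstream URL a request for proxy_path is forwarded to, or None
    when no rule matches (the proxy then serves its own 404 page)."""
    best = None
    for prefix, upstream in rules.items():
        if proxy_path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, upstream)
    if best is None:
        return None
    prefix, upstream = best
    return upstream + proxy_path[len(prefix):]


def audit(login_url, conf_text, api_base=API):
    """Check that both authenticated steps of the flow reach the API server via the proxy."""
    rules = parse_proxypass(conf_text)
    # Step 1: the browser is sent to loginURL (query dropped); it must land on /oauth/authorize.
    login_path = urlsplit(login_url.replace("${query}", "")).path
    # Step 2: the approval redirect, resolved on the proxy host, must land on /oauth/approve.
    return {
        "authorize": forward(rules, login_path) == api_base + API_AUTHORIZE,
        "approve": forward(rules, API_APPROVE) == api_base + API_APPROVE,
    }


if __name__ == "__main__":
    for label, url, conf in (("broken", BROKEN_LOGIN_URL, BROKEN_PROXY_CONF),
                             ("fixed", FIXED_LOGIN_URL, FIXED_PROXY_CONF)):
        print(label, audit(url, conf))
```

With the original layout the audit reports the authorize step as reachable and the approve step as a proxy 404, which is exactly the symptom in the description; with the /oauth/ prefix rule both steps pass, and because the rule is prefix-based it also covers subpaths such as the /oauth/authorize/approve location that PR 13569 moves the approval flow to.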