Bug 1491193

Summary: Error getting when request token from web console
Product: OpenShift Container Platform
Reporter: Chuan Yu <chuyu>
Component: apiserver-auth
Assignee: Simo Sorce <ssorce>
Status: CLOSED ERRATA
QA Contact: Chuan Yu <chuyu>
Severity: high
Priority: high
Version: 3.7.0
CC: aos-bugs, mkhan
Keywords: Regression
Target Release: 3.7.0
Hardware: All
OS: All
Doc Type: Bug Fix
Doc Text:
Cause: The secret for the private browser OAuth client was not correctly initialized.
Consequence: The request token endpoint did not work.
Fix: Correctly initialize the browser OAuth client on server start.
Result: The request endpoint can be used to request tokens.
Last Closed: 2017-11-28 22:10:32 UTC
Type: Bug

Description Chuan Yu 2017-09-13 09:31:47 UTC
Description of problem:
Getting an error when requesting a token from the web console

Version-Release number of selected component (if applicable):
openshift v3.7.0-0.125.0
kubernetes v1.7.0+695f48a16f
etcd 3.2.1

How reproducible:
always

Steps to Reproduce:
1. Request token from web console:

  https://master_url:8443/oauth/token/request

  input the username/password

Actual results:
Error getting token: The client is not authorized to request a token using this method

Expected results:
Token requested successfully.

Additional info:
Sep 13 08:36:17 qe-37-saml-master-etcd-1 atomic-openshift-master-api[25190]: logging error output: "\n<style>\n\tbody     { font-family: sans-serif; font-size: 14px; margin: 2em 2%; background-color: #F9F9F9; }\n\th2       { font-size: 1.4em;}\n\th3       { font-size: 1em; margin: 1.5em 0 0; }\n\tcode,pre { font-family: Menlo, Monaco, Consolas, monospace; }\n\tcode     { font-weight: 300; font-size: 1.5em; margin-bottom: 1em; display: inline-block;  color: #646464;  }\n\tpre      { padding-left: 1em; border-radius: 5px; color: #003d6e; background-color: #EAEDF0; padding: 1.5em 0 1.5em 4.5em; white-space: normal; text-indent: -2em; }\n\ta        { color: #00f; text-decoration: none; }\n\ta:hover  { text-decoration: underline; }\n\t@media (min-width: 768px) {\n\t\t.nowrap { white-space: nowrap; }\n\t}\n</style>\n\n"
Sep 13 08:36:17 qe-37-saml-master-etcd-1 atomic-openshift-master-api[25190]: logging error output: "\n  "
Sep 13 08:36:17 qe-37-saml-master-etcd-1 atomic-openshift-master-api[25190]: logging error output: "Error getting token: The client is not authorized to request a token using this method."
Sep 13 08:36:17 qe-37-saml-master-etcd-1 atomic-openshift-master-api[25190]: logging error output: "\n"
Sep 13 08:36:17 qe-37-saml-master-etcd-1 atomic-openshift-master-api[25190]: logging error output: "\n\n<br><br>\n<a href=\""
Sep 13 08:36:17 qe-37-saml-master-etcd-1 atomic-openshift-master-api[25190]: logging error output: "request"
Sep 13 08:36:17 qe-37-saml-master-etcd-1 atomic-openshift-master-api[25190]: logging error output: "\">Request another token</a>\n"
Sep 13 08:36:17 qe-37-saml-master-etcd-1 atomic-openshift-master-api[25190]: [[Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0] 66.187.233.202:47060]
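
The journal excerpt above logs one rendered error page as several "logging error output" fragments, so the actual message is easy to miss between the markup. The following is an added example, not part of the original report or of OpenShift: it joins the fragments per host and PID and strips the markup. The sample is constructed from the excerpt (shortened style block, documentation IP address), and treating the next non-fragment line from the same process as the request trailer is an assumption.

```python
import json
import re

# Constructed sample modelled on the excerpt in the description: the <style>
# fragment is shortened and the client address is a documentation IP.
P = 'Sep 13 08:36:17 qe-37-saml-master-etcd-1 atomic-openshift-master-api[25190]: '
PREFIX = 'logging error output: '
FRAGMENTS = [
    r'"\n<style>\n\tbody { font-family: sans-serif; }\n</style>\n\n"',
    r'"\n  "',
    r'"Error getting token: The client is not authorized to request a token using this method."',
    r'"\n"',
    r'"\n\n<br><br>\n<a href=\""',
    r'"request"',
    r'"\">Request another token</a>\n"',
]
SAMPLE = '\n'.join([P + PREFIX + f for f in FRAGMENTS] +
                   [P + '[[Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Firefox/55.0] 192.0.2.10:47060]'])

LINE = re.compile(r'^\w{3} +\d+ [\d:]{8} (?P<host>\S+) [\w.-]+\[(?P<pid>\d+)\]: (?P<msg>.*)$')

def reassemble(journal_text):
    """Join 'logging error output' fragments per (host, pid) into readable events."""
    events, pending = [], {}

    def flush(key, trailer=None):
        html = ''.join(pending.pop(key))
        # Drop the inline stylesheet first, then any remaining tags.
        text = re.sub(r'(?s)<style.*?</style>|<[^>]+>', ' ', html)
        events.append({'host': key[0], 'pid': key[1],
                       'text': ' '.join(text.split()), 'request': trailer})

    for line in journal_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, msg = (m['host'], m['pid']), m['msg']
        if msg.startswith(PREFIX):
            quoted = msg[len(PREFIX):]
            try:
                part = json.loads(quoted)  # fragments are quoted, escaped strings
            except ValueError:
                part = None
            pending.setdefault(key, []).append(part if isinstance(part, str) else quoted)
        elif key in pending:
            flush(key, msg)  # assumption: next non-fragment line closes the body
    for key in list(pending):
        flush(key)  # body still open at end of input
    return events

if __name__ == '__main__':
    print(reassemble(SAMPLE))
```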

Comment 2 Mo 2017-09-13 12:47:18 UTC
The fix is already merged in 3.7 master.

Comment 3 Chuan Yu 2017-09-14 01:07:50 UTC
Verified, the token could be requested successfully from web console.
# openshift version
openshift v3.7.0-0.126.1
kubernetes v1.7.0+80709908fd
etcd 3.2.1

Comment 7 errata-xmlrpc 2017-11-28 22:10:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188