Bug 1493903

Summary: [hNhBstvg] accessTokenMaxAgeSeconds in oauthclient not override the master default
Product: OpenShift Container Platform Reporter: Chuan Yu <chuyu>
Component: apiserver-authAssignee: Jordan Liggitt <jliggitt>
Status: CLOSED ERRATA QA Contact: Chuan Yu <chuyu>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.7.0CC: aos-bugs, jliggitt, jrosenta, mkhan, ssorce, xtian, yinzhou
Target Milestone: ---   
Target Release: 3.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-28 22:12:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chuan Yu 2017-09-21 07:11:39 UTC 
Description of problem:
Configured accessTokenMaxAgeSeconds in oauthclient, but it not override the default value in master-config.yaml

Version-Release number of selected component (if applicable):
# openshift version
openshift v3.7.0-0.126.6
kubernetes v1.7.0+80709908fd
etcd 3.2.1

How reproducible:
always

Steps to Reproduce:
1.Make sure the accessTokenMaxAgeSeconds field configured in the oauthclient openshift-browser-client
# oc edit oauthclients openshift-browser-client

configured accessTokenMaxAgeSeconds to 0 or any other integer number
2.Try to request a token with the oauthclient openshift-browser-client from web console
3.Check the token expiration time
# oc get oauthaccesstoken

Actual results:
The accesstoken expires time still the master default configuration

Expected results:
The accessTokenMaxAgeSeconds field configured in the oauthclient should override the master default configuration

Additional info:
When configured accessTokenMaxAgeSeconds to 0 for openshift-browser-client,

# oc get oauthaccesstoken
NAME                                          USER NAME   CLIENT NAME                CREATED                         EXPIRES                         REDIRECT URI                                                                                       SCOPES
h4K_FkJANGmKtb4kLeTLMcjIylBD-lxSdGeB5OTRdbg   chuyu       openshift-browser-client   2017-09-21 02:38:22 -0400 EDT   2017-09-22 02:38:22 -0400 EDT   https://<master_url>:8443/oauth/token/display   user:full
Comment 1 Mo 2017-09-21 13:50:15 UTC 
The version of OpenShift you are running does not have this change, it is only in the latest master.
Comment 2 Chuan Yu 2017-09-22 04:27:27 UTC 
With the latest build v3.7.0-0.127.0, the issue still exist.
Comment 3 Jordan Liggitt 2017-09-22 14:36:34 UTC 
Looks like the code flow (used by /oauth/token/request) assigns expiration times via a different path. Implicit flows (used by CLI) assign the expiration as expected.

Will fix and add a test case
Comment 4 Jordan Liggitt 2017-09-23 05:44:43 UTC 
Fixed in https://github.com/openshift/origin/pull/16520
Comment 6 zhou ying 2017-09-28 06:48:53 UTC 
Verified with the latest OCP , the issue has fixed:
openshift version
openshift v3.7.0-0.131.0
kubernetes v1.7.0+80709908fd
etcd 3.2.1

oc get oauthclients openshift-browser-client -o yaml 
accessTokenMaxAgeSeconds: 600
apiVersion: v1
grantMethod: auto
kind: OAuthClient
metadata:
  creationTimestamp: 2017-09-28T05:58:31Z
  name: openshift-browser-client
  resourceVersion: "6236"
  selfLink: /oapi/v1/oauthclients/openshift-browser-client
  uid: 0e7938db-a412-11e7-8658-fa163e17f4a6
redirectURIs:
- https://xxxxx:8443/oauth/token/display
secret: 5131e8de-a3f1-49da-af26-6993599ce66e


[root@host-8-241-76 ~]# oc get oauthaccesstoken |grep ge
y06OiQ91U2wRL2LUmWbQzgE1l3y-WMfyeB1Kc4XHsS4   geliu       openshift-browser-client       2017-09-28 02:45:43 -0400 EDT   2017-09-28 02:55:43 -0400 EDT   https://xxxxx:8443/oauth/token/display    user:full
Comment 10 errata-xmlrpc 2017-11-28 22:12:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
Comment 11 knewcomer 2019-05-18 21:06:36 UTC 
*** Bug 1461011 has been marked as a duplicate of this bug. ***