Bug 1576574

Summary: Successful web console login redirects back to login page
Product: OpenShift Container Platform Reporter: Robert Bost <rbost>
Component: Management ConsoleAssignee: Samuel Padgett <spadgett>
Status: CLOSED NOTABUG QA Contact: Yadan Pei <yapei>
Severity: high Docs Contact:
Priority: high    
Version: 3.7.0CC: aos-bugs, jliggitt, jokerman, mmccomas, rbost, yapei
Target Milestone: ---   
Target Release: 3.7.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-11 17:05:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Bost 2018-05-09 19:49:53 UTC 
Description of problem:

Customer experiencing issue with logging into web console:

- Navigate to web console. Login form is displayed.
- User submits login form. POST request to /login.
- Redirected to /oauth/authorize

/oauth/authorize?client_id=openshift-web-console&response_type=code&state=eyJ0aGVuIjoiLyIsIm5vbmNlIj
oiMTUyNTg4MDI0NjcyMS0xNjUzODQ1NTEwMzM4NTQzNjgzMzMzNDM2OTU5MDA0MDQyNTAzNjY1MTY5MTQxMTQ2OTIyMzQyNDU2OTUxMTE2NzA5NzE1MTA0NjU3OTczNyJ9
&redirect_uri=https%3A%2F%2Fopenshift-master.example.com%2Fconsole%2Foauth

** Should redirect to /console/oauth which displays the actual console page where user wants to be.
- However, the /oauth/authorize response redirects to /login again, hence why you see the login page. 
- Here is the 302 response's Location header from /oauth/authorize:

/login?then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26response_type%3Dcode%26state%3DeyJ0aGVuIjoiLyIsIm5vbmNlIjoiMTUyNTg4MDI0NjcyMS0xNjUzODQ1NTEwMzM4NTQzNjgzMzMzNDM2OTU5MDA0MDQyNTAzNjY1MTY5MTQxMTQ2OTIyMzQyNDU2OTUxMTE2NzA5NzE1MTA0NjU3OTczNyJ9%26redirect_uri%3Dhttps%253A%252F%252Fopenshift-master.example.com%252Fconsole%252Foauth"


Version-Release number of selected component (if applicable): atomic-openshift-3.7.44-1.git.0.6b061d4.el7.x86_64 

How reproducible: 
Issue is intermittent for customer which leads me to believe master-configs are not consistent. Attaching for the record. 


Steps to Reproduce:
1. Unable to reproduce locally.

Actual results:
Redirected back to /login page


Expected results:
Redirect to /console showing projects, etc.
Comment 2 Yadan Pei 2018-05-10 07:08:07 UTC 
Setup a v3.7.44 cluster with 3 masters, 4 nodes and 1 LB on AWS.

1. Access LB URL address
redirect to https://<elb>/login?then=%2Foauth%2Fauthorize%3Fclient_id%3Dopenshift-web-console%26response_type%3Dcode%26state%3DeyJ0aGVuIjoiLyIsIm5vbmNlIjoiMTUyNTkzNTAwNDg2Ni0xOTIwMDI1ODc3MjIxNDc4ODU4MDM3NTY2MzgzNzcxMDU5NDY1MTQ1MjU5NjgyMjUwOTE3OTIxNDU2MzU4MjA2OTAzOTY5MzI2MzQzMDUifQ%26redirect_uri%3Dhttps%253A%252F%252F<elb>%252Fconsole%252Foauth
2. Set username and password
goto 
https://<elb>/console/oauth?code=MQaUZZWSnmB3EKgBGPymEtgdIkyEn0bZ99eW2_Ad0AY&state=eyJ0aGVuIjoiLyIsIm5vbmNlIjoiMTUyNTkzNTAwNDg2Ni0xOTIwMDI1ODc3MjIxNDc4ODU4MDM3NTY2MzgzNzcxMDU5NDY1MTQ1MjU5NjgyMjUwOTE3OTIxNDU2MzU4MjA2OTAzOTY5MzI2MzQzMDUifQ and authorize code returned
3. Login successfully and didn't redirect to login page again

didn't reproduce the issue locally too.
Comment 4 Robert Bost 2018-05-11 17:05:13 UTC 
Issue appears to have been due to mismatching /etc/origin/master/session-secrets.yaml on one of the maters.