Bug 1671604

Summary: `oc login` should prompt messages for how to generate a token with challenge=false for identity provider
Product: OpenShift Container Platform Reporter: Chuan Yu <chuyu>
Component: apiserver-authAssignee: Venkata Siva Teja Areti <vareti>
Status: CLOSED ERRATA QA Contact: scheng
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.1.0CC: aos-bugs, erich, mfojtik, nagrawal, scheng, slaznick, sttts
Target Milestone: ---   
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: the bootstrap user introduced in OpenShift 4.1 internally made CLI login flow always available Consequence: the message about how to retrieve authentication token, which was there in 3.x OpenShift versions, no longer appeared for users that tried to log in from CLI in cases where only web-browser flows were configured Fix: do not configure bootstrap user IdP when it is disabled by the user Result: after the bootstrap IdP gets disabled by following the steps from the official documentation, the message about how to retrieve login token in web-login-only scenarios gets displayed once again
 Story Points: ---
Clone Of:
: 1781083 (view as bug list) Environment:
Last Closed: 2020-05-04 11:12:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1781083    

Description Chuan Yu 2019-02-01 03:25:18 UTC 
Description of problem:
Configured challenge=false for identity provider, when run `oc login` should prompt how to generate a token but not prompt input user/password

Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE     STATUS
version   4.0.0-0.nightly-2019-01-30-174704   True        False         19h       Cluster version is 4.0.0-0.nightly-2019-01-30-174704

How reproducible:
always

Steps to Reproduce:
1.Configured challenge=false for Google identity provider
2.run `oc login --server=***` from cli
3.

Actual results:
There prompt to input user/password

Expected results:
Should prompt how to generate a token

Additional info:
Comment 1 Mo 2019-02-03 23:34:07 UTC 
(Sorry Gabe, did not mean to tag you on this)
Comment 2 Mo 2019-02-03 23:47:56 UTC 
Fixing this will require:

1. Address https://github.com/openshift/origin/blob/f4b9f88b0cda4dde61e1d7fa9b0b3baed03868fc/pkg/oauthserver/authenticator/password/bootstrap/bootstrap.go#L91-L96
2. Probably some finesse in the operator to track the permanently disabled state so it knows to restart the deplyoment
3. Maybe some special handling for kube:admin in https://github.com/openshift/origin/blob/610ba8d1797daeefc4d6baad0e0d56c836d39c0c/pkg/oauthserver/authenticator/challenger/placeholderchallenger/placeholder_challenger.go#L20-L33 (we can likely live without this if we go with the assumption that kube:admin will generally be disabled in production clusters)
Comment 3 Mo 2019-04-05 13:58:15 UTC 
It will be terrible UX but we can live without this in 4.1
Comment 12 errata-xmlrpc 2020-05-04 11:12:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581