Bug 1727983
Summary: | Challenge based CLI auth is not enabled for keycloak IDP | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Justin Pierce <jupierce> | |
Component: | apiserver-auth | Assignee: | Standa Laznicka <slaznick> | |
Status: | CLOSED ERRATA | QA Contact: | pmali | |
Severity: | medium | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 4.1.z | CC: | ahoffer, ani.p, aos-bugs, jfiala, mfojtik, nagrawal, scheng, sttts, wgordon, xxia | |
Target Milestone: | --- | |||
Target Release: | 4.5.0 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: |
Cause:
The cluster authentication operator was always disabling challenge authentication flows for any OIDC identity provider.
Consequence:
Even though an OIDC identity provider is capable of handling direct password logins and thus CLI login with `oc` would be possible, this was not honored.
Fix:
When OIDC identity provider is configured, the authentication operator checks whether it allows for Resource Owner Password Credentials grant and allows challenge-based login if it does.
Result:
It is now possible to use CLI when trying to log in to OIDC identity providers that allow the Resource Owner Password Credentials authorization grant.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1745533 (view as bug list) | Environment: | ||
Last Closed: | 2020-07-13 17:11:03 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1745533 | |||
Bug Blocks: |
Description
Justin Pierce
2019-07-08 17:49:35 UTC
*** Bug 1745533 has been marked as a duplicate of this bug. *** Justin, if you could possibly help me test the PR that is referenced in thiz BZ so that we make sure it works for you, that'd be awesome. Standa - if we can get an image with the fix in it, the DPCR team should be able to install it on a staging starter cluster. Brad Williams is the team lead. *** Bug 1833206 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409 |