Bug 1833206

Summary: There is not way to get token after successful login to OCP 4.3 integrated with Redhat SSO
Product: OpenShift Container Platform Reporter: Ani <ani.p>
Component: oauth-apiserverAssignee: Stefan Schimanski <sttts>
Status: CLOSED DUPLICATE QA Contact: Xingxing Xia <xxia>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.3.0CC: aos-bugs, mfojtik, slaznick
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-13 07:25:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ani 2020-05-08 04:50:18 UTC 
Description of problem:

OCP 3.11
What we have is OCP 3.11 integrated with RedHat SSO for authenticating OCP users.
What we did is we have created OCP users for our automation script and web application with in RedHat SSO (These users have roles to create and delete resources like project,group,role,role-binding,user etc.).
From our java web application and automation script we call OpenShift Rest API to authenticate  OCP users (created for java web application and automation script in redhat SSO). On successful authentication OpenShift Rest API  return token in response, and we make use of this token when we have to make subsequent call to other OpenShift Rest API (create, delete OCP resources like project, group, roles, role-binding, users).


OCP 4.3 
What we have is OCP 4.3 integrated with same (as used for OCP 3.11) RedHat SSO for authenticating OCP users.
We have same OCP users for our automation script and web application with in RedHat SSO.
Since there is a change in OpenShit authentication Rest API so we don't know which api to be used and how to get the token from OpenShit 4.3 once our openshift user (created for automation script and web application in RedHat SSO)  is authenticated successfully from our java web application and automation script so that from within our web application and automation script we can make subsequent call to other OpenShift Rest API and perform create, delete OCP resources like project, group, roles, role-binding, users.

NOTE  
  1> We have to perform operations like create, delete on OpenShift resources like project, roles, group, role-binding, user etc from with in our java web application and automation scrip using OpenShift Rest API end point.
  2> OCP user used for this, is there in RedHat SSO and OCP 4.3 is integrated with Redhat SSO for authentication

Version-Release number of selected component (if applicable): OCP 4.3


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Standa Laznicka 2020-05-12 11:27:26 UTC 
Please fill in the steps to reproduce so that I can understand what's not working for you.
Comment 2 Ani 2020-05-12 15:13:33 UTC 
Steps to Reproduce:
1. Integrate OCP 4.3 with RedHat SSO and create a user with in RHSSO.
2. Using CURL authenticate above user using OCP 4.3 authentication REST API end point.
3. Once authenticated, get the token for above user, using REST API end point (don't know which REST API to be used )
4. Validate whether token obtain above, works when try to create any OCP resource like project/role-binding using CURL with specific OCP 4.3 REST API end point
required for creating those resources.

Actual results:
Don't know how to get token and not sure if that token work when subsequent call is made to OCP 4.3 REST API endpoint to create OCP resources.

Expected results:
There must be a REST API end point to get token after successful authentication and this token work when subsequent call is made to OCP 4.3 REST API endpoint to create OCP resources.

Additional info:

In real above steps happen inside our web application, since web application is not accessible to reproduce this, so I suggested to user CURL command.
Comment 3 Standa Laznicka 2020-05-13 07:25:27 UTC 
I am going to assume what you're asking for is "I want to be able to use my RHSSO, configured as an OIDC identity provider, to authenticate to OpenShift by using basic-auth, which worked for me in 3.11 as I was able to set configuration field 'challenge' to 'true', but I can't use this in 4.3 as OIDC identity provider does not allow challenge flows" and I will close this as a duplicate of another BZ that deals with exactly this problem.

*** This bug has been marked as a duplicate of bug 1727983 ***