Bug 1868324

Summary: [MSTR-1019] oc logout fails to invalidate the token since the request deletes token value instead of oauthaccesstoken name
Product: OpenShift Container Platform Reporter: Xingxing Xia <xxia>
Component: ocAssignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA QA Contact: pmali
Severity: medium Docs Contact:
Priority: medium    
Version: 4.6CC: aos-bugs, jokerman, maszulik, mfojtik, scheng
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 16:28:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1870667    

Description Xingxing Xia 2020-08-12 10:22:44 UTC
Description of problem:
oc logout fails to invalidate the token since the request deletes token value instead of oauthaccesstoken name

Version-Release number of selected component (if applicable):
4.6.0-0.nightly-2020-08-12-003456

How reproducible:
Always

Steps to Reproduce:
1. oc login -u testuser-40 -p <password>
oc whoami -t
sha256~m0fmhX15JljiPLUbwbOvYtSg4sIR6TGZv_...

2. User cluster-admin to check oauthaccesstoken:
oc get oauthaccesstoken --context admin
NAME                                          USER NAME     CLIENT NAME                    CREATED                EXPIRES REDIRECT URI                                                                                  SCOPES
sha256~ejjC2dHfQHEjE-QcjwIif7lUwi4f-X4Z-...   testuser-40   openshift-challenging-client   2020-08-12T03:53:54Z   2020-08-13 03:53:54 +0000 UTC   https://oauth-openshift.apps..../oauth/token/implicit   user:full

3. oc logout
Logged "testuser-40" out on "https://api....:6443"

But checking ` oc whoami --token "sha256~m0fmhX15JljiPLUbwbOvYtSg4sIR6TGZv_..." ` again, still shows testuser-40.
Checking `oc get oauthaccesstoken --context admin` again, `sha256~ejjC2dHfQHEjE-QcjwIif7lUwi4f-X4Z-...` still exists.

Checking oc logout --v 6, found the reason is, oc logout deletes token value instead of oauthaccesstoken name in the request:
...
DELETE https://api....:6443/apis/oauth.openshift.io/v1/oauthaccesstokens/sha256~m0fmhX15JljiPLUbwbOvYtSg4sIR6TGZv_... 404 Not Found in 53 milliseconds
I0812 12:32:09.331192    6311 logout.go:127] oauthaccesstokens.oauth.openshift.io "sha256~m0fmhX15JljiPLUbwbOvYtSg4sIR6TGZv_..." not found
...

Actual results:
3. oc logout didn't make the token deleted.

Expected results:
3. Should delete successfully. After `oc logout`, `oc whoami --token "sha256~m0fmhX15JljiPLUbwbOvYtSg4sIR6TGZv_..."` should show "error: You must be logged in to the server (Unauthorized)"

Additional info:

Comment 1 scheng 2020-08-17 08:25:25 UTC
https://github.com/openshift/oc/pull/521

Comment 4 Xingxing Xia 2020-08-21 03:12:54 UTC
Verified in:
$ oc version --client
Client Version: 4.6.0-0.nightly-2020-08-21-011653

Comment 6 errata-xmlrpc 2020-10-27 16:28:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196