Bug 2020625

Summary: [AUTH-52] User fails to login from web console with keycloak OpenID IDP after enabling the group membership sync feature
Product: OpenShift Container Platform
Reporter: liyao
Component: apiserver-auth
Assignee: Standa Laznicka <slaznick>
Status: CLOSED ERRATA
QA Contact: Xingxing Xia <xxia>
Severity: high
Docs Contact:
Priority: high
Version: 4.10
CC: aos-bugs, mfojtik, surbania
Target Milestone: ---
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-10 16:25:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description liyao 2021-11-05 12:40:24 UTC
Description of problem:
User fails to login from web console with keycloak OpenID IDP after enabling the group membership sync feature

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2021-11-03-181048

How reproducible:
Always

Steps to Reproduce:
1. Follow https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-41149 Setup section to setup keycloak server
2. In keycloak server, add group called mygroup and put the user to be used to login into this group
3. In keycloak server, choose myclient, add new Mapper called groupmapper, set Mapper Type as "Group Membership" and Token Claim Name with "groups"
4. Run the first 4 test steps of OCP-41149 to configure oauth with the keycloak server, but add groups as below in step 3
oc edit oauth cluster
...
spec:
  identityProviders:
  ...
  - mappingMethod: claim
    name: keycloak-oidc
    openID:
      ca:
        name: keycloak-oidc-ca
      claims:
        groups:
        - groups
        email:
        - email
        name:
        - name
      clientID: myclient
      clientSecret:
        name: keycloak-oidc-secret
      extraScopes: []
      issuer: $KEYCLOAK_HOST/auth/realms/master
    type: OpenID

5. login with the user added into the group from web console

Actual results:
Login in step 5 fails with "An authentication error occurred." Though `oc get user` shows the user is created, `oc get group` shows nothing.

Expected results:
Login in step5 should be successful

Additional info:
The id_token extracted shows:
  "groups": [
    "/group1"
  ],
But checking the oauth-openshift pod logs with logLevel TraceAll shows ProviderGroups:[]string{"", "/group1"}, as below:
I1105 09:37:40.634591       1 request.go:1181] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Group.user.openshift.io \"\" is invalid: metadata.name: Required value: name or generateName is required","reason":"Invalid","details":{"group":"user.openshift.io","kind":"Group","causes":[{"reason":"FieldValueRequired","message":"Required value: name or generateName is required","field":"metadata.name"}]},"code":422}
I1105 09:37:40.634869       1 handler.go:199] Error creating or updating mapping for: &api.DefaultUserIdentityInfo{ProviderName:"keycloak-oidc", ProviderUserName:"b64:eHhpYTphdHRyMS92YWx1ZQ", ProviderGroups:[]string{"", "/group1"}, Extra:map[string]string{"name":"li yao"}} due to Group.user.openshift.io "" is invalid: metadata.name: Required value: name or generateName is required
E1105 09:37:40.634890       1 errorpage.go:28] AuthenticationError: Group.user.openshift.io "" is invalid: metadata.name: Required value: name or generateName is required

Comment 1 Sergiusz Urbaniak 2021-11-08 16:09:45 UTC
reviewed-in-sprint: not enough capacity to work on this bugzilla.

Comment 5 Sergiusz Urbaniak 2021-11-26 07:25:27 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 6 Xingxing Xia 2021-11-26 13:19:36 UTC
Tested in 4.10.0-0.nightly-2021-11-26-060537 with keycloak with the original steps, still got "An authentication error occurred", now the oauth-openshift pod logs show:
2021-11-26T13:05:25.203806648Z E1126 13:05:25.203748       1 errorpage.go:28] AuthenticationError: Group.user.openshift.io "/group1" is invalid: metadata.name: Invalid value: "/group1": may not contain '/'
This corresponds to the bug's Description part:
> Additional info:
> The id_token extracted shows:
>  "groups": [
>    "/group1"
>  ],

The fix needs to handle this.

Comment 7 Standa Laznicka 2021-11-26 13:21:14 UTC
That is actually correct, '/' is not usually allowed for kube resource names

Comment 8 Xingxing Xia 2021-11-26 13:41:50 UTC
Thanks for the tip about the on/off switch for the group full path. Now that it is turned off, the id_token does not include '/' in 'groups', user login succeeds, and oc get group shows the synced group info:
$ oc get group
NAME       USERS
group1     xxia
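
The following is an added example, not code from OpenShift, Keycloak, or anyone on this bug, that ties the "groups" claim shown in the Description to the name rule Standa points out in comment 7 and the working configuration in comment 8. It extracts the groups claim from a (constructed, unsigned) id_token payload and runs each value through a pre-flight check before any Group object would be created. The function names, the sample payloads, and the name rules are assumptions: the checks are modelled on the Kubernetes path-segment name validation that matches the two error messages in the logs (empty name rejected as "name or generateName is required", names containing '/' rejected as "may not contain '/'"), and are not copied from the OpenShift source.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// groupsFromIDTokenPayload decodes the payload segment of an id_token (the
// part between the two dots of a JWT) and returns the string array stored
// under claimName, e.g. the "groups" claim configured in the Keycloak Group
// Membership mapper. Signature verification is deliberately out of scope; this
// only mirrors the "id_token extracted shows" step from the bug description.
func groupsFromIDTokenPayload(payloadB64 string, claimName string) ([]string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(payloadB64)
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	v, ok := claims[claimName]
	if !ok {
		return nil, fmt.Errorf("claim %q not present in id_token", claimName)
	}
	var groups []string
	if err := json.Unmarshal(v, &groups); err != nil {
		return nil, fmt.Errorf("claim %q is not a string array: %w", claimName, err)
	}
	return groups, nil
}

// validateGroupName applies the name rules that produced the errors in this
// bug. Assumed here, modelled on Kubernetes path-segment name validation.
func validateGroupName(name string) error {
	switch {
	case name == "":
		return errors.New("metadata.name: Required value: name or generateName is required")
	case name == "." || name == "..":
		return fmt.Errorf("metadata.name: Invalid value: %q: may not be '.' or '..'", name)
	case strings.Contains(name, "/"):
		return fmt.Errorf("metadata.name: Invalid value: %q: may not contain '/'", name)
	case strings.Contains(name, "%"):
		return fmt.Errorf("metadata.name: Invalid value: %q: may not contain '%%'", name)
	}
	return nil
}

// preflightGroups splits a groups claim into names that can become Group
// objects and names the API server would reject (value -> reason). Running it
// before group sync turns the opaque "An authentication error occurred" into a
// list that points straight at the mapper setting.
func preflightGroups(groups []string) (valid []string, rejected map[string]string) {
	rejected = map[string]string{}
	for _, g := range groups {
		if err := validateGroupName(g); err != nil {
			rejected[g] = err.Error()
			continue
		}
		valid = append(valid, g)
	}
	return valid, rejected
}

// encodePayload builds a base64url JWT payload from claims; used only to
// construct the sample tokens below.
func encodePayload(claims map[string]interface{}) string {
	b, _ := json.Marshal(claims)
	return base64.RawURLEncoding.EncodeToString(b)
}

func main() {
	// Constructed sample: mapper with "Full group path" on, as in the Description.
	fullPath := encodePayload(map[string]interface{}{"sub": "xxia", "groups": []string{"/group1"}})
	// Constructed sample: "Full group path" off, as in comment 8.
	plain := encodePayload(map[string]interface{}{"sub": "xxia", "groups": []string{"group1"}})

	for _, p := range []string{fullPath, plain} {
		groups, err := groupsFromIDTokenPayload(p, "groups")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		valid, rejected := preflightGroups(groups)
		fmt.Printf("claim %v -> creatable %v, rejected %v\n", groups, valid, rejected)
	}

	// The ProviderGroups slice from the TraceAll log, fed in directly.
	valid, rejected := preflightGroups([]string{"", "/group1"})
	fmt.Printf("log slice -> creatable %v, rejected %v\n", valid, rejected)
}
```

With the full-path mapper the only value, "/group1", lands in the rejected set with the same '/' reason seen in comment 6; with the path prefix off, "group1" passes and matches the `oc get group` output above.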

Comment 11 errata-xmlrpc 2022-03-10 16:25:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056