Bug 2020625
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [AUTH-52] User fails to login from web console with keycloak OpenID IDP after enable group membership sync feature | | |
| Product | OpenShift Container Platform | Reporter | liyao |
| Component | apiserver-auth | Assignee | Standa Laznicka <slaznick> |
| Status | CLOSED ERRATA | QA Contact | Xingxing Xia <xxia> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 4.10 | CC | aos-bugs, mfojtik, surbania |
| Target Milestone | --- | | |
| Target Release | 4.10.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2022-03-10 16:25:33 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
liyao
2021-11-05 12:40:24 UTC
reviewed-in-sprint: not enough capacity to work on this bugzilla. I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Tested in 4.10.0-0.nightly-2021-11-26-060537 with keycloak with the original steps, still got "An authentication error occurred", now the oauth-openshift pod logs show:

```
2021-11-26T13:05:25.203806648Z E1126 13:05:25.203748 1 errorpage.go:28] AuthenticationError: Group.user.openshift.io "/group1" is invalid: metadata.name: Invalid value: "/group1": may not contain '/'
```

This corresponds to the bug's Description part:
> Additional info:
> The id_token extracted shows:
> "groups": [
> "/group1"
> ],
The fix needs to handle this.
That is actually correct, '/' is not usually allowed for kube resource names

Thx for the tips about the on-off of the group full path. Now turned it off, the id_token does not include '/' in 'groups', user login can succeed, oc get group synced the group info:

```
$ oc get group
NAME     USERS
group1   xxia
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056
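The failure in this bug is easy to catch before enabling group membership sync: decode the id_token the IdP returns and run every entry of its `groups` claim through the same name rules the API server applies. The check below is an added example written for this page, not code from the bug, from oauth-openshift or from Keycloak. It assumes that the rules oauth-openshift applies to `Group` names are those of `ValidatePathSegmentName` in `k8s.io/apimachinery` (the "may not contain '/'" message in the log above is the one that function produces), that the claim is named `groups` as in the bug's id_token, and it uses constructed, unsigned sample tokens so it runs offline; in practice you would feed it a real id_token whose signature the OIDC client has already verified.

```python
import base64
import json
from typing import Dict, List

# Rules of k8s.io/apimachinery's ValidatePathSegmentName, which emit the
# "may not contain '/'" message seen in the oauth-openshift log.
# Assumption: oauth-openshift applies exactly these rules to Group names.
NAME_MAY_NOT_BE = (".", "..")
NAME_MAY_NOT_CONTAIN = ("/", "%")


def validate_path_segment_name(name: str) -> List[str]:
    """Return every problem with `name` as a Kubernetes path-segment name."""
    problems: List[str] = []
    if name in NAME_MAY_NOT_BE:
        problems.append(f"may not be '{name}'")
    for char in NAME_MAY_NOT_CONTAIN:
        if char in name:
            problems.append(f"may not contain '{char}'")
    return problems


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(id_token: str) -> dict:
    """Decode the claims of a compact JWT. No signature check is done here:
    this is a claim inspection on a token the OIDC client already verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_groups_claim(id_token: str, claim: str = "groups") -> Dict[str, List[str]]:
    """Map each group name in the token's groups claim to the validation errors
    the API server would raise for it. An empty dict means sync would succeed."""
    groups = jwt_payload(id_token).get(claim, [])
    if not isinstance(groups, list):
        raise ValueError(f"claim {claim!r} is not a list")
    bad: Dict[str, List[str]] = {}
    for group in groups:
        errs = validate_path_segment_name(group)
        if errs:
            bad[group] = errs
    return bad


def make_unsigned_demo_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline demonstration only."""
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: with Keycloak's "Full group path" mapper option on, the
# claim carries the full path; with it off, only the group name.
TOKEN_FULL_PATH_ON = make_unsigned_demo_token(
    {"sub": "xxia", "groups": ["/group1", "/parent/child"]})
TOKEN_FULL_PATH_OFF = make_unsigned_demo_token(
    {"sub": "xxia", "groups": ["group1", "child"]})

if __name__ == "__main__":
    for label, tok in (("full path on", TOKEN_FULL_PATH_ON),
                       ("full path off", TOKEN_FULL_PATH_OFF)):
        print(label, "->", check_groups_claim(tok) or "all group names valid")
```

Run against the first sample it reports `/group1` and `/parent/child` with "may not contain '/'", matching the error in the pod log; against the second it reports nothing, which is the state the reporter reached after turning the full-path option off. The `%` rule and the `.`/`..` rule are there because the same validator rejects those too, so a group named that way at the IdP would fail sync for a reason the bug's symptom does not show.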