Bug 2052095

Summary: Infinite OAuth redirect loop post-upgrade to 4.10.0-rc.1
Product: OpenShift Container Platform
Reporter: brad.williams
Component: Management Console
Assignee: Jon Jackson <jonjacks>
Status: CLOSED ERRATA
QA Contact: Yadan Pei <yapei>
Severity: urgent
Priority: unspecified
Version: 4.10
CC: aos-bugs, jhadvig, spadgett, wking, yanpzhan
Target Release: 4.11.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2022-08-10 10:48:33 UTC
Type: Bug
Bug Blocks: 2052644

Description brad.williams 2022-02-08 17:11:24 UTC
Description of problem:
We upgraded our cluster to 4.10.0-rc.1 this morning. Post-upgrade, folks have complained about getting stuck in an infinite redirect loop and being unable to log into the cluster.

Version-Release number of selected component (if applicable):
4.10.0-rc.1

How reproducible:
Unknown

Steps to Reproduce:
1. Cluster was initially running 4.9.19
2. Log in to the web console and leave the connection open
3. Initiate an upgrade to 4.10.0-rc.1
4. Post-upgrade, return to the web console, log out
5. Attempt to log in

Actual results:
User keeps getting redirected back to the IDP Provider login screen

Expected results:
User should be able to log in to the web console

Comment 2 Yanping Zhang 2022-02-09 08:45:05 UTC
Could reproduce this issue.
Steps to reproduce:
1. Launch a 4.9.19 cluster. Log in to the web console, keep the console page open.
2. Upgrade to 4.10.0-rc.1.
[root@MiWiFi-R1CM ~]# oc get clusterversions.config.openshift.io version 
NAME      VERSION       AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-rc.1   True        False         2m16s   Cluster version is 4.10.0-rc.1

3. Go back to the console page, log out, and try to log in again; could not log in successfully, the page always redirects in an auth loop (URL is <console>/error?error=invalid_state&error_type=auth).
Check console pod logs:
[root@MiWiFi-R1CM ~]# oc logs console-6dcc484766-llklk -n openshift-console
W0209 07:47:29.207445       1 main.go:212] Flag inactivity-timeout is set to less then 300 seconds and will be ignored!
I0209 07:47:29.207860       1 main.go:342] cookies are secure!
E0209 07:47:34.452054       1 auth.go:232] error contacting auth provider (retrying in 10s): Get "https://kubernetes.default.svc/.well-known/oauth-authorization-server": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
I0209 07:47:44.479196       1 main.go:766] Binding to [::]:8443...
I0209 07:47:44.479226       1 main.go:768] using TLS
E0209 08:06:38.639592       1 auth.go:377] state in url does not match State cookie
E0209 08:08:29.246487       1 auth.go:377] state in url does not match State cookie
E0209 08:09:33.499223       1 auth.go:377] state in url does not match State cookie
E0209 08:11:09.797095       1 auth.go:377] state in url does not match State cookie
E0209 08:11:21.765905       1 auth.go:377] state in url does not match State cookie
E0209 08:11:32.214733       1 auth.go:377] state in url does not match State cookie
E0209 08:11:42.850703       1 auth.go:377] state in url does not match State cookie
E0209 08:11:53.525761       1 auth.go:377] state in url does not match State cookie
E0209 08:12:05.074924       1 auth.go:377] state in url does not match State cookie
E0209 08:12:17.508334       1 auth.go:377] state in url does not match State cookie
E0209 08:12:28.424593       1 auth.go:377] state in url does not match State cookie
E0209 08:12:40.598219       1 auth.go:377] state in url does not match State cookie
E0209 08:12:51.919708       1 auth.go:377] state in url does not match State cookie
E0209 08:13:03.526585       1 auth.go:377] state in url does not match State cookie
E0209 08:13:15.056684       1 auth.go:377] state in url does not match State cookie
E0209 08:13:26.318823       1 auth.go:377] state in url does not match State cookie
E0209 08:13:45.582149       1 auth.go:377] state in url does not match State cookie

4. Clear browser cookies, try to log in to the console; could log in now.
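
Added example (not part of the bug report and not the console's own code): a small Go triage helper that scans console pod logs for the "state in url does not match State cookie" error shown above and reports runs of closely spaced occurrences, which is how the login loop appears server-side. The names FindLoops and Burst and the gap and count thresholds are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Sample input: a subset of the console pod log lines quoted in the comment above.
const sampleLogs = `I0209 07:47:44.479226       1 main.go:768] using TLS
E0209 08:08:29.246487       1 auth.go:377] state in url does not match State cookie
E0209 08:11:09.797095       1 auth.go:377] state in url does not match State cookie
E0209 08:11:21.765905       1 auth.go:377] state in url does not match State cookie
E0209 08:11:32.214733       1 auth.go:377] state in url does not match State cookie
E0209 08:11:42.850703       1 auth.go:377] state in url does not match State cookie`
// klog error header (Emmdd hh:mm:ss.uuuuuu pid file:line], no year) plus the mismatch message.
var mismatch = regexp.MustCompile(`(?m)^E(\d{4} \d{2}:\d{2}:\d{2}\.\d{6}) +\d+ +\S+:\d+\] state in url does not match State cookie$`)

// Burst is a run of mismatch errors, each at most maxGap after the previous one.
type Burst struct {
	Start, End time.Time
	Count      int
}

// FindLoops (hypothetical helper) returns the bursts with at least minCount errors.
func FindLoops(logs string, maxGap time.Duration, minCount int) []Burst {
	var runs, out []Burst
	for _, m := range mismatch.FindAllStringSubmatch(logs, -1) {
		ts, err := time.Parse("0102 15:04:05.000000", m[1])
		if err != nil {
			continue // impossible date such as month 13
		}
		if n := len(runs); n > 0 && ts.Sub(runs[n-1].End) <= maxGap {
			runs[n-1].End, runs[n-1].Count = ts, runs[n-1].Count+1
		} else {
			runs = append(runs, Burst{Start: ts, End: ts, Count: 1})
		}
	}
	for _, r := range runs {
		if r.Count >= minCount {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	fmt.Printf("%+v\n", FindLoops(sampleLogs, 15*time.Second, 3))
}
```

Because klog timestamps carry no year, a run that crosses a year boundary is reported as two bursts.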

Comment 5 Yanping Zhang 2022-02-10 10:19:48 UTC
Steps to verify:
1. Launch a 4.10 cluster with payload 4.10.0-0.nightly-2022-02-09-111355.
2. Log in to the web console, keep the console page open.
3. Upgrade the cluster to 4.11.0-0.nightly-2022-02-10-031822.
4. Go back to the console page, log out, and try to log in again; could log in successfully now.

Comment 7 errata-xmlrpc 2022-08-10 10:48:33 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069