Description of problem:
While following the example setup for Request Header Authentication mentioned here (https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html) and then testing the setup (both as in the part "Verifying the Configuration" and via browser), I'm getting 404 for /oauth/authorize. Using HTPasswd Authentication (also from the mentioned documentation) works as expected. Using older Request Header Authentication from snapshot (https://web.archive.org/web/20150706101757/https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html) also works.

Version-Release number of selected component (if applicable):
OpenShift Enterprise 3.0

How reproducible:
Always

Steps to Reproduce:
1. Install OpenShift Enterprise (advanced installation) and try to use Request Header Authentication, follow the documentation in both steps
2. Try to log in as created user.

Actual results:
404 error page for /oauth/authorize

Expected results:
No error about missing page, user should be able to login.

Additional info:
Please include the oauthConfig stanza of your master config file. I am guessing there is a typo in the config that is making it appear the oauthConfig stanza was removed, which disables the /oauth/* URLs
(In reply to Jordan Liggitt from comment #2)
> Please include the oauthConfig stanza of your master config file. I am
> guessing there is a typo in the config that is making it appear the
> oauthConfig stanza was removed, which disables the /oauth/* URLs

The only changes I made to generated master config file were those written in the documentation (port changes and identityProviders), but here is the whole oauthConfig part:

oauthConfig:
  assetPublicURL: https://myhostname:443/console/
  grantConfig:
    method: auto
  identityProviders:
  - name: header_provider
    challenge: True
    login: True
    provider:
      apiVersion: v1
      kind: RequestHeaderIdentityProvider
      challengeURL: "https://myhostname/challenging-proxy/oauth/authorize?${query}"
      loginURL: "https://myhostname/login-proxy/oauth/authorize?${query}"
      clientCA: /etc/openshift/master/proxyca.crt
      headers:
      - X-Remote-User
  masterPublicURL: https://myhostname:443
  masterURL: https://myhostname:8443
  sessionConfig:
    sessionMaxAgeSeconds: 3600
    sessionName: ssn
    sessionSecretsFile:
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 500
Can you capture the following and attach it to the bug?

curl -k -v 'https://myhostname:443/oauth/authorize?response_type=token&client_id=openshift-browser-client'
* About to connect() to myhostname port 443 (#0)
*   Trying 192.168.122.162...
* Connected to myhostname (192.168.122.162) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
*   subject: CN=myhostname
*   start date: Oct 08 14:38:17 2015 GMT
*   expire date: Oct 07 14:38:18 2016 GMT
*   common name: myhostname
*   issuer: CN=openshift-signer@1444315096
> GET /oauth/authorize?response_type=token&client_id=openshift-browser-client HTTP/1.1
> User-Agent: curl/7.29.0
> Host: myhostname
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: Thu, 15 Oct 2015 13:33:45 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.2.0
< Content-Length: 213
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /oauth/authorize was not found on this server.</p>
</body></html>
* Connection #0 to host myhostname left intact

Log entries:

access_log:
192.168.122.162 - - [15/Oct/2015:15:41:41 +0200] "GET /oauth/authorize?response_type=token&client_id=openshift-browser-client HTTP/1.1" 404 213 "-" "curl/7.29.0"

error_log:
[Thu Oct 15 15:41:41.735149 2015] [core:info] [pid 2706] [client 192.168.122.162:59031] AH00128: File does not exist: /var/www/html/oauth/authorize
Sorry, I missed the /login-proxy/ prefix. Can you provide the following info:

1. What URL does the browser address bar show when it receives the 404 while attempting to log in?

2. What does the following return:
curl -k -v 'https://myhostname/login-proxy/oauth/authorize?response_type=token&client_id=openshift-browser-client'
(In reply to Jordan Liggitt from comment #7)
> Sorry, I missed the /login-proxy/ prefix. Can you provide the following info:
>
> 1. What URL does the browser address bar show when it receives the 404 while
> attempting to log in?
>

https://myhostname/oauth/authorize?client_id=openshift-web-console&response_type=token&state=%2F&redirect_uri=https%3A%2F%2Fmyhostname%3A443%2Fconsole%2Foauth

> 2. What does the following return:
> curl -k -v
> 'https://myhostname/login-proxy/oauth/
> authorize?response_type=token&client_id=openshift-browser-client'

* About to connect() to myhostname port 443 (#0)
*   Trying 192.168.122.162...
* Connected to myhostname (192.168.122.162) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
*   subject: CN=myhostname
*   start date: Oct 08 14:38:17 2015 GMT
*   expire date: Oct 07 14:38:18 2016 GMT
*   common name: myhostname
*   issuer: CN=openshift-signer@1444315096
> GET /login-proxy/oauth/authorize?response_type=token&client_id=openshift-browser-client HTTP/1.1
> User-Agent: curl/7.29.0
> Host: myhostname
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Fri, 16 Oct 2015 12:34:27 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.2.0
< Cache-Control: no-store
< Content-Length: 500
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p>
<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
* Connection #0 to host myhostname left intact
There are two possible setups, and the documentation has mixed them together.

Possibility 1 is to proxy the entire API/Console (Apache won't work for this)

A. OpenShift config would have:
   masterPublicURL/masterPublicURL/publicURL pointing to https://<proxy host:port>

B. The proxy would be configured such that https://<proxy host:port> proxies to <masterURL>

Possibility 2 (which is what should be documented) is to proxy ONLY the /oauth/authorize endpoint (Apache can work for this):

A. OpenShift config should have:
   masterPublicURL: OpenShift host/port users can reach directly (NOT the proxy)
   loginURL: https://<proxy host:port>/<form handling subpath>/...
   challengeURL: https://<proxy host:port>/<basicauth challenging subpath>/...

B. The proxy should be configured such that
   https://<proxy host:port>/<form handling subpath>/oauth/authorize?... handles unauthenticated requests with form auth then proxies to <masterPublicURL>/oauth/authorize?...
   https://<proxy host:port>/<basicauth challenging subpath>/oauth/authorize?... handles unauthenticated requests with basic auth challenge then proxies to <masterPublicURL>/oauth/authorize?...
This part of the "Configuring the Master" section is incorrect, and should be removed:

"""
In the /etc/openshift/master/master-config.yaml file, all instances of masterPublicURL and assetPublicURL must match the host name and port for the Apache VirtualHost:

masterPublicURL: https://ose3-master.example.com:443
assetPublicURL: https://ose3-master.example.com:443/console/
publicURL: https://ose3-master.example.com:443/console/
"""

In the "Verifying the Configuration" section, we should add these steps:

This should show a redirect to the configured challengeURL (with additional query parameters):
curl -k -v '<masterPublicURL>/oauth/authorize?client_id=openshift-challenging-client&response_type=token'

This should show a 401 response with a WWW-Authenticate basic challenge:
curl -k -v '<redirected challengeURL+query>'

This should show a redirect with an access_token:
curl -k -v -u YOUR_USER:YOUR_PASSWORD '<redirected challengeURL+query>'
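The misconfiguration diagnosed in the comments above can be caught before the master is restarted; the following is an added example, not part of the original thread or of OpenShift itself, that checks an oauthConfig stanza against the "Possibility 2" rules. The function names are hypothetical, the stanza is passed as an already-parsed dict, the clientCA check relies on the documented behaviour of that option, and the corrected value reuses port 8443 from the reporter's masterURL as an assumption.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def origin(url):
    """(scheme, host, port) with the scheme's default port filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

def check_oauth_config(oauth):
    """Return findings for each RequestHeaderIdentityProvider in an oauthConfig dict."""
    findings = []
    master = origin(oauth["masterPublicURL"])
    for idp in oauth.get("identityProviders", []):
        prov = idp.get("provider", {})
        if prov.get("kind") != "RequestHeaderIdentityProvider":
            continue
        for key in ("loginURL", "challengeURL"):
            url = prov.get(key)
            if not url:
                continue
            # Setup 2 in the thread: masterPublicURL must NOT be the proxy.
            if origin(url) == master:
                findings.append(f"{idp['name']}: {key} shares host:port with "
                                "masterPublicURL, so /oauth/authorize lands on the proxy")
            if not urlsplit(url).path.endswith("/oauth/authorize"):
                findings.append(f"{idp['name']}: {key} path does not end in /oauth/authorize")
        # Assumption from the OpenShift docs: clientCA makes the master require a
        # proxy client certificate before it trusts the identity headers.
        if not prov.get("clientCA"):
            findings.append(f"{idp['name']}: no clientCA, identity headers are "
                            "accepted without a proxy client certificate")
    return findings

# Constructed from the stanza posted in the thread (only the fields the check reads).
REPORTED = {
    "masterPublicURL": "https://myhostname:443",
    "identityProviders": [{
        "name": "header_provider",
        "provider": {
            "kind": "RequestHeaderIdentityProvider",
            "challengeURL": "https://myhostname/challenging-proxy/oauth/authorize?${query}",
            "loginURL": "https://myhostname/login-proxy/oauth/authorize?${query}",
            "clientCA": "/etc/openshift/master/proxyca.crt",
        },
    }],
}
# Assumed fix: publish the master on its own port (8443, the thread's masterURL).
CORRECTED = dict(REPORTED, masterPublicURL="https://myhostname:8443")

if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED), ("corrected", CORRECTED)):
        print(name, check_oauth_config(cfg) or "ok")
```

The reported stanza yields two findings because https://myhostname:443 and https://myhostname resolve to the same origin once the default port is filled in.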
I ran through the docs again and confirmed Jordan's finding. I suspect the public URL configuration was something that was left over from previous work I had done. I suspect it worked in my environment because of other stale configuration. In any case here's a PR for consideration: https://github.com/openshift/openshift-docs/pull/1107 The only thing I modified from Jordan's suggestions was simply in the verification steps I included an X-Csrf-Token header in the curl requests. Without that I was getting a 403. With the header set I get the expected responses.
Commits pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/f7fe28c33efeee39c659fb7baf0532b5e6c1ed83
Bug 1271767 - /oauth/authorize not found while following documentation setup

https://github.com/openshift/openshift-docs/commit/148285f594e07278ed26c72aab16aa550d726003
Merge pull request #1107 from brenton/BZ1271767

Bug 1271767 - /oauth/authorize not found while following documentatio…
Merged https://github.com/openshift/openshift-docs/pull/1107 Labeled it to_followup for minor markup cleanup.
This fix is now live: https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html. Moving this bug to CLOSED-->CURRENTRELEASE.