Bug 1271767 - /oauth/authorize not found while following documentation setup
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Assigned To: Vikram Goyal
Reported: 2015-10-14 11:59 EDT by Veronika Kabatova
Modified: 2015-12-07 22:44 EST (History)
Doc Type: Bug Fix
Last Closed: 2015-12-07 22:44:11 EST
Type: Bug
Description Veronika Kabatova 2015-10-14 11:59:10 EDT
Description of problem:
While following the example setup for Request Header Authentication mentioned here (https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html) and then testing the setup (both as in the part "Verifying the Configuration" and via browser), I'm getting 404 for /oauth/authorize.

Using HTPasswd Authentication (also from the mentioned documentation) works as expected.

Using older Request Header Authentication from snapshot (https://web.archive.org/web/20150706101757/https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html) also works.


Version-Release number of selected component (if applicable):
OpenShift Enterprise 3.0

How reproducible:
Always

Steps to Reproduce:
1. Install OpenShift Enterprise (advanced installation) and try to use Request Header Authentication, follow the documentation in both steps
2. Try to log in as created user.


Actual results:
404 error page for /oauth/authorize


Expected results:
No error about missing page, user should be able to login.


Additional info:
Comment 2 Jordan Liggitt 2015-10-14 14:22:51 EDT
Please include the oauthConfig stanza of your master config file. I am guessing there is a typo in the config that is making it appear the oauthConfig stanza was removed, which disables the /oauth/* URLs
Comment 4 Veronika Kabatova 2015-10-15 06:13:40 EDT
(In reply to Jordan Liggitt from comment #2)
> Please include the oauthConfig stanza of your master config file. I am
> guessing there is a typo in the config that is making it appear the
> oauthConfig stanza was removed, which disables the /oauth/* URLs

The only changes I made to generated master config file were those written in the documentation (port changes and identityProviders), but here is the whole oauthConfig part:

oauthConfig:
  assetPublicURL: https://myhostname:443/console/
  grantConfig:
    method: auto
  identityProviders:
  - name: header_provider
    challenge: True
    login: True
    provider:
      apiVersion: v1
      kind: RequestHeaderIdentityProvider
      challengeURL: "https://myhostname/challenging-proxy/oauth/authorize?${query}"
      loginURL: "https://myhostname/login-proxy/oauth/authorize?${query}"
      clientCA: /etc/openshift/master/proxyca.crt
      headers:
      - X-Remote-User
  masterPublicURL: https://myhostname:443
  masterURL: https://myhostname:8443
  sessionConfig:
    sessionMaxAgeSeconds: 3600
    sessionName: ssn
    sessionSecretsFile: 
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 500
Comment 5 Jordan Liggitt 2015-10-15 08:10:44 EDT
Can you capture the following and attach it to the bug?

curl -k -v 'https://myhostname:443/oauth/authorize?response_type=token&client_id=openshift-browser-client'
Comment 6 Veronika Kabatova 2015-10-15 09:43:58 EDT
* About to connect() to myhostname port 443 (#0)
*   Trying 192.168.122.162...
* Connected to myhostname (192.168.122.162) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* 	subject: CN=myhostname
* 	start date: Oct 08 14:38:17 2015 GMT
* 	expire date: Oct 07 14:38:18 2016 GMT
* 	common name: myhostname
* 	issuer: CN=openshift-signer@1444315096
> GET /oauth/authorize?response_type=token&client_id=openshift-browser-client HTTP/1.1
> User-Agent: curl/7.29.0
> Host: myhostname
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Date: Thu, 15 Oct 2015 13:33:45 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.2.0
< Content-Length: 213
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /oauth/authorize was not found on this server.</p>
</body></html>
* Connection #0 to host myhostname left intact


Log entries:

access_log:
192.168.122.162 - - [15/Oct/2015:15:41:41 +0200] "GET /oauth/authorize?response_type=token&client_id=openshift-browser-client HTTP/1.1" 404 213 "-" "curl/7.29.0"

error_log:
[Thu Oct 15 15:41:41.735149 2015] [core:info] [pid 2706] [client 192.168.122.162:59031] AH00128: File does not exist: /var/www/html/oauth/authorize
Comment 7 Jordan Liggitt 2015-10-15 13:49:57 EDT
Sorry, I missed the /login-proxy/ prefix. Can you provide the following info:

1. What URL does the browser address bar show when it receives the 404 while attempting to log in?

2. What does the following return:
curl -k -v 'https://myhostname/login-proxy/oauth/authorize?response_type=token&client_id=openshift-browser-client'
Comment 8 Veronika Kabatova 2015-10-16 08:39:22 EDT
(In reply to Jordan Liggitt from comment #7)
> Sorry, I missed the /login-proxy/ prefix. Can you provide the following info:
> 
> 1. What URL does the browser address bar show when it receives the 404 while
> attempting to log in?
> 

https://myhostname/oauth/authorize?client_id=openshift-web-console&response_type=token&state=%2F&redirect_uri=https%3A%2F%2Fmyhostname%3A443%2Fconsole%2Foauth


> 2. What does the following return:
> curl -k -v
> 'https://myhostname/login-proxy/oauth/
> authorize?response_type=token&client_id=openshift-browser-client'

* About to connect() to myhostname port 443 (#0)
*   Trying 192.168.122.162...
* Connected to myhostname (192.168.122.162) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* 	subject: CN=myhostname
* 	start date: Oct 08 14:38:17 2015 GMT
* 	expire date: Oct 07 14:38:18 2016 GMT
* 	common name: myhostname
* 	issuer: CN=openshift-signer@1444315096
> GET /login-proxy/oauth/authorize?response_type=token&client_id=openshift-browser-client HTTP/1.1
> User-Agent: curl/7.29.0
> Host: myhostname
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Fri, 16 Oct 2015 12:34:27 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.2.0
< Cache-Control: no-store
< Content-Length: 500
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
* Connection #0 to host myhostname left intact
Comment 9 Jordan Liggitt 2015-10-16 09:57:24 EDT
There are two possible setups, and I think the documentation has mixed them together.

Possibility 1 is to proxy the entire API/Console (Apache won't work for this)
A. OpenShift config would have:
  masterPublicURL/assetPublicURL/publicURL pointing to https://<proxy host:port>
B. The proxy would be configured such that
  https://<proxy host:port> proxies to <masterURL>


Possibility 2 (which is what should be documented) is to proxy ONLY the /oauth/authorize endpoint (Apache can work for this):
A. OpenShift config should have:
  masterPublicURL: OpenShift host/port users can reach directly (NOT the proxy)
  loginURL: https://<proxy host:port>/<form handling subpath>/...
  challengeURL: https://<proxy host:port>/<basicauth challenging subpath>/...

B. The proxy should be configured such that
  https://<proxy host:port>/<form handling subpath>/oauth/authorize?...
    handles unauthenticated requests with form auth
    then proxies to <masterPublicURL>/oauth/authorize?...
  https://<proxy host:port>/<basicauth challenging subpath>/oauth/authorize?...
    handles unauthenticated requests with basic auth challenge
    then proxies to <masterPublicURL>/oauth/authorize?...


This part of the "Configuring the Master" section is incorrect, and should be removed:

"""
In the /etc/openshift/master/master-config.yaml file, all instances of masterPublicURL and assetPublicURL must match the host name and port for the Apache VirtualHost:

    masterPublicURL: https://ose3-master.example.com:443
    assetPublicURL: https://ose3-master.example.com:443/console/
    publicURL: https://ose3-master.example.com:443/console/
"""


In the "Verifying the Configuration" section, we should add these steps:

This should show a redirect to the configured challengeURL (with additional query parameters):
  curl -k -v '<masterPublicURL>/oauth/authorize?client_id=openshift-challenging-client&response_type=token'

This should show a 401 response with a WWW-Authenticate basic challenge:
  curl -k -v '<redirected challengeURL+query>'

This should show a redirect with an access_token:
  curl -k -v -u YOUR_USER:YOUR_PASSWORD '<redirected challengeURL+query>'
Comment 10 Brenton Leanhardt 2015-10-23 16:07:49 EDT
I ran through the docs again and confirmed Jordan's finding.  I suspect the public URL configuration was something that was left over from previous work I had done.  I suspect it worked in my environment because of other stale configuration.  In any case here's a PR for consideration:

https://github.com/openshift/openshift-docs/pull/1107

The only thing I modified from Jordan's suggestions was that in the verification steps I included an X-Csrf-Token header in the curl requests.  Without that I was getting a 403.  With the header set I get the expected responses.
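The three verification requests Jordan lays out in comment 9, sent with the X-Csrf-Token header Brenton found necessary in comment 10, as a script. This is an added example, not code from the bug report, the docs PR or OpenShift itself. It assumes the "Possibility 2" layout (users reach the master directly; Apache proxies only the challenging subpath) and takes the master public URL, a user name and a password as arguments. The header-parsing helpers run offline on header dumps of the kind `curl -D -` writes; only `verify_challenge_flow` contacts a server. That the access token arrives in the URL fragment of the final redirect is the implicit-flow behaviour assumed here.

```shell
#!/bin/sh
# Added example, not code from the bug report or the OpenShift docs.
# Walks the three checks from comment 9 for the "proxy only /oauth/authorize"
# setup, sending the X-Csrf-Token header comment 10 found necessary.
# Assumed inputs: the master public URL (the host/port users reach directly,
# not the proxy), a proxy user name and its password.

# Status code from the first line of a header dump such as `curl -D -` writes.
status_of() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p'
}

# Value of the first Location header in a header dump.
location_of() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p' | head -n 1
}

# Succeeds when the dump carries a Basic challenge (what step 2 must return).
has_basic_challenge() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qi '^WWW-Authenticate: *Basic'
}

# access_token from the URL fragment of the final redirect; the implicit flow
# puts it after '#' (e.g. .../oauth/token/implicit#access_token=...).
token_from_redirect() {
    printf '%s\n' "$1" | sed -n 's/.*#.*access_token=\([^&]*\).*/\1/p'
}

# curl wrapper: headers only, no redirect following, CSRF header always set.
fetch_headers() {
    curl -sk -o /dev/null -D - -H 'X-Csrf-Token: 1' "$@"
}

verify_challenge_flow() {
    master="$1"; user="$2"; pass="$3"

    # Step 1: the master must redirect the challenging client to challengeURL.
    step1=$(fetch_headers "$master/oauth/authorize?client_id=openshift-challenging-client&response_type=token")
    [ "$(status_of "$step1")" = 302 ] || {
        echo "step 1: expected 302 from master, got $(status_of "$step1")" >&2; return 1; }
    challenge_url=$(location_of "$step1")
    echo "step 1 ok: redirected to $challenge_url"

    # Step 2: the proxy must answer an anonymous request with a Basic challenge.
    step2=$(fetch_headers "$challenge_url")
    has_basic_challenge "$step2" || {
        echo "step 2: no Basic challenge from proxy (status $(status_of "$step2"))" >&2; return 1; }
    echo "step 2 ok: Basic challenge received"

    # Step 3: with credentials the proxy authenticates, sets X-Remote-User and
    # forwards to the master, which redirects back with the token.
    step3=$(fetch_headers -u "$user:$pass" "$challenge_url")
    token=$(token_from_redirect "$(location_of "$step3")")
    [ -n "$token" ] || {
        echo "step 3: no access_token in redirect (status $(status_of "$step3"))" >&2; return 1; }
    echo "step 3 ok: access_token of ${#token} chars obtained"
}

# Usage (needs a live master and proxy; values are placeholders):
#   verify_challenge_flow https://master.example.com:8443 YOUR_USER YOUR_PASSWORD
```

A 404 at step 1 means the request never reached the master's OAuth server (the symptom in this bug: the master public URL pointed at Apache, which served `/var/www/html/oauth/authorize`); a 401 at step 2 without `WWW-Authenticate: Basic` points at the proxy's auth section; an empty token at step 3 usually means the proxy forwarded without `X-Remote-User` or the master rejected the proxy's client certificate.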
Comment 11 openshift-github-bot 2015-10-27 15:48:19 EDT
Commits pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/f7fe28c33efeee39c659fb7baf0532b5e6c1ed83
Bug 1271767 - /oauth/authorize not found while following documentation setup

https://github.com/openshift/openshift-docs/commit/148285f594e07278ed26c72aab16aa550d726003
Merge pull request #1107 from brenton/BZ1271767

Bug 1271767 - /oauth/authorize not found while following documentatio…
Comment 12 Alex Dellapenta 2015-10-27 15:53:31 EDT
Merged https://github.com/openshift/openshift-docs/pull/1107

Labeled it to_followup for minor markup cleanup.
Comment 13 Vikram Goyal 2015-12-07 22:44:11 EST
This fix is now live: https://docs.openshift.com/enterprise/3.0/admin_guide/configuring_authentication.html.

Moving this bug to CLOSED-->CURRENTRELEASE.
