1274997 – infinite 401 unauthorized loop when trying to login

Bug 1274997 - infinite 401 unauthorized loop when trying to login

Summary: infinite 401 unauthorized loop when trying to login

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	oc
Sub Component:
Version:	3.1.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Target Release:	---
Assignee:	Fabiano Franz
QA Contact:	Wei Sun
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-10-24 18:35 UTC by Erik M Jacobs
Modified:	2015-11-23 14:26 UTC (History)
CC List:	4 users (show)
Fixed In Version:	atomic-openshift-3.0.2.903-0.git.28.232fec6.el7aos
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-11-23 14:26:11 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Erik M Jacobs 2015-10-24 18:35:56 UTC

[joe@ose3-master ~]$ oc version
oc v3.0.2.903
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4

atomic-openshift-3.0.2.903-0.git.0.a4ff36b.el7aos.x86_64
atomic-openshift-clients-3.0.2.903-0.git.0.a4ff36b.el7aos.x86_64
atomic-openshift-master-3.0.2.903-0.git.0.a4ff36b.el7aos.x86_64
atomic-openshift-node-3.0.2.903-0.git.0.a4ff36b.el7aos.x86_64
atomic-openshift-sdn-ovs-3.0.2.903-0.git.0.a4ff36b.el7aos.x86_64
tuned-profiles-atomic-openshift-node-3.0.2.903-0.git.0.a4ff36b.el7aos.x86_64

[joe@ose3-master ~]$ oc login -u joe -p redhat --certificate-authority=/etc/origin/master/ca.crt --server=https://ose3-master.example.com:8443 --loglevel=8                                             [1045/4640]
I1024 14:29:18.537688   12027 debugging.go:99] GET https://ose3-master.example.com:8443/
I1024 14:29:18.537738   12027 debugging.go:106] Request Headers:
I1024 14:29:18.537742   12027 debugging.go:109]     User-Agent: oc/v3.0.2.903 (linux/amd64) openshift/a4ff36b
I1024 14:29:18.553664   12027 debugging.go:124] Response Status: 200 OK in 15 milliseconds
I1024 14:29:18.553687   12027 debugging.go:127] Response Headers:
I1024 14:29:18.553691   12027 debugging.go:130]     Content-Type: application/json
I1024 14:29:18.553695   12027 debugging.go:130]     Date: Sat, 24 Oct 2015 18:29:18 GMT
I1024 14:29:18.553698   12027 debugging.go:130]     Content-Length: 196
I1024 14:29:18.553717   12027 request.go:777] Response Body: {
  "paths": [
    "/api",
    "/api/v1",
    "/controllers",
    "/healthz",
    "/healthz/ping",
    "/logs/",
    "/metrics",
    "/ready",
    "/oapi",
    "/oapi/v1",
    "/swaggerapi/"
  ]
}
I1024 14:29:18.553979   12027 debugging.go:99] GET https://ose3-master.example.com:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
I1024 14:29:18.553987   12027 debugging.go:106] Request Headers:
I1024 14:29:18.553990   12027 debugging.go:109]     X-Csrf-Token: 1
I1024 14:29:18.555529   12027 debugging.go:124] Response Status: 401 Unauthorized in 1 milliseconds
I1024 14:29:18.555551   12027 debugging.go:127] Response Headers:
I1024 14:29:18.555558   12027 debugging.go:130]     Content-Type: text/plain; charset=utf-8
I1024 14:29:18.555561   12027 debugging.go:130]     Www-Authenticate: Basic realm="openshift"
I1024 14:29:18.555565   12027 debugging.go:130]     Date: Sat, 24 Oct 2015 18:29:18 GMT
I1024 14:29:18.555569   12027 debugging.go:130]     Content-Length: 0
I1024 14:29:18.555619   12027 debugging.go:99] GET https://ose3-master.example.com:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
I1024 14:29:18.555624   12027 debugging.go:106] Request Headers:
I1024 14:29:18.555627   12027 debugging.go:109]     Authorization: Basic am9lOnJlZGhhdA==
I1024 14:29:18.555630   12027 debugging.go:109]     X-Csrf-Token: 1
I1024 14:29:18.556814   12027 debugging.go:124] Response Status: 401 Unauthorized in 1 milliseconds
I1024 14:29:18.556825   12027 debugging.go:127] Response Headers:
I1024 14:29:18.556829   12027 debugging.go:130]     Www-Authenticate: Basic realm="openshift"
I1024 14:29:18.556833   12027 debugging.go:130]     Date: Sat, 24 Oct 2015 18:29:18 GMT
I1024 14:29:18.556836   12027 debugging.go:130]     Content-Length: 0
I1024 14:29:18.556839   12027 debugging.go:130]     Content-Type: text/plain; charset=utf-8
I1024 14:29:18.556872   12027 debugging.go:99] GET https://ose3-master.example.com:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
I1024 14:29:18.556877   12027 debugging.go:106] Request Headers:
I1024 14:29:18.556880   12027 debugging.go:109]     Authorization: Basic am9lOnJlZGhhdA==
I1024 14:29:18.556883   12027 debugging.go:109]     X-Csrf-Token: 1
I1024 14:29:18.557729   12027 debugging.go:124] Response Status: 401 Unauthorized in 0 milliseconds
I1024 14:29:18.557738   12027 debugging.go:127] Response Headers:
I1024 14:29:18.557742   12027 debugging.go:130]     Content-Length: 0
I1024 14:29:18.557745   12027 debugging.go:130]     Content-Type: text/plain; charset=utf-8
I1024 14:29:18.557749   12027 debugging.go:130]     Www-Authenticate: Basic realm="openshift"
I1024 14:29:18.557752   12027 debugging.go:130]     Date: Sat, 24 Oct 2015 18:29:18 GMT
I1024 14:29:18.557779   12027 debugging.go:99] GET https://ose3-master.example.com:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
I1024 14:29:18.557783   12027 debugging.go:106] Request Headers:
I1024 14:29:18.557786   12027 debugging.go:109]     Authorization: Basic am9lOnJlZGhhdA==
I1024 14:29:18.557789   12027 debugging.go:109]     X-Csrf-Token: 1
I1024 14:29:18.558646   12027 debugging.go:124] Response Status: 401 Unauthorized in 0 milliseconds
I1024 14:29:18.558656   12027 debugging.go:127] Response Headers:
I1024 14:29:18.558660   12027 debugging.go:130]     Www-Authenticate: Basic realm="openshift"
I1024 14:29:18.558664   12027 debugging.go:130]     Date: Sat, 24 Oct 2015 18:29:18 GMT
I1024 14:29:18.558667   12027 debugging.go:130]     Content-Length: 0
I1024 14:29:18.558677   12027 debugging.go:130]     Content-Type: text/plain; charset=utf-8
I1024 14:29:18.558697   12027 debugging.go:99] GET https://ose3-master.example.com:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
I1024 14:29:18.558701   12027 debugging.go:106] Request Headers:
I1024 14:29:18.558704   12027 debugging.go:109]     Authorization: Basic am9lOnJlZGhhdA==
I1024 14:29:18.558707   12027 debugging.go:109]     X-Csrf-Token: 1
I1024 14:29:18.559406   12027 debugging.go:124] Response Status: 401 Unauthorized in 0 milliseconds
I1024 14:29:18.559416   12027 debugging.go:127] Response Headers:
I1024 14:29:18.559419   12027 debugging.go:130]     Date: Sat, 24 Oct 2015 18:29:18 GMT
I1024 14:29:18.559423   12027 debugging.go:130]     Content-Length: 0
I1024 14:29:18.559426   12027 debugging.go:130]     Content-Type: text/plain; charset=utf-8
I1024 14:29:18.559429   12027 debugging.go:130]     Www-Authenticate: Basic realm="openshift"
I1024 14:29:18.559456   12027 debugging.go:99] GET https://ose3-master.example.com:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
I1024 14:29:18.559460   12027 debugging.go:106] Request Headers:
I1024 14:29:18.559463   12027 debugging.go:109]     Authorization: Basic am9lOnJlZGhhdA==
I1024 14:29:18.559466   12027 debugging.go:109]     X-Csrf-Token: 1
I1024 14:29:18.560022   12027 debugging.go:124] Response Status: 401 Unauthorized in 0 milliseconds
I1024 14:29:18.560031   12027 debugging.go:127] Response Headers:
I1024 14:29:18.560035   12027 debugging.go:130]     Www-Authenticate: Basic realm="openshift"
I1024 14:29:18.560039   12027 debugging.go:130]     Date: Sat, 24 Oct 2015 18:29:18 GMT
I1024 14:29:18.560042   12027 debugging.go:130]     Content-Length: 0
I1024 14:29:18.560045   12027 debugging.go:130]     Content-Type: text/plain; charset=utf-8
I1024 14:29:18.560070   12027 debugging.go:99] GET https://ose3-master.example.com:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
I1024 14:29:18.560075   12027 debugging.go:106] Request Headers:
I1024 14:29:18.560078   12027 debugging.go:109]     X-Csrf-Token: 1
I1024 14:29:18.560081   12027 debugging.go:109]     Authorization: Basic am9lOnJlZGhhdA==
I1024 14:29:18.560631   12027 debugging.go:124] Response Status: 401 Unauthorized in 0 milliseconds
I1024 14:29:18.560640   12027 debugging.go:127] Response Headers:
I1024 14:29:18.560643   12027 debugging.go:130]     Www-Authenticate: Basic realm="openshift"
I1024 14:29:18.560647   12027 debugging.go:130]     Date: Sat, 24 Oct 2015 18:29:18 GMT
I1024 14:29:18.560650   12027 debugging.go:130]     Content-Length: 0
I1024 14:29:18.560654   12027 debugging.go:130]     Content-Type: text/plain; charset=utf-8
I1024 14:29:18.560678   12027 debugging.go:99] GET https://ose3-master.example.com:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
I1024 14:29:18.560682   12027 debugging.go:106] Request Headers:
I1024 14:29:18.560685   12027 debugging.go:109]     Authorization: Basic am9lOnJlZGhhdA==
I1024 14:29:18.560688   12027 debugging.go:109]     X-Csrf-Token: 1
I1024 14:29:18.561225   12027 debugging.go:124] Response Status: 401 Unauthorized in 0 milliseconds
I1024 14:29:18.561234   12027 debugging.go:127] Response Headers:
I1024 14:29:18.561237   12027 debugging.go:130]     Www-Authenticate: Basic realm="openshift"
I1024 14:29:18.561241   12027 debugging.go:130]     Date: Sat, 24 Oct 2015 18:29:18 GMT
I1024 14:29:18.561245   12027 debugging.go:130]     Content-Length: 0
I1024 14:29:18.561248   12027 debugging.go:130]     Content-Type: text/plain; charset=utf-8
I1024 14:29:18.561275   12027 debugging.go:99] GET https://ose3-master.example.com:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
.....


Older OC works, sort-of:

oc v3.0.1.0-503-g7cc6deb
kubernetes v1.0.0

[thoraxe@t440 ~]$ oc login https://ose3-master.example.com:8443 --loglevel=8
I1024 14:33:03.586116   17110 debugging.go:98] GET https://ose3-master.example.com:8443/osapi
I1024 14:33:03.586174   17110 debugging.go:105] Request Headers:
I1024 14:33:03.586182   17110 debugging.go:108]     User-Agent: oc/v3.0.1.0 (linux/amd64) openshift/7cc6deb
I1024 14:33:03.602746   17110 debugging.go:123] Response Status:  in 16 milliseconds
I1024 14:33:03.602775   17110 debugging.go:126] Response Headers:
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

Username: joe
I1024 14:33:06.252116   17110 debugging.go:98] GET https://ose3-master.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token
I1024 14:33:06.252128   17110 debugging.go:105] Request Headers:
I1024 14:33:06.252132   17110 debugging.go:108]     X-Csrf-Token: 1
I1024 14:33:06.269955   17110 debugging.go:123] Response Status: 401 Unauthorized in 17 milliseconds
I1024 14:33:06.269971   17110 debugging.go:126] Response Headers:
I1024 14:33:06.269985   17110 debugging.go:129]     Www-Authenticate: Basic realm="openshift"
I1024 14:33:06.269989   17110 debugging.go:129]     Date: Sat, 24 Oct 2015 18:33:05 GMT
I1024 14:33:06.269993   17110 debugging.go:129]     Content-Length: 0
I1024 14:33:06.269996   17110 debugging.go:129]     Content-Type: text/plain; charset=utf-8
Authentication required for https://ose3-master.example.com:8443 (openshift)
Password: 
I1024 14:33:08.468086   17110 debugging.go:98] GET https://ose3-master.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&response_type=token
I1024 14:33:08.468096   17110 debugging.go:105] Request Headers:
I1024 14:33:08.468100   17110 debugging.go:108]     X-Csrf-Token: 1
I1024 14:33:08.468106   17110 debugging.go:108]     Authorization: Basic am9lOnJlZGhhdA==
I1024 14:33:08.468986   17110 debugging.go:123] Response Status: 401 Unauthorized in 0 milliseconds
I1024 14:33:08.469000   17110 debugging.go:126] Response Headers:
I1024 14:33:08.469004   17110 debugging.go:129]     Date: Sat, 24 Oct 2015 18:33:07 GMT
I1024 14:33:08.469008   17110 debugging.go:129]     Content-Length: 0
I1024 14:33:08.469011   17110 debugging.go:129]     Content-Type: text/plain; charset=utf-8
I1024 14:33:08.469015   17110 debugging.go:129]     Www-Authenticate: Basic realm="openshift"
I1024 14:33:08.469025   17110 request.go:777] Response Body: 
I1024 14:33:08.469040   17110 request.go:834] Response Body: 
Login failed (401 Unauthorized)

So, definitely we should be unauthorized, but the infinite loop is... not good.

Comment 2 Fabiano Franz 2015-10-25 00:39:53 UTC

This was fixed in Origin yesterday (https://bugzilla.redhat.com/show_bug.cgi?id=1273623), waiting for a new OSE build.

Comment 4 Wei Sun 2015-10-26 05:34:43 UTC

Now there are no infinite loops,so verify this bug.

$ oc version
oc v3.0.2.903-29-g49953d6
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4


$ oc login --server=localhost:8443 --loglevel=8 
I1026 13:24:58.972504   24589 debugging.go:99] GET https://localhost:8443/
I1026 13:24:58.972573   24589 debugging.go:106] Request Headers:
I1026 13:24:58.972586   24589 debugging.go:109]     User-Agent: oc/v3.0.2.903 (linux/amd64) openshift/49953d6
I1026 13:24:59.006218   24589 debugging.go:124] Response Status:  in 33 milliseconds
I1026 13:24:59.006258   24589 debugging.go:127] Response Headers:
I1026 13:24:59.006398   24589 debugging.go:99] GET https://localhost:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
I1026 13:24:59.006415   24589 debugging.go:106] Request Headers:
I1026 13:24:59.006425   24589 debugging.go:109]     X-Csrf-Token: 1
I1026 13:24:59.066322   24589 debugging.go:124] Response Status: 401 Unauthorized in 59 milliseconds
I1026 13:24:59.066367   24589 debugging.go:127] Response Headers:
I1026 13:24:59.066379   24589 debugging.go:130]     Www-Authenticate: Basic realm="openshift"
I1026 13:24:59.066391   24589 debugging.go:130]     Date: Mon, 26 Oct 2015 05:25:05 GMT
I1026 13:24:59.066400   24589 debugging.go:130]     Content-Length: 0
I1026 13:24:59.066410   24589 debugging.go:130]     Content-Type: text/plain; charset=utf-8
Authentication required for https://localhost:8443 (openshift)
Username: joe
Password: 
I1026 13:25:08.313810   24589 debugging.go:99] GET https://localhost:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
I1026 13:25:08.313849   24589 debugging.go:106] Request Headers:
I1026 13:25:08.313868   24589 debugging.go:109]     X-Csrf-Token: 1
I1026 13:25:08.313887   24589 debugging.go:109]     Authorization: Basic am9lOnJlZGhhdA==
I1026 13:25:08.316699   24589 debugging.go:124] Response Status: 401 Unauthorized in 2 milliseconds
I1026 13:25:08.316764   24589 debugging.go:127] Response Headers:
I1026 13:25:08.316787   24589 debugging.go:130]     Content-Length: 0
I1026 13:25:08.316808   24589 debugging.go:130]     Content-Type: text/plain; charset=utf-8
I1026 13:25:08.316829   24589 debugging.go:130]     Www-Authenticate: Basic realm="openshift"
I1026 13:25:08.316850   24589 debugging.go:130]     Date: Mon, 26 Oct 2015 05:25:14 GMT
I1026 13:25:08.316931   24589 basicauth.go:42] already prompted for challenge, won't prompt again
Login failed (401 Unauthorized)

Comment 5 Brenton Leanhardt 2015-11-23 14:26:11 UTC

This fix is available in OpenShift Enterprise 3.1.

Note You need to log in before you can comment on or make changes to this bug.