Bug 1308843 - [DOCS][platformmanagment_public_612]Better to remind user in documentation to grant third-party access to organization info when using GithubIdentityProvider
Status: NEW
Product: OpenShift Origin
Classification: Red Hat
Component: Documentation
low Severity low
Assigned To: Alex Dellapenta
Xingxing Xia
Vikram Goyal
Reported: 2016-02-16 04:28 EST by Xingxing Xia
Modified: 2017-08-07 23:36 EDT

Doc Type: Bug Fix
Type: Bug

Attachments
Later login would fail if the "Grant access" button is omitted at the first time of login (27.73 KB, image/png)
2016-02-16 04:59 EST, Xingxing Xia
Comment 1 Xingxing Xia 2016-02-16 04:59 EST
Created attachment 1127548
Later login would fail if the "Grant access" button is omitted at the first time of login
Comment 2 Xingxing Xia 2016-02-16 04:59:31 EST
The reason is found: in step 5.1, at the first login with the new GitHub account, I just clicked the "Authorize application" button but omitted the "Grant access" button. Thus later login with that account always fails, as the attachment shows.
But the error message shown, "An authentication error occurred", is too simple. Could the message be more instructive? It takes some time (a bit painful) to find that the reason is the omitted "Grant access" button. A customer may be disappointed if he/she also omits the button at the first login.
Comment 3 Jordan Liggitt 2016-02-16 08:47:13 EST
Unfortunately, if an organization has not granted access, there is no way to detect that from the GitHub API (it just doesn't appear in the user's list of organizations). In the server logs, we do log the user's organization membership if they don't appear to be a member of the configured organization, which could be helpful in debugging.

I'd like to keep this open and convert it to a documentation bug, and we can call out the requirement specifically in the documentation.
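
The behaviour described in comment 3, as an added Go example that is not part of the original thread and not OpenShift's own code: an organization that has not granted the OAuth application access is simply missing from the user's organization list, so the check cannot tell it apart from non-membership and can only log what it did see. The helper `checkOrgs`, the organization names and the sample response bodies are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample bodies shaped like GitHub's GET /user/orgs response.
// In both, the user really is a member of example-org and other-org.
const (
	// example-org has not granted the OAuth app access: it is just absent.
	orgsWithoutGrant = `[{"login":"other-org","id":2}]`
	// Same user after "Grant access" was clicked for example-org.
	orgsWithGrant = `[{"login":"example-org","id":1},{"login":"other-org","id":2}]`
)

// checkOrgs (hypothetical helper) reports whether any organization in the
// response is in the allowed list, and returns every organization the
// application could see so the caller can log it when the check fails.
func checkOrgs(body string, allowed []string) (bool, []string, error) {
	var orgs []struct {
		Login string `json:"login"`
	}
	if err := json.Unmarshal([]byte(body), &orgs); err != nil {
		return false, nil, err
	}
	want := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		want[strings.ToLower(a)] = true // GitHub logins are case-insensitive
	}
	matched := false
	visible := make([]string, 0, len(orgs))
	for _, o := range orgs {
		visible = append(visible, o.Login)
		matched = matched || want[strings.ToLower(o.Login)]
	}
	return matched, visible, nil
}

func main() {
	allowed := []string{"example-org"} // assumed configured organization
	for _, body := range []string{orgsWithoutGrant, orgsWithGrant} {
		if ok, visible, err := checkOrgs(body, allowed); err != nil {
			fmt.Println("could not parse organization list:", err)
		} else if !ok {
			fmt.Printf("login denied; organizations visible to the app: %v\n", visible)
		} else {
			fmt.Println("login allowed")
		}
	}
}
```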
Comment 4 Jordan Liggitt 2016-02-16 10:32:15 EST
According to GitHub, OAuth applications owned by the organization should automatically have access to the org info. In your tests, were you using an OAuth application owned by the organization you were using? I would expect that to be common, which should lessen the impact of this.

I also added a note to the GitHub IDP documentation in https://github.com/openshift/openshift-docs/pull/1600
Comment 5 Xingxing Xia 2016-02-16 22:06:07 EST
Good to convert to a documentation bug.
It is true that applications owned by the organization have access to the org info. This would lessen the impact. In my test, though, that was not the case.
Thank you.
Comment 6 Xingxing Xia 2016-02-17 01:08:25 EST
Code works well. Can log in successfully with GitHub accounts of the organizations specified in the master config. So, according to comment 3 and https://github.com/openshift/openshift-docs/pull/1600, convert this bug to a documentation bug.
