Description of problem:
When setting OpenID with extra parameters (include_granted_scopes: "true") within the ansible inventory file (using variable openshift_master_identity_providers), the "true" value is taken as true (without quotes) as outcome. This causes OpenShift not to retrieve all the sub fields for the users.

As a test, when you set it manually within the master-config.yaml with the proper format (include_granted_scopes: "true", enclosed between double quotes), it works:

###############################################
identityProviders:
- challenge: false
  login: true
  mappingMethod: claim
  name: companyokta
  provider:
    apiVersion: v1
    claims:
      email:
      - email
      id:
      - sub
      name:
      - name
      preferredUsername:
      - preferred_username
    clientID: xxx
    clientSecret: xxx
    extraAuthorizeParameters:
      include_granted_scopes: "true"
    kind: OpenIDIdentityProvider
    urls:
      authorize: https://<url>.com/oauth2/v1/authorize
      token: https://<url>.com/oauth2/v1/token
      userInfo: https://<url>.com/oauth2/v1/userinfo
###############################################

Version-Release number of the following components:
rpm -q openshift-ansible
rpm -q ansible
ansible --version

How reproducible:
100%

Steps to Reproduce:
1. Set openshift_master_identity_providers as follows:

###############################################
openshift_master_identity_providers=[{"name": "companyokta", "login": "true", "challenge": "false", "mappingMethod": "claim", "kind": "OpenIDIdentityProvider", "client_id": "xxx", "client_secret": "xxx", "extraAuthorizeParameters" : {"include_granted_scopes": "true"}, "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://<url>.com/oauth2/v1/authorize", "token": "https://<url>.com/oauth2/v1/token", "userInfo": "https://<url>.com/oauth2/v1/userinfo"} }]
###############################################

2. Run the installer

Actual results:
➜ ~ oc get identities
NAME                            IDP NAME      IDP USER NAME          USER NAME                USER UID
companyokta:00u11e13mwxxxxxx    companyokta   00u11e13mwNM1xxxxxx    myemailaddress.uk        4380c342-7603-11e7-bb8b-xxxxxx
companyokta:00u14da2xxxxxxxx    companyokta   00u14da2dbitr4xxxxxx   00u14da2xxxxxxx43TR0i7   8999013b-8e30-11e7-a0e2-xxxxx

On the first line, under USER NAME, you see the email of the user authenticated for the first time while OpenShift had the right configuration ("true" with quotes). On the second line you see instead another user authenticated using the configuration provisioned by ansible (true without quotes).

Expected results:
OCP to recognize true (without double quotes) as a proper value for the include_granted_scopes variable.

Additional info:
https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master_facts/filter_plugins/openshift_master.py#L383-L386
I believe this was already fixed here https://github.com/openshift/openshift-ansible/pull/2896
Created attachment 1322402: Patch for include_granted_scopes
> OCP to recognize true (without double quotes) as a proper value for the include_granted_scopes variable

This is not possible as it would require a breaking API change, and in general is incorrect (it is a map of string to string with no meaning to OpenShift, and thus OpenShift should not try to interpret it in any way and must simply pass it along). I am surprised that it does not raise an error such as "unrecognized type: string" though (this is what you get if you try to put a bool in a string field).

https://github.com/openshift/openshift-ansible/pull/2896 needs to be updated to fix the ansible error.
(In reply to Mo from comment #4)
> https://github.com/openshift/openshift-ansible/pull/2896 needs to be updated
> to fix the ansible error.

Not sure which ansible error you have in mind, but I gave it a try with https://github.com/openshift/openshift-ansible/pull/5350 now.
I do not understand why ansible needs to do anything special here at all. The value is a string, so why are we parsing it and then turning it back into a string? Why not simply pass it through?
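Added example, not code from openshift-ansible or from any commenter: it reproduces the type-coercion mistake from the description in isolation and shows the pass-through fix argued for above. The inventory snippet is a constructed, trimmed copy of the one in the report; the field names follow the OpenIDIdentityProvider schema, and the YAML rendering helper is written here rather than taken from PyYAML.

```python
import json

# Constructed, trimmed copy of the inventory value from the bug report.
INVENTORY = ('[{"name": "companyokta", "login": "true", "challenge": "false", '
             '"kind": "OpenIDIdentityProvider", '
             '"extraAuthorizeParameters": {"include_granted_scopes": "true"}}]')

# The only identityProviders fields that are booleans in the master-config schema.
BOOL_FIELDS = ("login", "challenge")

# Plain YAML 1.1 scalars that a loader turns into bool/null instead of str.
YAML_AMBIGUOUS = {"true", "false", "yes", "no", "on", "off", "null", "~", ""}


def load_inventory(text):
    """Parse the JSON list the inventory variable holds."""
    return json.loads(text)


def to_bool(value):
    """Installer-style coercion of a string flag to a real bool."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "yes", "1")


def normalize_provider(raw):
    """Coerce only the schema's bool fields; extraAuthorizeParameters is opaque.

    The bug: coercion was applied to "true" inside extraAuthorizeParameters too,
    producing a bool in a map[string]string field that the API rejects.
    """
    out = dict(raw)
    for key in BOOL_FIELDS:
        if key in out:
            out[key] = to_bool(out[key])
    extra = out.get("extraAuthorizeParameters", {})
    # Pass-through: every value stays a string (a JSON bool becomes "true"/"false").
    out["extraAuthorizeParameters"] = {
        k: (json.dumps(v) if isinstance(v, bool) else str(v)) for k, v in extra.items()}
    return out


def yaml_scalar(value):
    """Render a scalar so a YAML loader reads back the same type."""
    if isinstance(value, bool):
        return "true" if value else "false"
    text = str(value)
    # A string that YAML would read as bool/null/number must be quoted.
    if text.lower() in YAML_AMBIGUOUS or text.replace(".", "", 1).isdigit():
        return "'%s'" % text
    return text


def render_extra_params(provider):
    """Emit the extraAuthorizeParameters block as master-config.yaml lines."""
    params = provider["extraAuthorizeParameters"]
    return ["extraAuthorizeParameters:"] + [
        "  %s: %s" % (k, yaml_scalar(v)) for k, v in sorted(params.items())]
```

Running `render_extra_params(normalize_provider(load_inventory(INVENTORY)[0]))` yields the quoted form `include_granted_scopes: 'true'` that the verification comment later reports, while `login` and `challenge` still become real booleans.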
The patch doesn't apply to master. I'll rebase it and open a new PR.
PR: https://github.com/openshift/openshift-ansible/pull/5364 PTAL
There is an alternate PR at https://github.com/openshift/openshift-ansible/pull/5350
We're running with https://github.com/openshift/openshift-ansible/pull/5350 as the PR of choice.
The PR was merged but I'm not happy with the result -- please see https://github.com/openshift/openshift-ansible/issues/2454#issuecomment-329101226 and subsequent comments.
Third PR option opened: https://github.com/openshift/openshift-ansible/pull/5427
Verified this bug with openshift-ansible-3.7.0-0.128.0.git.0.89dcad2.el7.noarch.rpm.

With the following option set in the ansible inventory file:

openshift_master_identity_providers=[{"name": "companyokta", "login": "true", "challenge": "false", "mappingMethod": "claim", "kind": "OpenIDIdentityProvider", "client_id": "xxx", "client_secret": "xxx", "extraAuthorizeParameters" : {"include_granted_scopes": "true"}, "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://test.com/oauth2/v1/authorize", "token": "https://test.com/oauth2/v1/token", "userInfo": "https://test.com/oauth2/v1/userinfo"} }]

After installation, check the master config file:

oauthConfig:
  ...
      extraAuthorizeParameters:
        include_granted_scopes: 'true'

When installing an env with an earlier version, openshift-ansible-3.7.0-0.126.0.git.0.33d254a.el7.noarch.rpm, it is configured as:

oauthConfig:
  ...
      extraAuthorizeParameters:
        include_granted_scopes: true

and the master service failed to start due to "Invalid MasterConfig /etc/origin/master/master-config.yaml".

So move this bug to verified.
Added doc text
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188