Bug 1493903 - [hNhBstvg] accessTokenMaxAgeSeconds in oauthclient does not override the master default
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 3.7.0
Assignee: Jordan Liggitt
QA Contact: Chuan Yu
Duplicates: 1461011
Reported: 2017-09-21 07:11 UTC by Chuan Yu
Modified: 2021-03-11 15:49 UTC (History)

Last Closed: 2017-11-28 22:12:03 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2017:3188 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update | 2017-11-29 02:34:54 UTC

Description Chuan Yu 2017-09-21 07:11:39 UTC
Description of problem:
Configured accessTokenMaxAgeSeconds in oauthclient, but it does not override the default value in master-config.yaml

Version-Release number of selected component (if applicable):
# openshift version
openshift v3.7.0-0.126.6
kubernetes v1.7.0+80709908fd
etcd 3.2.1

How reproducible:
always

Steps to Reproduce:
1. Make sure the accessTokenMaxAgeSeconds field is configured in the oauthclient openshift-browser-client
# oc edit oauthclients openshift-browser-client

Configure accessTokenMaxAgeSeconds to 0 or any other integer
2. Try to request a token with the oauthclient openshift-browser-client from the web console
3. Check the token expiration time
# oc get oauthaccesstoken

Actual results:
The access token expiration time is still the master default configuration

Expected results:
The accessTokenMaxAgeSeconds field configured in the oauthclient should override the master default configuration

Additional info:
When accessTokenMaxAgeSeconds is configured to 0 for openshift-browser-client:

# oc get oauthaccesstoken
NAME                                          USER NAME   CLIENT NAME                CREATED                         EXPIRES                         REDIRECT URI                                                                                       SCOPES
h4K_FkJANGmKtb4kLeTLMcjIylBD-lxSdGeB5OTRdbg   chuyu       openshift-browser-client   2017-09-21 02:38:22 -0400 EDT   2017-09-22 02:38:22 -0400 EDT   https://<master_url>:8443/oauth/token/display   user:full

Comment 1 Mo 2017-09-21 13:50:15 UTC
The version of OpenShift you are running does not have this change, it is only in the latest master.

Comment 2 Chuan Yu 2017-09-22 04:27:27 UTC
With the latest build v3.7.0-0.127.0, the issue still exists.

Comment 3 Jordan Liggitt 2017-09-22 14:36:34 UTC
Looks like the code flow (used by /oauth/token/request) assigns expiration times via a different path. Implicit flows (used by CLI) assign the expiration as expected.

Will fix and add a test case

Comment 4 Jordan Liggitt 2017-09-23 05:44:43 UTC
Fixed in https://github.com/openshift/origin/pull/16520

Comment 6 zhou ying 2017-09-28 06:48:53 UTC
Verified with the latest OCP; the issue has been fixed:
openshift version
openshift v3.7.0-0.131.0
kubernetes v1.7.0+80709908fd
etcd 3.2.1

oc get oauthclients openshift-browser-client -o yaml 
accessTokenMaxAgeSeconds: 600
apiVersion: v1
grantMethod: auto
kind: OAuthClient
metadata:
  creationTimestamp: 2017-09-28T05:58:31Z
  name: openshift-browser-client
  resourceVersion: "6236"
  selfLink: /oapi/v1/oauthclients/openshift-browser-client
  uid: 0e7938db-a412-11e7-8658-fa163e17f4a6
redirectURIs:
- https://xxxxx:8443/oauth/token/display
secret: 5131e8de-a3f1-49da-af26-6993599ce66e


[root@host-8-241-76 ~]# oc get oauthaccesstoken |grep ge
y06OiQ91U2wRL2LUmWbQzgE1l3y-WMfyeB1Kc4XHsS4   geliu       openshift-browser-client       2017-09-28 02:45:43 -0400 EDT   2017-09-28 02:55:43 -0400 EDT   https://xxxxx:8443/oauth/token/display    user:full
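
A check for the symptom reported in this bug, as an added example that is not part of any comment above or of OpenShift's own code: it parses `oc get oauthaccesstoken` output and flags tokens whose lifetime (EXPIRES minus CREATED) does not match the accessTokenMaxAgeSeconds set on their client. The sample rows are constructed from the timestamps shown in the description and in Comment 6, the function names are hypothetical, and treating 0 as "no expiration" is an assumption about the field's semantics.

```python
import re
from datetime import datetime

# CREATED / EXPIRES as printed by `oc get oauthaccesstoken`,
# e.g. "2017-09-28 02:45:43 -0400 EDT" (the zone abbreviation is ignored).
TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})(?: [A-Z]{2,5})?")

def token_lifetimes(oc_output):
    """Yield (token_name, client_name, lifetime_seconds) for each data row."""
    for line in oc_output.splitlines():
        stamps = TS.findall(line)
        if len(stamps) != 2:  # header, blank line, or a row without both times
            continue
        # Assumes NAME, USER NAME and CLIENT NAME contain no whitespace.
        name, _user, client = line.split()[:3]
        created, expires = (
            datetime.strptime(s, "%Y-%m-%d %H:%M:%S %z") for s in stamps
        )
        yield name, client, int((expires - created).total_seconds())

def find_mismatches(oc_output, max_age_by_client):
    """Return (token, client, actual_seconds, configured_seconds) for tokens
    that ignore the per-client override. Clients without an entry are skipped
    because they legitimately fall back to the master default."""
    bad = []
    for name, client, actual in token_lifetimes(oc_output):
        if client not in max_age_by_client:
            continue
        configured = max_age_by_client[client]
        # Assumption: 0 means "no expiration", so any finite lifetime is wrong.
        if configured == 0 or actual != configured:
            bad.append((name, client, actual, configured))
    return bad

# Constructed sample rows (token names, users and host are placeholders).
SAMPLE_BEFORE_FIX = """\
NAME      USER NAME   CLIENT NAME                CREATED                         EXPIRES                         REDIRECT URI   SCOPES
token-a   user-a      openshift-browser-client   2017-09-21 02:38:22 -0400 EDT   2017-09-22 02:38:22 -0400 EDT   https://master.example:8443/oauth/token/display   user:full
"""
SAMPLE_AFTER_FIX = """\
token-b   user-b      openshift-browser-client   2017-09-28 02:45:43 -0400 EDT   2017-09-28 02:55:43 -0400 EDT   https://master.example:8443/oauth/token/display   user:full
"""

if __name__ == "__main__":
    # Override 0 but a 24 h token was issued: reported as a mismatch.
    print(find_mismatches(SAMPLE_BEFORE_FIX, {"openshift-browser-client": 0}))
    # Override 600 and a 10 min token was issued: nothing to report.
    print(find_mismatches(SAMPLE_AFTER_FIX, {"openshift-browser-client": 600}))
```

Because the bug affected only the code flow used by /oauth/token/request, run the check against tokens obtained through each flow you rely on, not just the CLI.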

Comment 10 errata-xmlrpc 2017-11-28 22:12:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

Comment 11 knewcomer 2019-05-18 21:06:36 UTC
*** Bug 1461011 has been marked as a duplicate of this bug. ***

