Description of problem: Configured challenge=false for identity provider, when run `oc login` should prompt how to generate a token but not prompt input user/password Version-Release number of selected component (if applicable): $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.0.0-0.nightly-2019-01-30-174704 True False 19h Cluster version is 4.0.0-0.nightly-2019-01-30-174704 How reproducible: always Steps to Reproduce: 1.Configured challenge=false for Google identity provider 2.run `oc login --server=***` from cli 3. Actual results: There prompt to input user/password Expected results: Should prompt how to generate a token Additional info:
(Sorry Gabe, did not mean to tag you on this)
Fixing this will require: 1. Address https://github.com/openshift/origin/blob/f4b9f88b0cda4dde61e1d7fa9b0b3baed03868fc/pkg/oauthserver/authenticator/password/bootstrap/bootstrap.go#L91-L96 2. Probably some finesse in the operator to track the permanently disabled state so it knows to restart the deplyoment 3. Maybe some special handling for kube:admin in https://github.com/openshift/origin/blob/610ba8d1797daeefc4d6baad0e0d56c836d39c0c/pkg/oauthserver/authenticator/challenger/placeholderchallenger/placeholder_challenger.go#L20-L33 (we can likely live without this if we go with the assumption that kube:admin will generally be disabled in production clusters)
It will be terrible UX but we can live without this in 4.1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581