Bug 1671604 - `oc login` should prompt messages for how to generate a token with challenge=false for identity provider
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.4.0
Assignee: Venkata Siva Teja Areti
QA Contact: scheng
URL:
Whiteboard:
Depends On:
Blocks: 1781083
Reported: 2019-02-01 03:25 UTC by Chuan Yu
Modified: 2020-05-04 11:13 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: the bootstrap user introduced in OpenShift 4.1 internally made CLI login flow always available.
Consequence: the message about how to retrieve authentication token, which was there in 3.x OpenShift versions, no longer appeared for users that tried to log in from CLI in cases where only web-browser flows were configured.
Fix: do not configure bootstrap user IdP when it is disabled by the user.
Result: after the bootstrap IdP gets disabled by following the steps from the official documentation, the message about how to retrieve login token in web-login-only scenarios gets displayed once again.
Clone Of:
: 1781083 (view as bug list)
Environment:
Last Closed: 2020-05-04 11:12:48 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-authentication-operator pull 218 | 0 | 'None' | closed | Bug 1671604: redeploy oauth server deployment if bootstrap user is disabled | 2020-09-11 07:38:18 UTC
Github | openshift library-go pull 633 | 0 | 'None' | closed | [release-4.3] Bug 1781083: Added api to check if bootstrap user is enabled | 2020-09-11 07:38:17 UTC
Github | openshift oauth-server pull 26 | 0 | None | closed | Bug 1671604: Add bootstrap idp only when bootstrap user is enabled | 2020-09-11 07:38:17 UTC
Red Hat Product Errata | RHBA-2020:0581 | 0 | None | None | None | 2020-05-04 11:13:13 UTC

Description Chuan Yu 2019-02-01 03:25:18 UTC
Description of problem:
With challenge=false configured for the identity provider, running `oc login` should prompt with how to generate a token, not prompt for user/password input.

Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE     STATUS
version   4.0.0-0.nightly-2019-01-30-174704   True        False         19h       Cluster version is 4.0.0-0.nightly-2019-01-30-174704

How reproducible:
always

Steps to Reproduce:
1. Configure challenge=false for the Google identity provider
2. Run `oc login --server=***` from the CLI
3.

Actual results:
There is a prompt to input user/password

Expected results:
Should prompt how to generate a token

Additional info:

Comment 1 Mo 2019-02-03 23:34:07 UTC
(Sorry Gabe, did not mean to tag you on this)

Comment 2 Mo 2019-02-03 23:47:56 UTC
Fixing this will require:

1. Address https://github.com/openshift/origin/blob/f4b9f88b0cda4dde61e1d7fa9b0b3baed03868fc/pkg/oauthserver/authenticator/password/bootstrap/bootstrap.go#L91-L96
2. Probably some finesse in the operator to track the permanently disabled state so it knows to restart the deployment
3. Maybe some special handling for kube:admin in https://github.com/openshift/origin/blob/610ba8d1797daeefc4d6baad0e0d56c836d39c0c/pkg/oauthserver/authenticator/challenger/placeholderchallenger/placeholder_challenger.go#L20-L33 (we can likely live without this if we go with the assumption that kube:admin will generally be disabled in production clusters)
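
An added illustration of the behaviour this bug describes, not code from oauth-server, library-go or the operator: a simplified Go model in which the bootstrap provider always supports challenges, showing what a CLI login sees before and after the fix. `IdentityProvider`, `EffectiveProviders` and `CLIBehaviour` are hypothetical names, and the provider list is constructed.

```go
package main

import "fmt"

// IdentityProvider is a simplified, hypothetical stand-in for one identity
// provider entry; it is not a type from oauth-server.
type IdentityProvider struct {
	Name      string
	Challenge bool // provider can answer a CLI client with a credential challenge
}

// bootstrap models the built-in bootstrap user provider, which takes a
// password and therefore always supports challenges.
var bootstrap = IdentityProvider{Name: "bootstrap", Challenge: true}

// EffectiveProviders returns the provider list the server ends up with.
// fixed=false models the pre-fix behaviour (bootstrap always added);
// fixed=true adds it only while the bootstrap user is still enabled.
func EffectiveProviders(configured []IdentityProvider, bootstrapEnabled, fixed bool) []IdentityProvider {
	out := append([]IdentityProvider{}, configured...)
	if !fixed || bootstrapEnabled {
		out = append(out, bootstrap)
	}
	return out
}

// CLIBehaviour reports what a CLI login sees: a username/password prompt if
// any provider can issue a challenge, otherwise the token instructions.
func CLIBehaviour(providers []IdentityProvider) string {
	for _, p := range providers {
		if p.Challenge {
			return "prompt for username/password"
		}
	}
	return "show how to obtain a token"
}

func main() {
	// Constructed configuration: a single browser-only provider (challenge=false).
	google := []IdentityProvider{{Name: "google", Challenge: false}}
	for _, c := range []struct{ enabled, fixed bool }{{false, false}, {true, true}, {false, true}} {
		fmt.Printf("bootstrapEnabled=%v fixed=%v -> %s\n", c.enabled, c.fixed,
			CLIBehaviour(EffectiveProviders(google, c.enabled, c.fixed)))
	}
}
```

Only the last case, with the fix in place and the bootstrap user disabled, reaches the token instructions, which matches the Result line of the Doc Text.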

Comment 3 Mo 2019-04-05 13:58:15 UTC
It will be terrible UX but we can live without this in 4.1

Comment 12 errata-xmlrpc 2020-05-04 11:12:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

