Description of problem:
User creates two OAuth identities with the same name; the 2nd one should not be created successfully.

Version-Release number of selected component (if applicable):
4.0.0-0.nightly-2019-04-03-202419

How reproducible:
Always

Steps to Reproduce:
1. Cluster-admin user logs in on the OAuth page and creates an OpenID identity using Gitlab:
   1) Add an application on the settings page: https://gitlab.com/profile/applications
      Fill in the Redirect URI: https://<$ oc get route -n openshift-authentication> + /oauth2callback/ + <openId name such as openid-xiaocwan>
      Get the ClientID and ClientSecret
   2) On the "Add Identity Provider: OpenID Connect" page:
      Fill in the Name as openid-xiaocwan
      Fill in the ClientID and ClientSecret copied from Gitlab.
      Fill in Issuer URL 'https://gitlab.com'
2. Create and wait for the pod ($ oc get pod -n openshift-authentication) to succeed.
3. Repeat the above steps and create another identity with the same name (openid-xiaocwan)

Actual results:
3. Created successfully. The pods under openshift-authentication are in CrashLoopBackOff until the first identity is deleted.

Expected results:
3. Console should block the creation of the duplicated identity.

Additional info:
Htpasswd also reproduces.
oc logs openshift-authentication-5865bb76-w6v7z -n openshift-authentication
Command "openshift-osinserver" is deprecated, will be removed in 4.0
panic: http: multiple registrations for /login/htpasswdtest

goroutine 1 [running]:
net/http.(*ServeMux).Handle(0xc421a474d0, 0xc421a7c0a0, 0x13, 0xb4056e0, 0xc4206bdb80)
	/opt/rh/go-toolset-1.10/root/usr/lib/go-toolset-1.10-golang/src/net/http/server.go:2356 +0x239
net/http.(*ServeMux).HandleFunc(0xc421a474d0, 0xc421a7c0a0, 0x13, 0xc4206bdb80)
	/opt/rh/go-toolset-1.10/root/usr/lib/go-toolset-1.10-golang/src/net/http/server.go:2371 +0x55
github.com/openshift/origin/pkg/oauthserver/server/login.(*Login).Install(0xc420bf4340, 0xb41fa20, 0xc421a474d0, 0xc420ecce58, 0x1, 0x1)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/oauthserver/server/login/login.go:98 +0x57
github.com/openshift/origin/pkg/oauthserver/oauthserver.(*OAuthServerConfig).getAuthenticationHandler(0xc42135d680, 0xb41fa20, 0xc421a474d0, 0xb3f7bc0, 0xc4206bda50, 0x523fd20, 0xc4206bda50, 0xb3f7c00, 0xc4204a4f40)
Changing component to Auth since the validation needs to happen on the backend. Otherwise it would be possible to create duplicate names from other clients.
Should be handled as part of OAuth CRD validation: https://github.com/openshift/origin/pull/21922
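The backend check discussed in the comments above, as an added Go example that is not code from openshift/origin or the linked pull request: it rejects duplicate identity provider names before any /login/<name> handler reaches net/http's ServeMux, which panics on a repeated pattern as the log shows. The IdentityProvider type and all function names are hypothetical, and the provider list in main is constructed sample input.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// IdentityProvider is a hypothetical stand-in for one OAuth config entry.
type IdentityProvider struct{ Name, Type string }

// validateProviderNames returns one error string per empty or duplicate name.
func validateProviderNames(idps []IdentityProvider) []string {
	var errs []string
	seen := map[string]int{} // name -> index of first occurrence
	for i, idp := range idps {
		if strings.TrimSpace(idp.Name) == "" {
			errs = append(errs, fmt.Sprintf("identityProviders[%d].name: required", i))
		} else if first, dup := seen[idp.Name]; dup {
			errs = append(errs, fmt.Sprintf("identityProviders[%d].name: %q duplicates identityProviders[%d]", i, idp.Name, first))
		} else {
			seen[idp.Name] = i
		}
	}
	return errs
}

// installLoginHandlers validates first, so a bad config is a returned error
// instead of a process panic (and a CrashLoopBackOff pod).
func installLoginHandlers(mux *http.ServeMux, idps []IdentityProvider) error {
	if errs := validateProviderNames(idps); len(errs) > 0 {
		return fmt.Errorf("invalid OAuth config: %s", strings.Join(errs, "; "))
	}
	for _, idp := range idps {
		mux.HandleFunc("/login/"+idp.Name, func(http.ResponseWriter, *http.Request) {})
	}
	return nil
}

// registerUnchecked mirrors the failing path: no validation, so registering
// the same pattern twice panics inside net/http. Reports whether it panicked.
func registerUnchecked(idps []IdentityProvider) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	mux := http.NewServeMux()
	for _, idp := range idps {
		mux.HandleFunc("/login/"+idp.Name, func(http.ResponseWriter, *http.Request) {})
	}
	return false
}

func main() { // constructed sample: the duplicate name from the log above
	dup := []IdentityProvider{{Name: "htpasswdtest", Type: "HTPasswd"}, {Name: "htpasswdtest", Type: "HTPasswd"}}
	fmt.Println("unchecked panics:", registerUnchecked(dup))
	fmt.Println("validated:", installLoginHandlers(http.NewServeMux(), dup))
}
```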
*** Bug 1677587 has been marked as a duplicate of this bug. ***
Function is acceptable, will move it to Verified. A duplicated name for an identity provider is not allowed to be created on the console. It behaves correctly on both htpasswd and OpenID with Gitlab.

The only slight change now is that the new OpenID creation page will open as an edit view, but it does create a new one.

But I assume there is a new issue here for the OpenID creation page when there is already one:
The values of ClientID and ClientSecret should better be cleared when creating the 2nd one, otherwise the existing ones still match the previous callback URL and won't work for the new Identity Provider name. The user needs to remove both values sooner or later.

Tested on
Cluster version: 4.1.0-rc.3
image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e6dd4bf3fdb483a93d6e84a5574e0f2514cb1cbf1b4407e52e6c94fd66e3648d
Commit ID: https://github.com/openshift/console/commit/d8fc460a3d0e9f8de3d14373de8f36ba09103537
(In reply to Samuel Padgett from comment #2)
> Changing component to Auth since the validation needs to happen on the
> backend. Otherwise it would be possible to create duplicate names from other
> clients.
Moving back to console since the issue being mentioned is specific to the UI. I do think we should just close this BZ and make a new one.
(In reply to XiaochuanWang from comment #9)
>
> But I assume here is a new issue for OpenId creating page when there is
> already one:
> The values of ClientID and ClientSecret should better to be cleared when
> creating the 2nd one, otherwise the existing one still match the previous
> callback url and it won't work for the new Identity Provider name. User need
> to remove both values sooner or later.

I'm not sure I understand what the issue is. Can you give specific steps to reproduce? This sounds like it should be a different bug, however.
Agree to move it to Verified since the duplicated name failed to be created, since the issue now is specific to console.

Tested on
Cluster version: 4.1.0-rc.3
image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e6dd4bf3fdb483a93d6e84a5574e0f2514cb1cbf1b4407e52e6c94fd66e3648d
Commit ID: https://github.com/openshift/console/commit/d8fc460a3d0e9f8de3d14373de8f36ba09103537
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758