Description of problem:
In OCP 3.x, setting challenge=true for keycloak based OpenID IDP allowed users to use `oc login -u <> -p <>` from the CLI. This behavior has been changed in 4.x and challenge can no longer be specified (top level config does not expose the option).

Version-Release number of selected component (if applicable):
4.1.4

How reproducible:
100%

Steps to Reproduce:
1. Configure keycloak backend with OpenID oauth.config.openshift.io
2. Attempt to login with valid keycloak username/password from the command line via oc
3.

Actual results:
The user is unable to authenticate via keycloak.

Expected results:
If the OpenID backend supports it, allow this form of authentication.
Known TODO: https://github.com/openshift/cluster-authentication-operator/blob/7a385e712749728452e590d23e3414721078f90d/pkg/operator2/idp.go#L208
*** Bug 1745533 has been marked as a duplicate of this bug. ***
Justin, if you could possibly help me test the PR that is referenced in this BZ so that we make sure it works for you, that'd be awesome.
Standa - if we can get an image with the fix in it, the DPCR team should be able to install it on a staging starter cluster. Brad Williams is the team lead.
*** Bug 1833206 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409