Bug 1727983 - Challenge based CLI auth is not enabled for keycloak IDP
Summary: Challenge based CLI auth is not enabled for keycloak IDP
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.z
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.5.0
Assignee: Standa Laznicka
QA Contact: pmali
: 1745533 1833206
Depends On: 1745533
Reported: 2019-07-08 17:49 UTC by Justin Pierce
Modified: 2020-07-13 17:11 UTC (History)
10 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The cluster authentication operator always disabled challenge authentication flows for any OIDC identity provider.
Consequence: Even though an OIDC identity provider may be capable of handling direct password logins, which would make CLI login with `oc` possible, this capability was not honored.
Fix: When an OIDC identity provider is configured, the authentication operator checks whether the provider allows the Resource Owner Password Credentials grant and enables challenge-based login if it does.
Result: It is now possible to log in from the CLI to OIDC identity providers that allow the Resource Owner Password Credentials authorization grant.
Clone Of:
: 1745533
Last Closed: 2020-07-13 17:11:03 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Github openshift cluster-authentication-operator pull 248 None closed Bug 1727983: OIDC IdPs: allow challenge flows if OIDC server advertises password grants 2020-09-21 16:51:19 UTC
Red Hat Product Errata RHBA-2020:2409 None None None 2020-07-13 17:11:19 UTC

Description Justin Pierce 2019-07-08 17:49:35 UTC
Description of problem:
In OCP 3.x, setting challenge=true for a keycloak-based OpenID IDP allowed users to use `oc login -u <> -p <>` from the CLI. This behavior has been changed in 4.x and challenge can no longer be specified (the top-level config does not expose the option).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure keycloak backend with OpenID oauth.config.openshift.io
2. Attempt to log in with a valid keycloak username/password from the command line via oc

Actual results:
The user is unable to authenticate via keycloak.

Expected results:
If the OpenID backend supports it, allow this form of authentication.
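
The Doc Text on this bug describes the fix as: enable challenge-based (`oc login -u/-p`) flows only when the OIDC provider advertises the Resource Owner Password Credentials grant. The following Go program is an added example, not code from the cluster-authentication-operator or its pull request; it models that decision on the OpenID Connect Discovery metadata field `grant_types_supported`, where the value "password" denotes the ROPC grant (RFC 6749 section 4.3). The discovery documents it parses, the issuer URL and the function names are constructed for the example. It also covers the edge case the spec creates: `grant_types_supported` is optional and defaults to `authorization_code` and `implicit` when absent, so a missing field must not enable challenge flows.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// discoveryDoc is the subset of an OIDC Discovery document needed for the decision.
type discoveryDoc struct {
	Issuer              string   `json:"issuer"`
	GrantTypesSupported []string `json:"grant_types_supported"`
}

// passwordGrant is the grant_type value for Resource Owner Password Credentials.
const passwordGrant = "password"

// allowsPasswordGrant reports whether the provider advertises the ROPC grant.
// grant_types_supported is OPTIONAL in OIDC Discovery 1.0 and defaults to
// ["authorization_code", "implicit"] when absent, so an absent field yields false.
func allowsPasswordGrant(doc discoveryDoc) bool {
	for _, gt := range doc.GrantTypesSupported {
		if gt == passwordGrant {
			return true
		}
	}
	return false
}

// challengeFlowEnabled parses a raw discovery document and returns whether
// challenge-based login should be enabled for that identity provider.
// Malformed or issuer-less documents are rejected instead of defaulting to enabled.
func challengeFlowEnabled(raw []byte) (bool, error) {
	var doc discoveryDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return false, fmt.Errorf("parse discovery document: %w", err)
	}
	if doc.Issuer == "" {
		return false, errors.New("discovery document has no issuer")
	}
	return allowsPasswordGrant(doc), nil
}

// Constructed sample discovery documents (hypothetical issuer, not captured from a real server).
var (
	// Provider advertising the password grant alongside the code flow.
	ropcDiscovery = []byte(`{"issuer":"https://idp.example.test/realms/demo",
	  "grant_types_supported":["authorization_code","refresh_token","password"]}`)
	// Provider advertising only redirect-based grants.
	codeOnlyDiscovery = []byte(`{"issuer":"https://idp.example.test/realms/demo",
	  "grant_types_supported":["authorization_code","implicit"]}`)
	// Field omitted: the spec default applies, so no password grant.
	noGrantTypesDiscovery = []byte(`{"issuer":"https://idp.example.test/realms/demo"}`)
)

func main() {
	samples := map[string][]byte{
		"ropc":      ropcDiscovery,
		"code-only": codeOnlyDiscovery,
		"no-field":  noGrantTypesDiscovery,
	}
	for name, raw := range samples {
		ok, err := challengeFlowEnabled(raw)
		fmt.Printf("%-10s challenge=%v err=%v\n", name, ok, err)
	}
}
```

In a real operator the document would come from `<issuer>/.well-known/openid-configuration` over TLS with the issuer value cross-checked against the configured URL; the decision logic above is the part the Doc Text describes.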

Comment 3 Stefan Schimanski 2019-08-26 12:45:07 UTC
*** Bug 1745533 has been marked as a duplicate of this bug. ***

Comment 10 Standa Laznicka 2020-02-21 12:22:43 UTC
Justin, if you could possibly help me test the PR that is referenced in this BZ so that we make sure it works for you, that'd be awesome.

Comment 11 Justin Pierce 2020-02-21 13:53:14 UTC
Standa - if we can get an image with the fix in it, the DPCR team should be able to install it on a staging starter cluster. Brad Williams is the team lead.

Comment 13 Standa Laznicka 2020-05-13 07:25:27 UTC
*** Bug 1833206 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2020-07-13 17:11:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
