Bug 1868324 - [MSTR-1019] oc logout fails to invalidate the token since the request deletes token value instead of oauthaccesstoken name
Summary: [MSTR-1019] oc logout fails to invalidate the token since the request deletes...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.6.0
Assignee: Maciej Szulik
QA Contact: pmali
Depends On:
Blocks: 1870667
TreeView+ depends on / blocked
Reported: 2020-08-12 10:22 UTC by Xingxing Xia
Modified: 2020-10-27 16:28 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-10-27 16:28:06 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift oc pull 521 0 None closed Bug 1868324: oc logout should make the token invalid 2020-12-18 10:35:55 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:28:21 UTC

Description Xingxing Xia 2020-08-12 10:22:44 UTC
Description of problem:
oc logout fails to invalidate the token since the request deletes token value instead of oauthaccesstoken name

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. oc login -u testuser-40 -p <password>
oc whoami -t

2. User cluster-admin to check oauthaccesstoken:
oc get oauthaccesstoken --context admin
NAME                                          USER NAME     CLIENT NAME                    CREATED                EXPIRES REDIRECT URI                                                                                  SCOPES
sha256~ejjC2dHfQHEjE-QcjwIif7lUwi4f-X4Z-...   testuser-40   openshift-challenging-client   2020-08-12T03:53:54Z   2020-08-13 03:53:54 +0000 UTC   https://oauth-openshift.apps..../oauth/token/implicit   user:full

3. oc logout
Logged "testuser-40" out on "https://api....:6443"

But checking ` oc whoami --token "sha256~m0fmhX15JljiPLUbwbOvYtSg4sIR6TGZv_..." ` again, still shows testuser-40.
Checking `oc get oauthaccesstoken --context admin` again, `sha256~ejjC2dHfQHEjE-QcjwIif7lUwi4f-X4Z-...` still exists.

Checking oc logout --v 6, found the reason is, oc logout deletes token value instead of oauthaccesstoken name in the request:
DELETE https://api....:6443/apis/oauth.openshift.io/v1/oauthaccesstokens/sha256~m0fmhX15JljiPLUbwbOvYtSg4sIR6TGZv_... 404 Not Found in 53 milliseconds
I0812 12:32:09.331192    6311 logout.go:127] oauthaccesstokens.oauth.openshift.io "sha256~m0fmhX15JljiPLUbwbOvYtSg4sIR6TGZv_..." not found

Actual results:
3. oc logout didn't make the token deleted.

Expected results:
3. Should delete successfully. After `oc logout`, `oc whoami --token "sha256~m0fmhX15JljiPLUbwbOvYtSg4sIR6TGZv_..."` should show "error: You must be logged in to the server (Unauthorized)"

Additional info:

Comment 1 scheng 2020-08-17 08:25:25 UTC

Comment 4 Xingxing Xia 2020-08-21 03:12:54 UTC
Verified in:
$ oc version --client
Client Version: 4.6.0-0.nightly-2020-08-21-011653

Comment 6 errata-xmlrpc 2020-10-27 16:28:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.