Description of problem:
For testing MSTR-1130, deleted system:oauth-token-deleters, then oc Management console logout fails to invalidate the token even if the request deletes oauthaccesstoken tokenname.

Version-Release number of selected component (if applicable):
4.7.0-0.nightly-2020-12-20-031835

How reproducible:
always

Steps to Reproduce:
1. Login to web console
2. Check `oc get oauthaccesstoken`
3. In web console, press F12, click "Network" tab, select the request and go to 'cookies' tab. Get the 'openshift-session-token'. Then log out from web console. Check `oc get oauthaccesstoken` again.
4. On CLI, run oc whoami --token=<token>. Should not show username.
5. On CLI, run oc login --token=<token>. Should not login.

Actual results:
Got token from browser cookie: sha256~0sFP760XZXlWyEhZ-CRs2CDjCog13vuMqyQ********
On CLI:
$ oc whoami --token=sha256~0sFP760XZXlWyEhZ-CRs2CDjCog13vuMqyQ********
testuser-44

Logout from Console. Can see openshift-session-token "" (blank)
On CLI:
$ oc whoami --token=sha256~0sFP760XZXlWyEhZ-CRs2CDjCog13vuMqyQ********
testuser-44
$ oc login --token=sha256~0sFP760XZXlWyEhZ-CRs2CDjCog13vuMqyQ********
Logged into "https://api...." as "testuser-44" using the token provided.

Expected results:
$ oc whoami --token=sha256~0sFP760XZXlWyEhZ-CRs2CDjCog13vuMqyQ********
error: You must be logged in to the server (Unauthorized)
$ oc login --token=sha256~0sFP760XZXlWyEhZ-CRs2CDjCog13vuMqyQ********
error: You must be logged in to the server (Unauthorized)

Additional info:
The logout (no matter oc or console or any other) should use useroauthaccesstoken instead of oauthaccesstoken, because the clusterrolebinding is deprecated and will be removed soon in the next 4.8 version.
We did not have time to fix this issue this sprint. Will reevaluate and try to fix in next sprint.
Working on fixing this issue currently.
I wasn't able to reproduce the issue in a 4.7.0-0.nightly-2021-01-17-211555 cluster, both for kubeadmin and a regular user created via htpasswd. For both I've seen the "Unauthorized" message after I've logged out: "Error: You must be logged in to the server (Unauthorized)"
The report was not well/clearly described for audiences that are not familiar with it.
Below re-describes it:

Description of problem:
The 4.7 MSTR-1130 story doc https://github.com/openshift/enhancements/blob/master/enhancements/authentication/allow-users-to-manage-their-own-tokens.md says:
  the release notes must mention the deprecation of the system:oauth-token-deleters clusterrolebinding and its removal in 4.n+1...
  Any other self-management of tokens ... should happen by using the new useroauthaccesstoken ...
  In 4.n+1, the system:oauth-token-deleters clusterrolebinding will be deleted
Thus, for one thing announced as deprecated in the current pre-release (and to be deleted in the next release), we need to ensure nothing is broken in case it is deleted. But it makes logout broken per the below steps.

Steps to Reproduce:
1.
$ oc get clusterrolebinding system:oauth-token-deleters -o yaml > clusterrolebinding_system_oauth-token-deleters.bak.yaml
$ oc delete clusterrolebinding system:oauth-token-deleters
2. Login to web console with normal user testuser-41, and remember the oauthaccesstoken:
$ oc get oauthaccesstoken
sha256~MvIjfsu5VS8c4w6ENFkVDWSS4ISbUAWqNCvBOB-BVn8 testuser-41 console 2021-01-19T10:12:43Z 2021-01-20 10:12:43 +0000 UTC https://console-openshift-console.apps..../auth/callback user:full
3. Open browser debugging console (in Firefox open it via Ctrl+Shift+K) to watch requests in its "Network" tab, then log out from web console. In "Network" tab, copy the token from "Cookie: openshift-session-token=sha256~Hh-yBhK..."
4. After logging out, check if it is still valid, and check if the corresponding oauthaccesstoken still exists.

Actual results:
4. Still valid:
$ oc login --token sha256~Hh-yBhK... --kubeconfig new.kubeconfig --server `oc whoami --show-server`
Logged into "https://...:6443" as "testuser-41" using the token provided.
$ oc get oauthaccesstoken
sha256~MvIjfsu5VS8c4w6ENFkVDWSS4ISbUAWqNCvBOB-BVn8 testuser-41 console 2021-01-19T10:12:43Z 2021-01-20 10:12:43 +0000 UTC https://console-openshift-console.apps..../auth/callback user:full

Expected results:
4. The cause is, after clusterrolebinding/system:oauth-token-deleters is deleted, the logout loses authorization to delete the oauth token. We need a fix in favor of useroauthaccesstoken during logout as per the above story doc, no matter oc logout or web console logout etc. oc has a separate bug.
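Added example (not from this bug report and not OpenShift's own code) that bridges steps 3 and 4 of the reproduction above: it derives the oauthaccesstoken/useroauthaccesstoken object name from the raw cookie token and then checks a post-logout `oc get oauthaccesstoken` listing for that object, so a tester can tell from the listing whether logout actually revoked the session. It assumes the `sha256~` token scheme OpenShift uses from 4.6 on (object name = `sha256~` plus the unpadded base64url SHA-256 of the secret after the prefix); the token and listing below are constructed.

```python
import base64
import hashlib

SHA256_PREFIX = "sha256~"


def token_object_name(token: str) -> str:
    """Map a raw bearer token (the openshift-session-token cookie value) to the
    name of its oauthaccesstoken / useroauthaccesstoken object.

    Assumption: OpenShift 4.6+ scheme, i.e. "sha256~" + unpadded base64url of
    SHA-256(secret), where secret is everything after the "sha256~" prefix.
    Only this hash is stored in the API object, never the raw token.
    """
    if not token.startswith(SHA256_PREFIX):
        raise ValueError("expected a sha256~ prefixed token")
    secret = token[len(SHA256_PREFIX):]
    digest = hashlib.sha256(secret.encode()).digest()
    return SHA256_PREFIX + base64.urlsafe_b64encode(digest).decode().rstrip("=")


def surviving_tokens(listing: str, token: str, user: str) -> list:
    """Rows of an `oc get oauthaccesstoken` listing whose NAME is the object
    derived from `token` and whose USER NAME is `user`. An empty list means
    logout revoked the session; a non-empty list reproduces this bug.
    The same object name is what a user would pass to
    `oc delete useroauthaccesstoken <name>` to revoke it themselves."""
    name = token_object_name(token)
    rows = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == name and fields[1] == user:
            rows.append(line)
    return rows


# Constructed sample: a made-up cookie token and a listing as it would look
# after logout when the token object was NOT deleted (the reported behaviour).
SAMPLE_TOKEN = SHA256_PREFIX + "constructed-secret-not-a-real-token"
SAMPLE_LISTING_AFTER_LOGOUT = (
    "NAME USER NAME CLIENT NAME CREATED EXPIRES REDIRECT URI SCOPES\n"
    + token_object_name(SAMPLE_TOKEN)
    + " testuser-41 console 2021-01-19T10:12:43Z 2021-01-20 ... user:full\n"
)

if __name__ == "__main__":
    left = surviving_tokens(SAMPLE_LISTING_AFTER_LOGOUT, SAMPLE_TOKEN, "testuser-41")
    print("logout did NOT revoke the token" if left else "token revoked")
```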
Based on the description this is a 4.8 issue, not 4.7. Moving since the `oc` itself will deal with the change of the endpoint in 4.8 as well - https://bugzilla.redhat.com/show_bug.cgi?id=1909153
we decided not to pursue this direction - https://github.com/openshift/enhancements/pull/591
This issue is recreated on OCP 4.9. I log on to the OpenShift UI, I save the token from the cookie (visible in the browser developer tool), I click the logout button to log out. I can still log in successfully using the oc login command with the saved token.
OpenShift has moved to Jira for its defect tracking! This bug can now be found in the OCPBUGS project in Jira. https://issues.redhat.com/browse/OCPBUGS-8825