Bug 1909690
| Summary: | [MSTR-1130] Management Console logout fails to invalidate the token if there is no clusterrolebinding/system:oauth-token-deleters, which is deprecated and to be removed in a future release per the enhancement doc | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | pmali |
| Component: | Management Console | Assignee: | Jakub Hadvig <jhadvig> |
| Status: | CLOSED DEFERRED | QA Contact: | Yadan Pei <yapei> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.8 | CC: | jokerman, slaznick, xxia |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | 4.8.0 | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-03-09 01:00:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
pmali
2020-12-21 12:16:15 UTC
We did not have time to fix this issue this sprint. Will reevaluate and try to fix in next sprint.

Working on fixing this issue currently.

I wasn't able to reproduce the issue in 4.7.0-0.nightly-2021-01-17-211555 cluster, both for kubeadmin and regular user created via htpasswd. For both I've seen the "Unauthorized" message after I've logged out.
"Error: You must be logged in to the server (Unauthorized)"

The report was not well/clearly described for audiences that are not familiar with it. Below re-describes it:

Description of problem:
The 4.7 MSTR-1130 story doc https://github.com/openshift/enhancements/blob/master/enhancements/authentication/allow-users-to-manage-their-own-tokens.md says:
"the release notes must mention the deprecation of the system:oauth-token-deleters clusterrolebinding and its removal in 4.n+1... Any other self-management of tokens ... should happen by using the new useroauthaccesstoken ... In 4.n+1, the system:oauth-token-deleters clusterrolebinding will be deleted"

Thus, for one thing announced as deprecated in current pre-release (and to be deleted in next release), we need to ensure nothing is broken in case it is deleted. But it makes logout broken per below steps.

Steps to Reproduce:
1. Back up and delete the clusterrolebinding:
   $ oc get clusterrolebinding system:oauth-token-deleters -o yaml > clusterrolebinding_system_oauth-token-deleters.bak.yaml
   $ oc delete clusterrolebinding system:oauth-token-deleters
2. Login to web console with normal user testuser-41, and remember the oauthaccesstoken:
   $ oc get oauthaccesstoken
   sha256~MvIjfsu5VS8c4w6ENFkVDWSS4ISbUAWqNCvBOB-BVn8 testuser-41 console 2021-01-19T10:12:43Z 2021-01-20 10:12:43 +0000 UTC https://console-openshift-console.apps..../auth/callback user:full
3. Open browser debugging console (in Firefox open it via Ctrl+Shift+K) to watch requests in its "Network" tab, then log out from web console. In "Network" tab, copy the token from "Cookie: openshift-session-token=sha256~Hh-yBhK..."
4. After logged out, check if it is still valid. And check if corresponding oauthaccesstoken still exists.

Actual results:
4. Still valid:
   $ oc login --token sha256~Hh-yBhK... --kubeconfig new.kubeconfig --server `oc whoami --show-server`
   Logged into "https://...:6443" as "testuser-41" using the token provided.
   $ oc get oauthaccesstoken
   sha256~MvIjfsu5VS8c4w6ENFkVDWSS4ISbUAWqNCvBOB-BVn8 testuser-41 console 2021-01-19T10:12:43Z 2021-01-20 10:12:43 +0000 UTC https://console-openshift-console.apps..../auth/callback user:full

Expected results:
4.

The cause is, after clusterrolebinding/system:oauth-token-deleters is deleted, the logout loses authorization to delete the oauth token. We need fix in favor of useroauthaccesstoken during logout as per above story doc. No matter oc logout or web console logout etc. oc has separate bug.

Based on the description this is a 4.8 issue, not 4.7. Moving since the `oc` itself will deal with the change of the endpoint in 4.8 as well - https://bugzilla.redhat.com/show_bug.cgi?id=1909153

we decided not to pursue this direction - https://github.com/openshift/enhancements/pull/591

This issue is recreated on OCP 4.9. I log on to OpenShift UI, I save the token from the cookie (visible in Browser developer tool), I click logout button to log out. I still can log in successfully using oc login command with the saved token.

OpenShift has moved to Jira for its defect tracking! This bug can now be found in the OCPBUGS project in Jira.
https://issues.redhat.com/browse/OCPBUGS-8825
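The reproduction steps above check by hand whether the console session token survives logout. As an added example (not code from the bug report or from the console), the Python below maps a `openshift-session-token` cookie value to the name of its `oauthaccesstoken` object and checks that name against a constructed `oc get oauthaccesstoken` listing, so a tester can confirm the object was actually deleted. It assumes the OCP 4.6+ naming scheme in which the object name is `sha256~` followed by the unpadded base64url SHA-256 of the token's secret part; the two truncated values on the page do not let us confirm that mapping, so treat it as an assumption.

```python
import base64
import hashlib
from typing import Dict

TOKEN_PREFIX = "sha256~"


def oauthaccesstoken_name(token: str) -> str:
    """Derive the oauthaccesstoken object name from a bearer/cookie token.

    Assumption (not stated on the bug page): the stored object is named
    'sha256~' + unpadded base64url(SHA-256(secret part after the prefix)),
    so the raw token itself never appears in etcd or in 'oc get' output.
    """
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("expected a sha256~ prefixed token")
    secret = token[len(TOKEN_PREFIX):]
    digest = hashlib.sha256(secret.encode("ascii")).digest()
    encoded = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return TOKEN_PREFIX + encoded


def parse_oc_get(output: str) -> Dict[str, Dict[str, str]]:
    """Parse 'oc get oauthaccesstoken' table output into {name: {user, client}}.

    Only the first three columns are whitespace-safe (EXPIRES contains spaces),
    so nothing beyond CLIENT NAME is parsed.
    """
    rows: Dict[str, Dict[str, str]] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "NAME":  # skip blanks and the header
            continue
        rows[parts[0]] = {"user": parts[1], "client": parts[2]}
    return rows


def token_still_live(session_token: str, oc_get_output: str) -> bool:
    """True if the object backing session_token is still listed (logout failed)."""
    return oauthaccesstoken_name(session_token) in parse_oc_get(oc_get_output)


# Constructed sample values; the listing is built from the derived name because
# no real token/object pair is available offline.
SAMPLE_TOKEN = "sha256~constructed-session-token-value-for-testing"
_NAME = oauthaccesstoken_name(SAMPLE_TOKEN)
_HEADER = "NAME USER NAME CLIENT NAME CREATED EXPIRES REDIRECT URI SCOPES\n"
_ROW = f"{_NAME} testuser-41 console 2021-01-19T10:12:43Z 2021-01-20 10:12:43 +0000 UTC https://console.example/auth/callback user:full\n"
LISTING_BEFORE_LOGOUT = _HEADER + _ROW
LISTING_AFTER_GOOD_LOGOUT = _HEADER          # object deleted: token revoked
LISTING_AFTER_BROKEN_LOGOUT = _HEADER + _ROW  # the bug: object survives logout
```

Run the listing through `token_still_live` after clicking logout; a `True` result is the failure the bug describes.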