Created attachment 1766265 [details]
Error message actual result

Description of problem:
oauth/cluster error template customized messages take no effect

Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.8.0-0.nightly-2021-03-24-235642
Server Version: 4.8.0-0.nightly-2021-03-24-235642

How reproducible:
Always

Steps to Reproduce:
1. Set up a fresh env which sets flexy-htpasswd-provider
   $ oc login -u testuser-40 -p password1 # successful

2. Use admin:
   $ oc adm create-error-template > error-template.html
   Its content includes:

    <body>
      <div>
        <!-- example of handling a particular error code in a special way -->
        {{ if eq .ErrorCode "mapping_claim_error" }}
          Could not create your user. Contact your administrator to resolve this issue.
        {{ else }}
          {{ .Error }}
        {{ end }}
      </div>
    </body>

   Customize the else branch to be:

    {{ else }}
      You got {{ .ErrorCode }}: {{ .Error }}

   $ oc create secret generic error-secret --from-file=errors.html=./error-template.html -n openshift-config

3. Create secret htpass-secret-test, which includes two users: testuser-40:password2 and anyuser:anypasswd. Then update oauth/cluster to be:

    identityProviders:
    - htpasswd:
        fileData:
          name: htpass-secret
      mappingMethod: claim
      name: flexy-htpasswd-provider
      type: HTPasswd
    - htpasswd:
        fileData:
          name: htpass-secret-test
      mappingMethod: lookup
      name: htpasswd-provider-test
      type: HTPasswd
    templates:
      error:
        name: error-secret

3. Wait for new pods Running. Then access the web console, choose htpasswd-provider-test, log in with anyuser:anypasswd

4. Update lookup to claim. Wait for new pods Running. Then access the web console, choose htpasswd-provider-test, log in with testuser-40:password2

Actual results:
3. The page returns "Could not find user"
4. The page returns "Could not create user", see attachment.

Expected results:
Per the above customization, step 3 should return "You got mapping_lookup_error: Could not find user". Step 4 should return "Could not create your user. Contact your administrator to resolve this issue."
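To make the expected behaviour of the customized template concrete, the following is an added example (not code from the bug report or from the oauth-server project) that renders the report's template locally with Go's html/template, the engine OpenShift's oauth-server uses for these pages. The template text, the ErrorData struct and the two sample errors are constructed here to match the report; a third sample shows that the engine HTML-escapes the error message, so an error string containing markup cannot inject into the page.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// errorTemplate is a constructed copy of the customized error template from the
// report: a special case for mapping_claim_error, otherwise "You got <code>: <msg>".
const errorTemplate = `<div>{{ if eq .ErrorCode "mapping_claim_error" }}Could not create your user. Contact your administrator to resolve this issue.{{ else }}You got {{ .ErrorCode }}: {{ .Error }}{{ end }}</div>`

// ErrorData carries the two fields the oauth-server template documents:
// Error (human readable) and ErrorCode (programmatic).
type ErrorData struct {
	Error     string
	ErrorCode string
}

// ValidateTemplate parses the template text and returns any syntax error, a
// useful check before the file is stored in the error-secret.
func ValidateTemplate(tmplText string) error {
	_, err := template.New("error").Parse(tmplText)
	return err
}

// RenderError executes the template for one error. html/template escapes the
// interpolated values for the HTML context, so a message such as "<b>x</b>"
// is emitted as "&lt;b&gt;x&lt;/b&gt;" rather than as markup.
func RenderError(tmplText string, data ErrorData) (string, error) {
	tmpl, err := template.New("error").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed samples: the two cases from the report plus a markup-bearing message.
	samples := []ErrorData{
		{Error: "Could not find user", ErrorCode: "mapping_lookup_error"},
		{Error: "Could not create user", ErrorCode: "mapping_claim_error"},
		{Error: "<b>x</b>", ErrorCode: "authentication_error"},
	}
	if err := ValidateTemplate(errorTemplate); err != nil {
		fmt.Println("template error:", err)
		return
	}
	for _, s := range samples {
		out, err := RenderError(errorTemplate, s)
		if err != nil {
			fmt.Println("render error:", err)
			continue
		}
		fmt.Println(out)
	}
}
```

Running it prints the two messages the report expects for steps 3 and 4, which is the output to compare against what the console actually shows.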
Created attachment 1766487 [details]
web address shows mapping_claim_error

As the new attachment shows, the error code mapping_claim_error is shown correctly in the web address. So the bug concerns why the UI does not show the message per the code lines under "<!-- example of handling a particular error code in a special way -->". The cause lies in either the html of oc adm create-error-template, or the console, or the oauth server.
Created attachment 1766510 [details]
Error template messages only work under oauth2.0 idp like google idp

Rather than htpasswd, this time I tried with an oauth2.0 IDP like the google IDP, and can get the messages as per the template. But no place documents that it is only for those IDPs. So we need:
1. a fix so that comment 0's scenario can see the template messages
2. if point 1 won't be fixed, document somewhere that it is only for some IDP types like oauth 2.0 IDPs, not for all IDPs.
3. if point 2 won't be documented, at least fix v4 oc adm create-error-template; currently the content it produces is STILL v3 configuration, AND does not mention point 2, which should be fixed:

    <!DOCTYPE html>
    <!--
    This template can be modified and used to customize the error page. To replace
    the error page, set master configuration option oauthConfig.templates.error to
    the path of the template file.

    oauthConfig:
      templates:
        error: templates/error-template.html

    The Error field contains an error message, which is human readable, and subject
    to change. Default error messages are intentionally generic to avoid leaking
    information about authentication errors.

    The ErrorCode field contains a programmatic error code, which may be (but is
    not limited to):
    - mapping_claim_error
    - mapping_lookup_error
    - authentication_error
    - grant_error
The documentation both in the static files of the oauth-server repository and in docs definitely needs a revisit. From what I can tell from briefly examining the related code, the error template is used mainly, if not only, to surface the errors from the OIDC authentication process.
I can reproduce the above scenario with the htpasswd provider, however I do see references using the error page renderer here, so I'd like to understand why it is not being used.
This should be finalized in sprint 201.
This is actually not a bug. Error page templates are not being used for password authenticators like htpasswd using the native login page. As Standa mentioned, we should fix the oc create-error-page template doc and the openshift docs (PRs submitted). The error page template renderer does work for oauth identity and request header identity providers.
Sorry for not having time to verify this earlier. Today I checked the oc PR: "set master configuration option oauthConfig.templates.error" and the following template snippet still need updating. For v4, it is not "set master configuration", it is to edit oauth/cluster.
Sprint review: this needs a revisit, as a fix was submitted.
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.
Reviewed-in-sprint: not enough capacity to work on this bugzilla.