Bug 1942915 - oauth/cluster error template customized messages take no effect
Summary: oauth/cluster error template customized messages take no effect
Keywords:
Status: ASSIGNED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.9.0
Assignee: Sergiusz Urbaniak
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-03-25 10:38 UTC by Xingxing Xia
Modified: 2021-12-21 13:03 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments
Error message actual result (55.15 KB, image/png), 2021-03-25 10:38 UTC, Xingxing Xia
web address shows mapping_claim_error (46.62 KB, image/png), 2021-03-26 03:46 UTC, Xingxing Xia
Error template messages only work under oauth2.0 idp like google idp (41.59 KB, image/png), 2021-03-26 07:46 UTC, Xingxing Xia


Links
Github openshift oc pull 828 (open): Bug 1942915: pkg/.../create_error_template: fix error page template (last updated 2021-05-19 08:36:59 UTC)

Description Xingxing Xia 2021-03-25 10:38:11 UTC
Created attachment 1766265
Error message actual result

Description of problem:
oauth/cluster error template customized messages take no effect

Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.8.0-0.nightly-2021-03-24-235642
Server Version: 4.8.0-0.nightly-2021-03-24-235642

How reproducible:
Always

Steps to Reproduce:
1. Set up fresh env which sets flexy-htpasswd-provider
$ oc login -u testuser-40 -p password1 # successful

2. Use admin:
$ oc adm create-error-template > error-template.html
Its content includes:
  <body>

    <div>
                <!-- example of handling a particular error code in a special way -->
                {{ if eq .ErrorCode "mapping_claim_error" }}
                        Could not create your user. Contact your administrator to resolve this issue.
                {{ else }}
                        {{ .Error }}
                {{ end }}
                </div>

  </body>

Customize the else branch to be:
                {{ else }}
                        You got {{ .ErrorCode }}: {{ .Error }}

$ oc create secret generic error-secret --from-file=errors.html=./error-template.html -n openshift-config

3. Create secret htpass-secret-test, which includes two users: testuser-40:password2 and anyuser:anypasswd. Then update oauth/cluster to be:
  identityProviders:
  - htpasswd:
      fileData:
        name: htpass-secret
    mappingMethod: claim
    name: flexy-htpasswd-provider
    type: HTPasswd
  - htpasswd:
      fileData:
        name: htpass-secret-test
    mappingMethod: lookup
    name: htpasswd-provider-test
    type: HTPasswd
  templates:
    error:
      name: error-secret

4. Wait for new pods Running. Then access web console, choose htpasswd-provider-test, login with anyuser:anypasswd

5. Update lookup to claim. Wait for new pods Running. Then access web console, choose htpasswd-provider-test, login with testuser-40:password2

Actual results:
4. The page returns "Could not find user"
5. The page returns "Could not create user", see attachment.

Expected results:
Per above customization, step 4 should return "You got mapping_lookup_error: Could not find user". Step 5 should return "Could not create your user. Contact your administrator to resolve this issue."
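To make the template logic in the report concrete, the following is an added example, not code from the oauth-server or oc projects. It renders the customized error template from the steps above with Go's html/template (assumed here; the page does not say which Go template package the server uses) for the two error codes the reporter exercised, which is how the expected strings in the report are derived. The ErrorData struct, the RenderError function and the whitespace collapsing are this example's own assumptions. It also pushes an error message containing markup through the template to show that the contextual escaping in html/template keeps the .Error field from injecting HTML into the error page.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// errorTemplate is the customized template from the report, embedded here as a
// constructed string; the real file comes from `oc adm create-error-template`.
const errorTemplate = `<!DOCTYPE html>
<html>
  <body>
    <div>
      <!-- example of handling a particular error code in a special way -->
      {{ if eq .ErrorCode "mapping_claim_error" }}
        Could not create your user. Contact your administrator to resolve this issue.
      {{ else }}
        You got {{ .ErrorCode }}: {{ .Error }}
      {{ end }}
    </div>
  </body>
</html>`

// ErrorData carries the two fields the template documents: Error (the human
// readable message) and ErrorCode (the programmatic code). This struct is an
// assumption of the example; the server's own data type is not on the page.
type ErrorData struct {
	Error     string
	ErrorCode string
}

// RenderError executes the template the way an error page renderer would and
// returns the output with insignificant whitespace collapsed so the result is
// easy to compare. html/template strips the HTML comment and escapes values.
func RenderError(code, msg string) (string, error) {
	tmpl, err := template.New("error").Parse(errorTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, ErrorData{Error: msg, ErrorCode: code}); err != nil {
		return "", err
	}
	return strings.Join(strings.Fields(buf.String()), " "), nil
}

func main() {
	// Constructed cases: the two codes from the report plus a message that
	// carries markup, to show the escaping applied to the .Error field.
	cases := []ErrorData{
		{ErrorCode: "mapping_lookup_error", Error: "Could not find user"},
		{ErrorCode: "mapping_claim_error", Error: "Could not create user"},
		{ErrorCode: "authentication_error", Error: `<script>alert(1)</script>`},
	}
	for _, c := range cases {
		out, err := RenderError(c.ErrorCode, c.Error)
		if err != nil {
			fmt.Println("render failed:", err)
			continue
		}
		fmt.Printf("%s -> %s\n\n", c.ErrorCode, out)
	}
}
```

Running it prints one rendered page per case: mapping_claim_error takes the special branch, mapping_lookup_error takes the customized else branch, and the markup in the third message comes out as entity-escaped text rather than a script element.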

Comment 1 Xingxing Xia 2021-03-26 03:46:32 UTC
Created attachment 1766487
web address shows mapping_claim_error

As the new attachment shows, the error code mapping_claim_error is shown correctly in web address. So the bug concerns why the UI does not show as per the code lines under "<!-- example of handling a particular error code in a special way -->". The cause lies in either the html of oc adm create-error-template, or console, or oauth server.

Comment 2 Xingxing Xia 2021-03-26 07:46:07 UTC
Created attachment 1766510
Error template messages only work under oauth2.0 idp like google idp

Rather than htpasswd, this time I tried with an OAuth 2.0 IdP like the Google IdP and can get the messages as per the template. But no place documents that it is only for those IdPs. So we need:
1. a fix so that comment 0's scenario can see the template messages
2. if point 1 won't be fixed, document somewhere that it is only for some IdP types like OAuth 2.0 IdPs, not for all IdPs.
3. if point 2 won't be documented, at least fix v4 oc adm create-error-template; currently the content it produces is STILL v3 configuration AND does not mention point 2, which should be fixed:
<!DOCTYPE html>
<!--
This template can be modified and used to customize the error page. To replace
the error page, set master configuration option oauthConfig.templates.error to
the path of the template file.

oauthConfig:
  templates:
    error: templates/error-template.html

The Error field contains an error message, which is human readable, and subject to change.
Default error messages are intentionally generic to avoid leaking information about authentication errors.

The ErrorCode field contains a programmatic error code, which may be (but is not limited to):
- mapping_claim_error
- mapping_lookup_error
- authentication_error
- grant_error

Comment 3 Standa Laznicka 2021-04-16 08:19:27 UTC
The documentation both in the static files of the oauth-server repository and in docs definitely needs a revisit. From what I can tell from briefly examining the related code, the error template is used mainly, if not only, to surface the errors from the OIDC authentication process.

Comment 5 Sergiusz Urbaniak 2021-05-17 13:44:55 UTC
I can reproduce the above scenario with the htpasswd provider, however I do see references using the error page renderer here, so I'd like to understand why it is not being used.

Comment 6 Sergiusz Urbaniak 2021-05-18 11:14:26 UTC
This should be finalized in sprint 201.

Comment 7 Sergiusz Urbaniak 2021-05-19 08:50:01 UTC
This is actually not a bug. Error page templates are not being used for password authenticators like htpasswd using the native login page. As Standa mentioned, we should fix the oc create-error-page template doc and the openshift docs (PRs submitted).

The error page template renderer does work for oauth identity and request header identity providers.

Comment 9 Xingxing Xia 2021-06-10 12:43:55 UTC
Sorry for not having time to verify this earlier. Today I checked the oc PR:
"set master configuration option oauthConfig.templates.error" and the following template snippet still need updating.
For v4, it is not "set master configuration", it is to edit oauth/cluster.

Comment 10 Sergiusz Urbaniak 2021-08-16 12:45:53 UTC
Sprint review: this needs a revisit, as a fix was submitted.

Comment 11 Sergiusz Urbaniak 2021-09-03 11:59:39 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher
priority/severity, developing new features with higher priority, or developing
new features to improve stability at a macro level. I will revisit this bug
next sprint.

Comment 12 Sergiusz Urbaniak 2021-11-08 06:59:06 UTC
reviewed-in-sprint: not enough capacity to work on this bugzilla.

Comment 14 Sergiusz Urbaniak 2021-11-26 07:23:15 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.