Tested in sts cluster 4.8.0-0.nightly-2021-06-28-165738 Before apply the workaround, with the external identity provider, it fails to login via the web ui and redirects back to the oauth idp selection. Here is the verification for apply the workaround 1. get the serviceAccountIssuer and replace https://custom-issuer-url with the result $ oc get authentication.config cluster -o json | jq .spec.serviceAccountIssuer unsupportedConfigOverrides: oauthAPIServer: apiServerArguments: api-audiences: - https://custom-issuer-url 2. apply the workaround $ oc edit authentication.operator cluster 3. configure identity provider with Google/OpenID/GitLab/GitHub/RequestHeader respectively 4. login via the web UI and check whether user can login successfully After apply the workaround, user can login successfully via web UI
Tested in sts cluster 4.8.0-0.nightly-2021-07-01-012326 1. check the custom service account issuer existed in cluser $ oc get authentication.config cluster -o json | jq .spec.serviceAccountIssuer "https://custom-issuer-url" 2. configure identity provider with HTPasswd/Google/OpenID/GitLab/GitHub/RequestHeader respectively 3. login via the web UI with above different identity provider and check whether user can login successfully After apply the workaround, user can login successfully via web UI for all above identity provider
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438