1977233 – [4.8] Unable to authenticate against IDP after upgrade to 4.8-rc.1

Bug 1977233 - [4.8] Unable to authenticate against IDP after upgrade to 4.8-rc.1

Summary: [4.8] Unable to authenticate against IDP after upgrade to 4.8-rc.1

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	oauth-apiserver
Sub Component:
Version:	4.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Target Release:	4.8.0
Assignee:	Standa Laznicka
QA Contact:	liyao
Docs Contact:
URL:
Whiteboard:
Depends On:	1977054
Blocks:
TreeView+	depends on / blocked

Reported:	2021-06-29 09:22 UTC by Sergiusz Urbaniak
Modified:	2021-07-27 23:14 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1977054
Environment:
Last Closed:	2021-07-27 23:13:46 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift cluster-authentication-operator pull 459	0	None	closed	[release-4.8] Bug 1977233: observe api-audiences for the oauth-apiserver	2021-07-06 19:07:56 UTC
Red Hat Product Errata	RHSA-2021:2438	0	None	None	None	2021-07-27 23:14:18 UTC

Comment 1 liyao 2021-06-30 06:10:28 UTC

Tested in sts cluster 4.8.0-0.nightly-2021-06-28-165738 

Before apply the workaround, with the external identity provider, it fails to login via the web ui and redirects back to the oauth idp selection.

Here is the verification for apply the workaround
1. get the serviceAccountIssuer and replace https://custom-issuer-url with the result
$ oc get authentication.config cluster -o json | jq .spec.serviceAccountIssuer
  unsupportedConfigOverrides: 
    oauthAPIServer:
     apiServerArguments:
      api-audiences:
      - https://custom-issuer-url

2. apply the workaround
$ oc edit authentication.operator cluster

3. configure identity provider with Google/OpenID/GitLab/GitHub/RequestHeader respectively

4. login via the web UI and check whether user can login successfully
After apply the workaround, user can login successfully via web UI

Comment 3 liyao 2021-07-01 06:00:56 UTC

Tested in sts cluster 4.8.0-0.nightly-2021-07-01-012326

1. check the custom service account issuer existed in cluser
$ oc get authentication.config cluster -o json | jq .spec.serviceAccountIssuer
"https://custom-issuer-url"

2. configure identity provider with HTPasswd/Google/OpenID/GitLab/GitHub/RequestHeader respectively

3. login via the web UI with above different identity provider and check whether user can login successfully
After apply the workaround, user can login successfully via web UI for all above identity provider

Comment 6 errata-xmlrpc 2021-07-27 23:13:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

Note You need to log in before you can comment on or make changes to this bug.