Description of problem:
User fails to login from web console with keycloak OpenID IDP after enabling the group membership sync feature.

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2021-11-03-181048

How reproducible:
Always

Steps to Reproduce:
1. Follow https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-41149 Setup section to set up the keycloak server
2. In keycloak server, add a group called mygroup and put the user to be used to login into this group
3. In keycloak server, choose myclient, add a new Mapper called groupmapper, set Mapper Type as "Group Membership" and Token Claim Name as "groups"
4. Run OCP-41149 the first 4 test steps to configure oauth with keycloak server, but groups need to be added as below in step 3:
oc edit oauth cluster
...
spec:
  identityProviders:
  ...
  - mappingMethod: claim
    name: keycloak-oidc
    openID:
      ca:
        name: keycloak-oidc-ca
      claims:
        groups:
        - groups
        email:
        - email
        name:
        - name
      clientID: myclient
      clientSecret:
        name: keycloak-oidc-secret
      extraScopes: []
      issuer: $KEYCLOAK_HOST/auth/realms/master
    type: OpenID
5. login with the user added into the group from web console

Actual results:
Login in step 5 fails with "An authentication error occurred." Though `oc get user` can show the user is created, `oc get group` shows nothing.

Expected results:
Login in step 5 should be successful

Additional info:
The id_token extracted shows:
  "groups": [
    "/group1"
  ],
But checking the oauth-openshift pod logs with logLevel TraceAll, there is ProviderGroups:[]string{"", "/group1"}, as below:
I1105 09:37:40.634591 1 request.go:1181] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Group.user.openshift.io \"\" is invalid: metadata.name: Required value: name or generateName is required","reason":"Invalid","details":{"group":"user.openshift.io","kind":"Group","causes":[{"reason":"FieldValueRequired","message":"Required value: name or generateName is required","field":"metadata.name"}]},"code":422}
I1105 09:37:40.634869 1 handler.go:199] Error creating or updating mapping for: &api.DefaultUserIdentityInfo{ProviderName:"keycloak-oidc", ProviderUserName:"b64:eHhpYTphdHRyMS92YWx1ZQ", ProviderGroups:[]string{"", "/group1"}, Extra:map[string]string{"name":"li yao"}} due to Group.user.openshift.io "" is invalid: metadata.name: Required value: name or generateName is required
E1105 09:37:40.634890 1 errorpage.go:28] AuthenticationError: Group.user.openshift.io "" is invalid: metadata.name: Required value: name or generateName is required
reviewed-in-sprint: not enough capacity to work on this bugzilla.
I'm adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.
Tested in 4.10.0-0.nightly-2021-11-26-060537 with keycloak with the original steps, still got "An authentication error occurred"; now the oauth-openshift pod logs show:
2021-11-26T13:05:25.203806648Z E1126 13:05:25.203748 1 errorpage.go:28] AuthenticationError: Group.user.openshift.io "/group1" is invalid: metadata.name: Invalid value: "/group1": may not contain '/'
This corresponds to the bug's Description part:
> Additional info:
> The id_token extracted shows:
> "groups": [
> "/group1"
> ],
The fix needs to handle this.
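As an added example (not code from this bug report, from Keycloak or from OpenShift), the following Go helper does what an admin does when triaging the two failures quoted above: it decodes the "groups" claim from an id_token payload and checks every group name against the rules behind the errors seen in the logs, where the empty name is rejected with "name or generateName is required" and "/group1" with "may not contain '/'". The other rules in the checker (".", "..", "%", ":" and "~") are the upstream Kubernetes path-segment name rules that I assume OpenShift applies to group names; the token, issuer and user name in the block are constructed sample data, and the JWT is decoded without signature verification because it is an offline inspection of a token the OAuth server has already validated.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// validateGroupName mirrors the checks behind the errors seen in this bug:
// an empty name fails with "name or generateName is required" and a name
// containing '/' fails with "may not contain '/'". The remaining rules are
// the Kubernetes path-segment name rules, assumed here to be what OpenShift
// applies to Group objects.
func validateGroupName(name string) []string {
	if name == "" {
		return []string{"name or generateName is required"}
	}
	var reasons []string
	if name == "." || name == ".." {
		reasons = append(reasons, fmt.Sprintf("may not be %q", name))
	}
	if strings.Contains(name, "/") {
		reasons = append(reasons, "may not contain '/'")
	}
	if strings.Contains(name, "%") {
		reasons = append(reasons, "may not contain '%'")
	}
	if strings.Contains(name, ":") {
		reasons = append(reasons, `may not contain ":"`)
	}
	if name == "~" {
		reasons = append(reasons, `may not equal "~"`)
	}
	return reasons
}

// groupsFromIDToken decodes the payload segment of a compact JWT (no
// signature check: offline inspection only) and returns the string array
// stored under the named claim, e.g. "groups".
func groupsFromIDToken(idToken, claim string) ([]string, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT: want 3 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var payload map[string]json.RawMessage
	if err := json.Unmarshal(raw, &payload); err != nil {
		return nil, fmt.Errorf("parse payload: %w", err)
	}
	v, ok := payload[claim]
	if !ok {
		return nil, fmt.Errorf("claim %q absent from id_token", claim)
	}
	var groups []string
	if err := json.Unmarshal(v, &groups); err != nil {
		return nil, fmt.Errorf("claim %q is not a JSON array of strings: %w", claim, err)
	}
	return groups, nil
}

// checkGroups maps each group the provider sent to the reasons the cluster
// would reject it; an empty map means every group can be synced.
func checkGroups(groups []string) map[string][]string {
	bad := map[string][]string{}
	for _, g := range groups {
		if reasons := validateGroupName(g); len(reasons) > 0 {
			bad[g] = reasons
		}
	}
	return bad
}

// constructedIDToken builds an unsigned sample token carrying the same
// "groups" claim shape as the one quoted in the bug. Constructed data for
// this example, not a real Keycloak token.
func constructedIDToken(groups []string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]interface{}{
		"iss":    "https://keycloak.example/auth/realms/master", // placeholder issuer
		"sub":    "xxia",
		"groups": groups,
	})
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	// First sample reproduces the ProviderGroups seen in the logs; the second
	// is what the claim looks like once the full group path is not sent.
	for _, sample := range [][]string{{"", "/group1"}, {"group1"}} {
		groups, err := groupsFromIDToken(constructedIDToken(sample), "groups")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("groups %q -> rejected: %v\n", groups, checkGroups(groups))
	}
}
```

Running it prints a rejection map for the first sample and an empty map for the second, which is the difference between the failing login and the working one reported later in this thread. To inspect a real token, pass the id_token string to groupsFromIDToken instead of the constructed one.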
That is actually correct; '/' is not usually allowed for kube resource names.
Thx for the tips about the on-off of the group full path. Now turned it off, the id_token does not include '/' in 'groups', user login can succeed, and oc get group synced the group info:
$ oc get group
NAME     USERS
group1   xxia
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056