Bug 2020625 - [AUTH-52] User fails to login from web console with keycloak OpenID IDP after enable group membership sync feature
Summary: [AUTH-52] User fails to login from web console with keycloak OpenID IDP after...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.10.0
Assignee: Standa Laznicka
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-11-05 12:40 UTC by liyao
Modified: 2022-03-10 16:25 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:25:33 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Github openshift oauth-server pull 93 0 None open Bug 2020625: oidc: allocate claims slice to 0 len to prevent empty groups 2021-11-22 12:48:56 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:25:52 UTC

Description liyao 2021-11-05 12:40:24 UTC
Description of problem:
User fails to login from web console with keycloak OpenID IDP after enable group membership sync feature

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2021-11-03-181048

How reproducible:
Always

Steps to Reproduce:
1. Follow the Setup section of https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-41149 to set up the keycloak server
2. In the keycloak server, add a group called mygroup and put the user to be used to login into this group
3. In the keycloak server, choose myclient, add a new Mapper called groupmapper, set Mapper Type to "Group Membership" and Token Claim Name to "groups"
4. Run the first 4 test steps of OCP-41149 to configure oauth with the keycloak server, but groups need to be added as below in step 3
oc edit oauth cluster
...
spec:
  identityProviders:
  ...
  - mappingMethod: claim
    name: keycloak-oidc
    openID:
      ca:
        name: keycloak-oidc-ca
      claims:
        groups:
        - groups
        email:
        - email
        name:
        - name
      clientID: myclient
      clientSecret:
        name: keycloak-oidc-secret
      extraScopes: []
      issuer: $KEYCLOAK_HOST/auth/realms/master
    type: OpenID

5. login with the user added into the group from web console

Actual results:
Login in step 5 fails with "An authentication error occurred." Though `oc get user` can show the user is created, `oc get group` shows nothing.

Expected results:
Login in step5 should be successful

Additional info:
The id_token extracted shows:
  "groups": [
    "/group1"
  ],
But checking the oauth-openshift pod logs with logLevel TraceAll, there is: ProviderGroups:[]string{"", "/group1"}, as below:
I1105 09:37:40.634591       1 request.go:1181] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Group.user.openshift.io \"\" is invalid: metadata.name: Required value: name or generateName is required","reason":"Invalid","details":{"group":"user.openshift.io","kind":"Group","causes":[{"reason":"FieldValueRequired","message":"Required value: name or generateName is required","field":"metadata.name"}]},"code":422}
I1105 09:37:40.634869       1 handler.go:199] Error creating or updating mapping for: &api.DefaultUserIdentityInfo{ProviderName:"keycloak-oidc", ProviderUserName:"b64:eHhpYTphdHRyMS92YWx1ZQ", ProviderGroups:[]string{"", "/group1"}, Extra:map[string]string{"name":"li yao"}} due to Group.user.openshift.io "" is invalid: metadata.name: Required value: name or generateName is required
E1105 09:37:40.634890       1 errorpage.go:28] AuthenticationError: Group.user.openshift.io "" is invalid: metadata.name: Required value: name or generateName is required
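
The log lines above and the linked PR title ("allocate claims slice to 0 len to prevent empty groups") point at a classic Go slice mistake: allocating the claims slice with a non-zero length and then appending to it, so a zero-value "" precedes the real group and the apiserver rejects a Group with an empty metadata.name. The program below is an added illustration, not code from oauth-server or the PR; `extractGroupsBuggy`, `extractGroupsFixed`, `stringValues` and `validateGroupName` are hypothetical reconstructions, the token payload is a constructed sample modelled on the id_token quoted above, and `validateGroupName` only reproduces the two rejections quoted on this page (empty name, and the '/' rejection from Comment 6), not the full Kubernetes name validation.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: the relevant part of an id_token payload like the one
// quoted in the report (a real token carries many more claims).
const sampleIDTokenClaims = `{"sub":"xxia","name":"li yao","groups":["/group1"]}`

// parseClaims decodes a JSON claims object into a generic map.
func parseClaims(raw string) (map[string]interface{}, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// stringValues flattens a claim value that may be a single string or a JSON
// array of strings into a []string; non-string entries are skipped.
func stringValues(v interface{}) []string {
	switch t := v.(type) {
	case string:
		return []string{t}
	case []interface{}:
		out := make([]string, 0, len(t))
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// extractGroupsBuggy is a hypothetical reconstruction of the defect named in
// the PR title: the slice is created with a non-zero LENGTH, so one zero-value
// "" per configured claim name precedes every appended group. For
// claimNames = {"groups"} this yields {"", "/group1"}, the ProviderGroups
// value seen in the TraceAll log.
func extractGroupsBuggy(claims map[string]interface{}, claimNames []string) []string {
	groups := make([]string, len(claimNames)) // BUG: length should be 0
	for _, name := range claimNames {
		groups = append(groups, stringValues(claims[name])...)
	}
	return groups
}

// extractGroupsFixed reserves the same capacity but starts at length 0, so
// only values actually present in the token are returned.
func extractGroupsFixed(claims map[string]interface{}, claimNames []string) []string {
	groups := make([]string, 0, len(claimNames))
	for _, name := range claimNames {
		groups = append(groups, stringValues(claims[name])...)
	}
	return groups
}

// validateGroupName approximates the two apiserver rejections quoted on this
// page: an empty metadata.name (original report) and a name containing '/'
// (Comment 6, Keycloak "full group path"). It is not the full Kubernetes
// resource-name validation.
func validateGroupName(name string) error {
	if name == "" {
		return errors.New("metadata.name: Required value: name or generateName is required")
	}
	if strings.Contains(name, "/") {
		return fmt.Errorf("metadata.name: Invalid value: %q: may not contain '/'", name)
	}
	return nil
}

func main() {
	claims, err := parseClaims(sampleIDTokenClaims)
	if err != nil {
		panic(err)
	}
	claimNames := []string{"groups"} // mirrors claims.groups: [groups] in the oauth CR
	fmt.Println("buggy extraction:")
	for _, g := range extractGroupsBuggy(claims, claimNames) {
		fmt.Printf("  %q -> %v\n", g, validateGroupName(g))
	}
	fmt.Println("fixed extraction:")
	for _, g := range extractGroupsFixed(claims, claimNames) {
		fmt.Printf("  %q -> %v\n", g, validateGroupName(g))
	}
}
```

Running it shows the buggy extraction producing "" (rejected with the "Required value" error from the report) followed by "/group1", while the fixed extraction yields only "/group1", which still fails validation until Keycloak's full group path is turned off, exactly the sequence of failures the comments below walk through.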

Comment 1 Sergiusz Urbaniak 2021-11-08 16:09:45 UTC
reviewed-in-sprint: not enough capacity to work on this bugzilla.

Comment 5 Sergiusz Urbaniak 2021-11-26 07:25:27 UTC
I'm adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 6 Xingxing Xia 2021-11-26 13:19:36 UTC
Tested in 4.10.0-0.nightly-2021-11-26-060537 with keycloak using the original steps; still got "An authentication error occurred". Now the oauth-openshift pod logs show:
2021-11-26T13:05:25.203806648Z E1126 13:05:25.203748       1 errorpage.go:28] AuthenticationError: Group.user.openshift.io "/group1" is invalid: metadata.name: Invalid value: "/group1": may not contain '/'
This corresponds to the bug's Description part:
> Additional info:
> The id_token extracted shows:
>  "groups": [
>    "/group1"
>  ],

The fix needs to handle this.

Comment 7 Standa Laznicka 2021-11-26 13:21:14 UTC
That is actually correct; '/' is not usually allowed for kube resource names.

Comment 8 Xingxing Xia 2021-11-26 13:41:50 UTC
Thx for the tips about the on-off of the group full path. Now that it is turned off, the id_token does not include '/' in 'groups', user login can succeed, and `oc get group` shows the synced group info:
$ oc get group
NAME       USERS
group1     xxia

Comment 11 errata-xmlrpc 2022-03-10 16:25:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056
