Bug 2038691 - [AUTH-8] Panic on user login when the user belongs to a group in the IdP side and the group already exists via "oc adm groups new"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.10.0
Assignee: Standa Laznicka
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-01-09 15:39 UTC by Xingxing Xia
Modified: 2022-03-10 16:38 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:37:59 UTC
Target Upstream Version:
Embargoed:


Attachments
Panic on user login (59.63 KB, image/png)
2022-01-09 15:39 UTC, Xingxing Xia


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift oauth-server pull 96 | 0 | None | open | Bug 2038691: groupsync: create annotations if not present before writing to them | 2022-01-11 08:32:00 UTC
Red Hat Product Errata | RHSA-2022:0056 | 0 | None | None | None | 2022-03-10 16:38:20 UTC

Description Xingxing Xia 2022-01-09 15:39:27 UTC
Created attachment 1849712 [details]
Panic on user login

Description of problem:
[AUTH-8] Panic on user login when the user belongs to a group in the IdP side and the group already exists via "oc adm groups new"

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2022-01-08-061433

How reproducible:
Always

Steps to Reproduce:
1. $ oc adm groups new group1

2. Setup a keycloak OIDC server. On the keycloak IdP server, create user people1 and group group1, and make people1 belong to group1.

3. Then configure "groups" in oauth/cluster:
oc edit oauth cluster
...
spec:
  identityProviders:
  - mappingMethod: claim
    name: keycloak-oidc
    openID:
      ca:
        name: keycloak-oidc-ca
      claims:
        email:
        - email
        groups:
        - non-existent1
        - groups
        - non-existent2
        name:
        - name
        preferredUsername:
        - preferred_username
        - username
        - name
        - email
      clientID: myclient
      clientSecret:
        name: keycloak-oidc-secret
      extraScopes: []
      issuer: $KEYCLOAK_HOST/auth/realms/master
    type: OpenID

4. Wait for the oauth-openshift pods to rotate successfully.

5. Login OpenShift with people1 in web console.

Actual results:
5. The web console shows:
"
This request caused apiserver to panic. Look in the logs for details.
"

See screenshot attached.

Checked oauth-openshift pods, one pod logs showed:
...
2022-01-09T14:20:47.888194041Z I0109 14:20:47.888172       1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1641738046\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1641738046\" (2022-01-09 13:20:45 +0000 UTC to 2023-01-09 13:20:45 +0000 UTC (now=2022-01-09 14:20:47.8881505 +0000 UTC))"
2022-01-09T14:29:24.841769164Z E0109 14:29:24.841563       1 runtime.go:76] Observed a panic: assignment to entry in nil map
2022-01-09T14:29:24.841769164Z goroutine 1337 [running]:
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/server/filters.(*timeoutHandler).ServeHTTP.func1.1()
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/server/filters/timeout.go:103 +0xb0
2022-01-09T14:29:24.841769164Z panic({0x1b33ce0, 0x20e7b20})
2022-01-09T14:29:24.841769164Z 	runtime/panic.go:1038 +0x215
2022-01-09T14:29:24.841769164Z github.com/openshift/oauth-server/pkg/groupmapper.(*UserGroupsMapper).addUserToGroup(0xc000a25a00, {0xc00036ea10, 0xd}, {0xc000dfcc66, 0x7}, {0xc000dfcc4a, 0xc000348ea0})
2022-01-09T14:29:24.841769164Z 	github.com/openshift/oauth-server/pkg/groupmapper/groupmapper.go:207 +0x4f1
2022-01-09T14:29:24.841769164Z github.com/openshift/oauth-server/pkg/groupmapper.(*UserGroupsMapper).processGroups(0xc000a25a00, {0xc00036ea10, 0xd}, {0xc000dfcc66, 0x7}, 0x1)
2022-01-09T14:29:24.841769164Z 	github.com/openshift/oauth-server/pkg/groupmapper/groupmapper.go:114 +0x15e
2022-01-09T14:29:24.841769164Z github.com/openshift/oauth-server/pkg/groupmapper.(*UserGroupsMapper).UserFor(0xc000a25a00, {0x214f828, 0xc000e92a80})
2022-01-09T14:29:24.841769164Z 	github.com/openshift/oauth-server/pkg/groupmapper/groupmapper.go:83 +0xf0
2022-01-09T14:29:24.841769164Z github.com/openshift/oauth-server/pkg/oauth/external.(*Handler).ServeHTTP(0xc0008b5680, {0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	github.com/openshift/oauth-server/pkg/oauth/external/handler.go:197 +0x7aa
2022-01-09T14:29:24.841769164Z net/http.(*ServeMux).ServeHTTP(0x1cfffe0, {0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2424 +0x149
2022-01-09T14:29:24.841769164Z github.com/openshift/oauth-server/pkg/server/headers.WithRestoreAuthorizationHeader.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	github.com/openshift/oauth-server/pkg/server/headers/oauthbasic.go:27 +0x10f
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x0, {0x7fe1300490c0, 0xc000496ad8}, 0x0)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filterlatency.trackCompleted.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filterlatency/filterlatency.go:103 +0x1a5
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0xc000495080, {0x7fe1300490c0, 0xc000496ad8}, 0x0)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filters.WithAuthorization.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filters/authorization.go:64 +0x47d
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x3185628, {0x7fe1300490c0, 0xc000496ad8}, 0x0)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filterlatency.trackStarted.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filterlatency/filterlatency.go:79 +0x178
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x3133b60, {0x7fe1300490c0, 0xc000496ad8}, 0x3)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/server/filters.WithMaxInFlightLimit.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/server/filters/maxinflight.go:187 +0x29d
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x0, {0x7fe1300490c0, 0xc000496ad8}, 0x0)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filterlatency.trackCompleted.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filterlatency/filterlatency.go:103 +0x1a5
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0xc000816000, {0x7fe1300490c0, 0xc000496ad8}, 0xc00078dd40)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filters.WithImpersonation.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filters/impersonation.go:50 +0x21c
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x3185628, {0x7fe1300490c0, 0xc000496ad8}, 0x1)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filterlatency.trackStarted.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filterlatency/filterlatency.go:79 +0x178
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x0, {0x7fe1300490c0, 0xc000496ad8}, 0x0)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filterlatency.trackCompleted.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filterlatency/filterlatency.go:103 +0x1a5
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x3185628, {0x7fe1300490c0, 0xc000496ad8}, 0x1)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filterlatency.trackStarted.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filterlatency/filterlatency.go:79 +0x178
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x0, {0x7fe1300490c0, 0xc000496ad8}, 0x0)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filterlatency.trackCompleted.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filterlatency/filterlatency.go:103 +0x1a5
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x212fdb8, {0x7fe1300490c0, 0xc000496ad8}, 0x1f58c98)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filters.withAuthentication.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1f00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filters/authentication.go:80 +0x83c
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x212fd80, {0x7fe1300490c0, 0xc000496ad8}, 0x20e49b8)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filterlatency.trackStarted.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1d00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filterlatency/filterlatency.go:88 +0x46b
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0xc0011138c0, {0x7fe1300490c0, 0xc000496ad8}, 0xc000924601)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/server/filters.WithCORS.func1({0x7fe1300490c0, 0xc000496ad8}, 0xc000ab1d00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/server/filters/cors.go:75 +0x10b
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0xc0010c0671, {0x7fe1300490c0, 0xc000496ad8}, 0xc0003b0728)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/server/filters.(*timeoutHandler).ServeHTTP.func1()
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/server/filters/timeout.go:108 +0x99
2022-01-09T14:29:24.841769164Z created by k8s.io/apiserver/pkg/server/filters.(*timeoutHandler).ServeHTTP
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/server/filters/timeout.go:94 +0x2d1
2022-01-09T14:29:24.841769164Z 
2022-01-09T14:29:24.841769164Z goroutine 1039 [running]:
2022-01-09T14:29:24.841769164Z k8s.io/apimachinery/pkg/util/runtime.logPanic({0x1a52be0, 0xc00099b230})
2022-01-09T14:29:24.841769164Z 	k8s.io/apimachinery.2/pkg/util/runtime/runtime.go:74 +0x85
2022-01-09T14:29:24.841769164Z k8s.io/apimachinery/pkg/util/runtime.HandleCrash({0xc000496bb8, 0x1, 0x16be186})
2022-01-09T14:29:24.841769164Z 	k8s.io/apimachinery.2/pkg/util/runtime/runtime.go:48 +0x75
2022-01-09T14:29:24.841769164Z panic({0x1a52be0, 0xc00099b230})
2022-01-09T14:29:24.841769164Z 	runtime/panic.go:1038 +0x215
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/server/filters.(*timeoutHandler).ServeHTTP(0xc0004957a0, {0x2125870, 0xc0003a1000}, 0xdf8475800)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/server/filters/timeout.go:114 +0x452
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filters.withRequestDeadline.func1({0x2125870, 0xc0003a1000}, 0xc000ab1c00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filters/request_deadline.go:101 +0x494
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0xc00094b805, {0x2125870, 0xc0003a1000}, 0xc00113edd8)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/server/filters.WithWaitGroup.func1({0x2125870, 0xc0003a1000}, 0xc000ab1c00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/server/filters/waitgroup.go:59 +0x174
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x212fdb8, {0x2125870, 0xc0003a1000}, 0x20e49b8)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filters.WithWarningRecorder.func1({0x2125870, 0xc0003a1000}, 0xc000ab1b00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filters/warning.go:35 +0x2bb
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x1cfffe0, {0x2125870, 0xc0003a1000}, 0xd)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filters.WithCacheControl.func1({0x2125870, 0xc0003a1000}, 0x0)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filters/cachecontrol.go:31 +0x126
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x212fdb8, {0x2125870, 0xc0003a1000}, 0x20e49b8)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/server/httplog.WithLogging.func1({0x2126020, 0xc0002d5340}, 0xc000ab1a00)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/server/httplog/httplog.go:103 +0x524
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x212fdb8, {0x2126020, 0xc0002d5340}, 0x20e49b8)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filters.WithRequestInfo.func1({0x2126020, 0xc0002d5340}, 0xc000ab1900)
2022-01-09T14:29:24.841769164Z 	k8s.io/apiserver.2/pkg/endpoints/filters/requestinfo.go:39 +0x316
2022-01-09T14:29:24.841769164Z net/http.HandlerFunc.ServeHTTP(0x212fdb8, {0x2126020, 0xc0002d5340}, 0xc000320810)
2022-01-09T14:29:24.841769164Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841769164Z k8s.io/apiserver/pkg/endpoints/filters.withRequestReceivedTimestampWithClock.func1({0x2126020, 0xc0002d5340}, 0xc000ab1800)
2022-01-09T14:29:24.841914393Z 	k8s.io/apiserver.2/pkg/endpoints/filters/request_received_time.go:38 +0x27e
2022-01-09T14:29:24.841914393Z net/http.HandlerFunc.ServeHTTP(0x4195ec, {0x2126020, 0xc0002d5340}, 0xc0003206e0)
2022-01-09T14:29:24.841914393Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841914393Z k8s.io/apiserver/pkg/server/filters.withPanicRecovery.func1({0x2126020, 0xc0002d5340}, 0xc00139b490)
2022-01-09T14:29:24.841914393Z 	k8s.io/apiserver.2/pkg/server/filters/wrap.go:74 +0xba
2022-01-09T14:29:24.841914393Z net/http.HandlerFunc.ServeHTTP(0x1c68c80, {0x2126020, 0xc0002d5340}, 0x8)
2022-01-09T14:29:24.841914393Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841914393Z k8s.io/apiserver/pkg/endpoints/filters.withAuditID.func1({0x2126020, 0xc0002d5340}, 0xc000ab1700)
2022-01-09T14:29:24.841914393Z 	k8s.io/apiserver.2/pkg/endpoints/filters/with_auditid.go:66 +0x40d
2022-01-09T14:29:24.841914393Z net/http.HandlerFunc.ServeHTTP(0x1cfffe0, {0x2126020, 0xc0002d5340}, 0xd)
2022-01-09T14:29:24.841914393Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841914393Z github.com/openshift/oauth-server/pkg/server/headers.WithPreserveAuthorizationHeader.func1({0x2126020, 0xc0002d5340}, 0xc000ab1700)
2022-01-09T14:29:24.841914393Z 	github.com/openshift/oauth-server/pkg/server/headers/oauthbasic.go:16 +0xe8
2022-01-09T14:29:24.841914393Z net/http.HandlerFunc.ServeHTTP(0xc0006319f8, {0x2126020, 0xc0002d5340}, 0xf)
2022-01-09T14:29:24.841914393Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841914393Z github.com/openshift/oauth-server/pkg/server/headers.WithStandardHeaders.func1({0x2126020, 0xc0002d5340}, 0xc000631af8)
2022-01-09T14:29:24.841914393Z 	github.com/openshift/oauth-server/pkg/server/headers/headers.go:30 +0x18f
2022-01-09T14:29:24.841914393Z net/http.HandlerFunc.ServeHTTP(0xc0002eddd0, {0x2126020, 0xc0002d5340}, 0x10000c00099ab40)
2022-01-09T14:29:24.841914393Z 	net/http/server.go:2046 +0x2f
2022-01-09T14:29:24.841914393Z k8s.io/apiserver/pkg/server.(*APIServerHandler).ServeHTTP(0xc0003f0a22, {0x2126020, 0xc0002d5340}, 0x46ce2e)
2022-01-09T14:29:24.841914393Z 	k8s.io/apiserver.2/pkg/server/handler.go:189 +0x2b
2022-01-09T14:29:24.841914393Z net/http.serverHandler.ServeHTTP({0xc001380360}, {0x2126020, 0xc0002d5340}, 0xc000ab1700)
2022-01-09T14:29:24.841914393Z 	net/http/server.go:2878 +0x43b
2022-01-09T14:29:24.841914393Z net/http.(*conn).serve(0xc0007ddae0, {0x212fdb8, 0xc000a98060})
2022-01-09T14:29:24.841914393Z 	net/http/server.go:1929 +0xb08
2022-01-09T14:29:24.841914393Z created by net/http.(*Server).Serve
2022-01-09T14:29:24.841914393Z 	net/http/server.go:3033 +0x4e8
2022-01-09T14:29:24.841914393Z E0109 14:29:24.841700       1 wrap.go:58] "apiserver panic'd" method="GET" URI="/oauth2callback/keycloak-oidc?state=Y3NyZj1yeEdrNFRkMTFFVGhCVlVkSVVWa1VGR2pYdDIyS3VBa3VQVmw1UTdxREJnJnRoZW49JTJGb2F1dGglMkZhdXRob3JpemUlM0ZjbGllbnRfaWQlM0Rjb25zb2xlJTI2aWRwJTNEa2V5Y2xvYWstb2lkYyUyNnJlZGlyZWN0X3VyaSUzRGh0dHBzJTI1M0ElMjUyRiUyNTJGY29uc29sZS1vcGVuc2hpZnQtY29uc29sZS5hcHBzLnh4aWEtamFuOC4wMTA4LTd4bS5xZS5yaGNsb3VkLmNvbSUyNTJGYXV0aCUyNTJGY2FsbGJhY2slMjZyZXNwb25zZV90eXBlJTNEY29kZSUyNnNjb3BlJTNEdXNlciUyNTNBZnVsbCUyNnN0YXRlJTNEZTdkYzA5ZWY%3D&session_state=72ca4d08-44d2-46e6-8ed8-5c517908d233&code=a934e61e-2e81-431e-8b7c-6d5a4658313e.72ca4d08-44d2-46e6-8ed8-5c517908d233.eb06731f-c4b1-4c7a-8752-6027cdd50f3e" audit-ID="6e9c0acb-d3a4-4834-ada8-363ce13292a3"

Expected results:
5. Login should succeed.

Additional info:
In the situations below, login can succeed.
A. Without step 1, the step 5 login can succeed, i.e. the group membership sync works.
B. If step 1 adds "oc adm groups add-users group1 people1", the step 5 login can also succeed.

Comment 3 Xingxing Xia 2022-01-14 09:29:48 UTC
Verified in 4.10.0-0.nightly-2022-01-14-015144 with the original steps: no panic now, login succeeds, and 'oc get group group1 -o yaml' shows one single annotation added, 'oauth.openshift.io/idp.keycloak-oidc: synced'. Further test: after removing people1 from group1 on the IdP side and logging in again successfully, 'oc get group' shows that the manually created group1, now empty, is not removed, and the user is not shown in the group. Everything is fine.
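
The failure mode in the description ("assignment to entry in nil map" in addUserToGroup) and the guard named in the linked pull request title can be reproduced in isolation. This is an added example, not code from oauth-server: the Group type and the functions addUserUnguarded, addUserGuarded and tryAdd are hypothetical stand-ins, and only the annotation key and value come from this report.

```go
package main

import "fmt"

// Group is a simplified, hypothetical stand-in for the OpenShift Group object.
type Group struct {
	Name        string
	Annotations map[string]string // nil when the object carries no annotations
	Users       []string
}

// Prefix of the annotation key seen in Comment 3
// ('oauth.openshift.io/idp.keycloak-oidc: synced').
const syncedKeyPrefix = "oauth.openshift.io/idp."

// addUserUnguarded writes the sync annotation without checking the map.
// On a group whose Annotations is nil this panics at the first line.
func addUserUnguarded(g *Group, idp, user string) {
	g.Annotations[syncedKeyPrefix+idp] = "synced"
	g.Users = append(g.Users, user)
}

// addUserGuarded creates the annotations map if it is not present
// before writing to it, which is the guard the fix title describes.
func addUserGuarded(g *Group, idp, user string) {
	if g.Annotations == nil {
		g.Annotations = map[string]string{}
	}
	g.Annotations[syncedKeyPrefix+idp] = "synced"
	g.Users = append(g.Users, user)
}

// tryAdd runs add and turns a panic into an error, similar to how the
// panic-recovery filter in the stack trace turns it into a log entry.
func tryAdd(add func(*Group, string, string), g *Group, idp, user string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	add(g, idp, user)
	return nil
}

func main() {
	// Constructed input: a group with no annotations, as after "oc adm groups new group1".
	manual := &Group{Name: "group1"}
	fmt.Println("unguarded:", tryAdd(addUserUnguarded, manual, "keycloak-oidc", "people1"))
	fmt.Println("guarded:  ", tryAdd(addUserGuarded, manual, "keycloak-oidc", "people1"))
	fmt.Println("result:   ", manual.Annotations, manual.Users)

	// Assumption: a group that already has an annotations map is safe either way.
	synced := &Group{Name: "group2", Annotations: map[string]string{}}
	fmt.Println("existing map:", tryAdd(addUserUnguarded, synced, "keycloak-oidc", "people1"))
}
```

Because the write sits on the login callback path, every affected user's login fails until the guard is in place, so objects created outside the sync path need the same nil check wherever their maps are written.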

Comment 6 errata-xmlrpc 2022-03-10 16:37:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

