Description of problem:
Authentication mediated by external identity providers should be logged in the audit trail. When available, the internal mapping of the identity confirmed by the external identity provider should be attached to both successful and unsuccessful authentication events.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Set up GitHub external authentication [1]
2. Log in through GitHub
3. The audit trails should contain either an indication of success, or an indication of denial or failure [2]

[1]: https://docs.openshift.com/container-platform/4.10/authentication/identity_providers/configuring-github-identity-provider.html

[2]: dump the oauth-server audit log from every authentication pod:

    for oauth_pod in $(oc -n openshift-authentication get pods -oname); do
        oc rsh -n openshift-authentication "$oauth_pod" cat /var/log/oauth-server/audit.log
    done

Actual results:
The audit log does not contain login information.

Expected results:
For each login attempt carried through an external identity provider, the audit log should contain an entry containing:
A. an annotation with key "authentication.openshift.io/decision" and a value of allow, or deny, or error;
B. possibly, an annotation with key "authentication.openshift.io/username" and a value of the OpenShift user the login attempt was targeting.

Additional info:
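The check in step 3 is easier to run repeatedly with a small parser over the dumped audit log. The script below is an added example, not part of the bug report or of OpenShift itself: it reads the log as JSON lines in Kubernetes audit-event shape, keeps only entries that carry the "authentication.openshift.io/decision" annotation named above, and tallies allow/deny/error per entry and per target user. The two annotation keys and their values come from the report; the surrounding event layout (a top-level "annotations" map, "auditID", "requestURI") is an assumption, and the sample lines are constructed for the example.

```python
import json
import sys
from collections import Counter

# Annotation keys and values named in the bug's expected results.
DECISION_KEY = "authentication.openshift.io/decision"
USERNAME_KEY = "authentication.openshift.io/username"
VALID_DECISIONS = {"allow", "deny", "error"}


def _event(audit_id, uri, annotations):
    # Helper for the constructed samples; the event layout is an assumption.
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": audit_id, "stage": "ResponseComplete", "verb": "get",
        "requestURI": uri, "annotations": annotations,
    })


# Constructed sample log: one successful login, one denied login, one IdP-side
# error with no username mapped, one unrelated request, and one corrupt line.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("a1", "/oauth2callback/github?code=REDACTED",
           {DECISION_KEY: "allow", USERNAME_KEY: "alice"}),
    _event("a2", "/oauth2callback/github?code=REDACTED",
           {DECISION_KEY: "deny", USERNAME_KEY: "mallory"}),
    _event("a3", "/oauth2callback/github?error=access_denied",
           {DECISION_KEY: "error"}),
    _event("a4", "/healthz", {}),
    "this line is not JSON and must be skipped",
])


def parse_login_events(text):
    """Return one dict per audit entry that carries a login decision annotation."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole scan
        annotations = ev.get("annotations") or {}
        decision = annotations.get(DECISION_KEY)
        if decision is None:
            continue  # not a login decision (health checks, token requests, ...)
        events.append({
            "auditID": ev.get("auditID"),
            "requestURI": ev.get("requestURI"),
            "decision": decision,
            "username": annotations.get(USERNAME_KEY),  # may be absent, see item B
        })
    return events


def summarize(text):
    """Tally decisions and flag entries that deviate from the expected results."""
    events = parse_login_events(text)
    by_decision = Counter(e["decision"] for e in events)
    denies_by_user = Counter(e["username"] for e in events
                             if e["decision"] == "deny" and e["username"])
    return {
        "total": len(events),
        "allow": by_decision["allow"],
        "deny": by_decision["deny"],
        "error": by_decision["error"],
        # values outside allow/deny/error would indicate a logging regression
        "unexpected": [e["auditID"] for e in events
                       if e["decision"] not in VALID_DECISIONS],
        # entries where the internal user mapping was not attached
        "missing_username": [e["auditID"] for e in events if not e["username"]],
        "denies_by_user": dict(denies_by_user),
    }


def logins_are_audited(text):
    """The bug's step 3: at least one login attempt must appear with a decision."""
    return summarize(text)["total"] > 0


if __name__ == "__main__":
    # Pipe the output of the oc loop from [2] into this script.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    print(json.dumps(summarize(data), indent=2))
```

Feeding the loop from [2] into the script (`... done | python3 audit_logins.py`) gives the allow/deny/error counts and lists the audit IDs where the username annotation is missing; an empty tally on a cluster where a login was just attempted reproduces the "Actual results" above.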
This bug is tested via the https://issues.redhat.com/browse/AUTH-6 cases with google, github, gitlab openid, google openid, ldap, request header, and basic auth IDPs; the annotations in the audit logs work well for successful and failed logins.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069