Story
Resolution: Unresolved
Description of problem:
In OpenShift external OIDC env, oc login and console login fail with Entra ID distributed claims when groups are > 200.
Version-Release number of selected component (if applicable):
4.21.0-0.nightly-2025-11-12-194750
How reproducible:
Always
Steps to Reproduce:
1. Use the az command to create ~190+ Security groups in Entra ID and add the test user as a member of each of them. Ensure the test user belongs to 200 groups:
   Column1             Column2
   ------------------  ------------------------------------
   xxia-testgroup0200  b4f01199-b2ec-49fd-8081-7a48205f483f
   ...
2. Configure OpenShift cluster external OIDC auth with Entra ID with the groups claim.
3. Test oc and console logins. Both work.
4. Use az to create 1 more Security group and add the user to it.
5. Clear the oc cache. Test oc login again.
Actual results:
5. Now, with 201 groups, oc login fails and outputs:
Please visit the following URL in your browser: http://localhost:8080/
error: You must be logged in to the server (Unauthorized)
Expected results:
5. Should succeed.
Additional info:
In step 5, the following checks give more information:
$ ls -lrt ~/.kube/cache/oc
total 84
-rw-------. 1 xxia xxia 1590 Nov 13 15:25 c8bfc8976bf0e30719ce3b6245ad2fe9999f38562c482c07826b107861518a6c
$ cat ~/.kube/cache/oc/c8bfc8976bf0e30719ce3b6245ad2fe9999f38562c482c07826b107861518a6c | jq -r '.id_token' | jq -R 'split(".") | .[0,1] | @base64d | fromjson'
{
"typ": "JWT",
"alg": "RS256",
"kid": "rtsFT-b-7LuY7DVYeSNKcIJ7Vnc"
}
{
"aud": "679a03a7-2d6f-4a7f-a860-1c84e5f35641",
"iss": "https://login.microsoftonline.com/6047xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/v2.0",
"iat": 1763018450,
"nbf": 1763018450,
"exp": 1763022350,
"_claim_names": {
"groups": "src1"
},
"_claim_sources": {
"src1": {
"endpoint": "https://graph.windows.net/6047xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/users/0000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/getMemberObjects"
}
},
"email": "xxxx@redhat.com",
"idp": "https://sts.windows.net/64dc69e4-xxxxxxxxxxxxxxxxxxxxxxxxxxx/",
"nonce": "fSQf_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"rh": "1.ATcA6cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"sub": "51RyNyF5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"tid": "6047xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"uti": "AKLsxxxxxxxxxxxxxxxxxx",
"ver": "2.0",
"wids": [
"cf1c38e5-xxxxxxxxxxxxxxxxxxxxxxxxxxx",
"fdd7a751-xxxxxxxxxxxxxxxxxxxxxxxxxxx",
"13bd1c72-xxxxxxxxxxxxxxxxxxxxxxxxxxx"
]
}
Checking the KAS (kube-apiserver) logs shows:
2025-11-13T07:28:08.525134270Z E1113 07:28:08.525055 12 authentication.go:75] "Unable to authenticate the request" err="[invalid bearer token, oidc: could not expand distributed claims: while getting distributed claim \"groups\": error while getting distributed claim JWT: 401 Unauthorized]"
Opening https://graph.windows.net/6047xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/users/00000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/getMemberObjects in a browser returns:
{"odata.error":{"code":"Authentication_MissingOrMalformed","message":{"lang":"en","value":"Access Token missing or malformed."}}}
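The decoded token above shows the mechanism behind the failure: once the user is in more than 200 groups, Entra ID no longer places the groups list in the ID token and instead emits `_claim_names` / `_claim_sources` (OpenID Connect Core 1.0 section 5.6.2, distributed claims) pointing at a Graph endpoint, and the KAS must call that endpoint to expand the claim. The script below is an added diagnostic example, not code from this report or from OpenShift: it decodes an ID token the same way the jq one-liner does (no signature verification), detects whether `groups` has been moved out of the token body, and reports whether the claim source carries its own `access_token`. The sample token is constructed inline with placeholder identifiers; the endpoint path mirrors the shape seen in the report but contains no real tenant or user id.

```python
import base64
import json

# Constructed sample modelled on the overage case in this report: "groups" is
# not inline but referenced via _claim_names / _claim_sources. Every identifier
# below is a placeholder, not a value from any real tenant.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}
SAMPLE_PAYLOAD = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "iat": 1763018450,
    "exp": 1763022350,
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {
            "endpoint": "https://graph.windows.net/<tenant-id>/users/<user-id>/getMemberObjects"
        }
    },
    "sub": "placeholder-sub",
}


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the stripped padding before decoding; this is what the jq
    # @base64d filter tolerates implicitly.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def build_unsigned_token(header: dict, payload: dict) -> str:
    # Produces a token for inspecting claim layout only. The signature segment
    # is empty, so nothing here stands in for the issuer's RS256 signature.
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "",
    ])


def decode_id_token(token: str) -> tuple[dict, dict]:
    # Parses header and payload WITHOUT verifying the signature, exactly like
    # the jq one-liner above. Diagnosis only; never use this for authorization.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def distributed_claims(payload: dict) -> dict:
    # Returns {claim_name: {"endpoint": ..., "has_access_token": ...}} for every
    # claim the issuer moved out of the token body. A source without its own
    # access_token means the relying party must authenticate to the endpoint by
    # other means; the getMemberObjects response quoted above shows that
    # endpoint rejects calls without a valid access token, which matches the
    # 401 in the KAS log.
    names = payload.get("_claim_names", {})
    sources = payload.get("_claim_sources", {})
    result = {}
    for claim, src_key in names.items():
        src = sources.get(src_key)
        if src is None:
            raise ValueError(f"_claim_names references unknown source {src_key!r}")
        result[claim] = {
            "endpoint": src.get("endpoint"),
            "has_access_token": "access_token" in src,
        }
    return result


def groups_need_resolution(payload: dict) -> bool:
    # True when the token carries no inline "groups" claim but does reference
    # one via a distributed claim source (the > 200 groups overage case).
    return "groups" not in payload and "groups" in distributed_claims(payload)


if __name__ == "__main__":
    token = build_unsigned_token(SAMPLE_HEADER, SAMPLE_PAYLOAD)
    _, claims = decode_id_token(token)
    print("groups distributed:", groups_need_resolution(claims))
    print(json.dumps(distributed_claims(claims), indent=2))
```

To run this against a real cached token, replace the constructed sample with the `id_token` field from the file under `~/.kube/cache/oc/` shown above; if `groups_need_resolution` reports True and `has_access_token` is False, the relying party (here the KAS) has to obtain a credential for the claim endpoint itself, which is the condition this bug describes.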
Is related to: OCPSTRAT-2779 BYO External Auth with Enhanced Management for Large Number of Groups