Red Hat OpenShift Dev Spaces (formerly CodeReady Workspaces)
CRW-1650

Some API calls are not working when keycloak-owned openshift token expires.


Details

    Steps to reproduce:
      • Have CRW installed with OAuth enabled
      • Interact with CRW with some user.
      • Don't use CRW with that user for more than a day (default openshift token expiration time)
      • After that day, obtain keycloak token for that user:
        $ ACCESS_TOKEN=$(curl -k --location --request POST 'https://<KEYCLOAK_ENDPOINT>/auth/realms/codeready/protocol/openid-connect/token' \
        --data-urlencode 'client_id=codeready-public' \
        --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
        --data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
        --data-urlencode 'subject_issuer=openshift-v4' \
        --data-urlencode 'subject_token=<User's openshift token>' | jq -r .access_token)

      • And using that token try to for example start workspace from devfile:
        $ curl -k -X POST -H "Content-type: application/json" -H "Authorization: Bearer $ACCESS_TOKEN" -d '{"apiVersion":"1.0.0","metadata":{"name":"wksp-test-ZPgDE"}}' -H "Accept: application/json, */*" https://codeready-openshift-workspaces.apps.ocp47-load.crw-qe.com/api/workspace/devfile

      • Expected: Workspace is created
      • Actual:
        {"message":"Error occurred when tried to list all available projects. Cause: Failure executing: GET at: https://172.30.0.1/apis/project.openshift.io/v1/projects?labelSelector\u003dapp.kubernetes.io%2Fpart-of%3Dche.eclipse.org%2Capp.kubernetes.io%2Fcomponent%3Dworkspaces-namespace. Message: Unauthorized! Configured service account doesn\u0027t have access. Service account may have been revoked. Unauthorized."}

    Description

      Some API calls are not working when the user didn't log in to CRW for a longer period than the expiration period of the openshift token.

      Please see "Steps to reproduce" to see what's actually happening.
      It seems like keycloak somehow returns the expired openshift token to Che.

      Logging in to Che using the UI (browser) fixes this and the user can do API calls again (for a day).

      We took a look into the keycloak database and indeed: until the user logs in through the UI, the openshift token that keycloak is holding is expired (`psql keycloak -c "select token from federated_identity"`). Once the user logs in through the UI, the token gets updated to a valid one.


      I'm setting this issue as "Critical" as it's a relatively big obstacle for our load tests (going through UI login for every used user every day... cc kkanova)

            People

              skabashn Sergii Kabashniuk
              rhopp@redhat.com Radim Hopp
              Votes: 0
              Watchers: 3