Red Hat OpenShift Dev Spaces (formerly CodeReady Workspaces)

CRW-202: Cannot log into CRW with OpenShift 4.0 or 4.1 oAuth


Description

      Test case:
      1. Go to CRW login page.
      2. Click on OpenShift v3 button.
      3. Log into OCP as a regular user with basic-user role with htpasswd identity.
      4. Click on "Allow" button in OpenShift oAuth application page.

      Expected result:

      • form to enter CRW profile info is opened

      Actual wrong result:

      • page with error message
        WE'RE SORRY ...
        Unexpected error when authenticating with identity provider
        

        and the URL "http://keycloak-crw-oauth.apps.crw.codereadyqe.com/auth/realms/codeready/broker/openshift-v3/endpoint?code=4Sek5sNS6uBO-SWAqlh5fIbDSWQas-g9e_QdpzTqOPs&state=9vm-melw4ZB9hNDwh23e9dD8mJQtLS6MRUWnPQyPsTo.8SsDsLZzkCw.codeready-public"

      There was next error message in keycloak console:

      18:00:47,663 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-5) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not obtain user profile from Openshift.
          at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.doGetFederatedIdentity(OpenshiftV3IdentityProvider.java:54)
          at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getFederatedIdentity(AbstractOAuth2IdentityProvider.java:282)
      ...
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.NullPointerException
          at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getJsonProperty(AbstractOAuth2IdentityProvider.java:333)
          at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractUserContext(OpenshiftV3IdentityProvider.java:59)
          at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.doGetFederatedIdentity(OpenshiftV3IdentityProvider.java:50)
          ... 63 more
      

      Possible root cause: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/openshift/OpenshiftV3IdentityProvider.java#L54

      Screencast: simplescreenrecorder-2019-03-28_00.21.16.mp4

      Update: the same error was encountered when trying to log into CRW:

      • with OpenShift oAuth linked to GitHub oAuth in OCP 4.0;
      • with OpenShift oAuth linked to LDAP.

      Login through OpenShift OAuth shouldn't work with the temporary default cluster admin "kubeadmin", because it doesn't have an identity provider (identities = null):

      curl --insecure -H "Authorization: Bearer .........." "https://api.crw.codereadyqe.com:6443/apis/user.openshift.io/v1/users/~"
      {
        "kind": "User",
        "apiVersion": "user.openshift.io/v1",
        "metadata": {
          "name": "kube:admin",
          "selfLink": "/apis/user.openshift.io/v1/users/kube%3Aadmin",
          "creationTimestamp": null
        },
        "identities": null,
        "groups": [
          "system:authenticated",
          "system:cluster-admins"
        ]
      }
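
      The stack trace above ends in a NullPointerException while the broker reads the user profile, and the users/~ output shows one profile shape (identities = null, no metadata.uid) that such a reader has to tolerate. The following is an added example, not Keycloak's or CRW's code: it parses the users/~ response defensively, refuses a user with no identities with an explicit message instead of a crash, and falls back when metadata.uid is absent. Which fields the real broker reads is an assumption here, and both sample profiles are constructed (the first from the report's kube:admin output).

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed: the kube:admin profile quoted in the report (GET .../users/~), identities = null
KUBEADMIN_PROFILE = json.loads("""{"kind": "User", "apiVersion": "user.openshift.io/v1",
  "metadata": {"name": "kube:admin", "selfLink": "/apis/user.openshift.io/v1/users/kube%3Aadmin",
               "creationTimestamp": null},
  "identities": null, "groups": ["system:authenticated", "system:cluster-admins"]}""")

# Constructed: a regular IdP-backed user (User type field names; the uid value is made up)
HTPASSWD_USER_PROFILE = {"kind": "User", "apiVersion": "user.openshift.io/v1",
    "metadata": {"name": "developer", "uid": "00000000-0000-4000-8000-000000000001"},
    "identities": ["htpasswd_provider:developer"], "groups": ["system:authenticated"]}

class ProfileError(ValueError):
    """Unusable profile; raised instead of letting a null surface as an NPE."""

@dataclass
class BrokeredIdentity:
    user_id: str
    username: str
    identity_provider: Optional[str]
    warnings: list = field(default_factory=list)  # fallbacks taken, for the broker log

def extract_user_context(profile: dict) -> BrokeredIdentity:
    metadata = profile.get("metadata")
    if not isinstance(metadata, dict) or not metadata.get("name"):
        raise ProfileError("OpenShift user profile has no metadata.name")
    identities = profile.get("identities") or []  # JSON null becomes an empty list
    if not identities:
        # The kube:admin case from the report: no identity provider behind this user,
        # so there is nothing to federate; report that instead of crashing.
        raise ProfileError(f"user {metadata['name']!r} has no identities; only "
                           "identity-provider-backed users can log in via OpenShift OAuth")
    warnings = []
    user_id = metadata.get("uid")
    if not user_id:
        warnings.append("metadata.uid missing; using metadata.name as broker id")
        user_id = metadata["name"]
    # OpenShift identity names have the form "<provider name>:<user name at the provider>"
    provider = identities[0].split(":", 1)[0] if ":" in identities[0] else None
    return BrokeredIdentity(user_id, metadata["name"], provider, warnings)

def login_error(profile: dict) -> Optional[str]:
    """Message the broker should log and show, or None when the login can proceed."""
    try:
        extract_user_context(profile)
    except ProfileError as exc:
        return str(exc)
    return None
```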
      

      https://github.com/eclipse/che/issues/13659#issuecomment-508040264

              dfestal David Festal
              dnochevn Dmytro Nochevnov