- Bug
- Resolution: Done-Errata
- Undefined
- None
- 4.14
- None
- Important
- No
- Rejected
- False
Description of problem:
After logging in to the console of a 4.14 cluster, the `copy login command` action in the top-right corner user menu does not open the page displaying the token and the CLI command to use for logging in from the terminal. It redirects (302) to the home of the console. This seems to be happening due to a blocked OPTIONS (preflighted) request to the https://oauth-openshift.apps.$CLUSTER_DOMAIN/oauth/token/request endpoint, leading to a 302 because of the missing ‘Access-Control-Allow-Origin’ header. 4.13 and 4.14.0-ec.1 are not affected.
Version-Release number of selected component (if applicable):
4.14.0-0.nightly-multi-2023-06-21-144604
How reproducible:
Always
Steps to Reproduce:
1. Install a 4.14 nightly cluster (tested on Azure and AWS, with the arm64 and multi payloads, respectively)
2. Log in (either as kubeadmin or other user at least in the case of the HTPasswd IDP) to the dev console
3. In the top-right corner, open the dropdown menu with the username
4. Click on `Copy login command`
Actual results:
A new tab opens, but it eventually gets redirected to the homepage
Expected results:
A new tab opens, showing the user token and the instructions to log in via CLI
Additional info:
Request headers:

```
OPTIONS /oauth/token/request HTTP/1.1
Host: oauth-openshift.apps.adistefa-het.qe.devcluster.openshift.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-cluster
Referer: https://console-openshift-console.apps.adistefa-het.qe.devcluster.openshift.com/
Origin: https://console-openshift-console.apps.adistefa-het.qe.devcluster.openshift.com
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
```

Response headers:

```
HTTP/1.1 302 Found
Audit-Id: 35cc1c72-aa59-4f44-a8fa-27826a2e911a
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: 0
Location: https://oauth-openshift.apps.adistefa-het.qe.devcluster.openshift.com/oauth/authorize?client_id=openshift-browser-client&redirect_uri=https%3A%2F%2Foauth-openshift.apps.adistefa-het.qe.devcluster.openshift.com%2Foauth%2Ftoken%2Fdisplay&response_type=code
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Date: Thu, 22 Jun 2023 07:51:54 GMT
Content-Length: 0
```

The error in the JS console in Firefox:

```
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://oauth-openshift.apps.mykrbid.qe.azure.devcluster.openshift.com/oauth/token/request. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 302.
```

I tried changing the v4-0-config-system-cliconfig configmap in the openshift-authentication namespace in order to allow all the origins. However, another error comes up:

```
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://oauth-openshift.apps.mykrbid.qe.azure.devcluster.openshift.com/oauth/token/request. (Reason: header ‘x-cluster’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).
```

In the oauth-openshift logs:

```
I0622 09:30:18.007993 1 httplog.go:132] "HTTP" verb="OPTIONS" URI="/oauth/token/request" latency="128.519µs" userAgent="Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0" audit-ID="e8b3d0ea-2f57-40be-9c00-a541a4b11ee2" srcIP="10.131.0.5:38738" resp=204
I0622 09:30:18.142894 1 authorization.go:73] "Forbidden" URI="/" Reason=""
```
- is duplicated by: OCPBUGS-16186 Console Copy login command redirects improperly (Closed)
- links to: RHEA-2023:5006 rpm
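
The two browser errors quoted in the report correspond to successive steps of the CORS preflight check. The sketch below is an added example, not part of the original report or of OpenShift code; it models that check in simplified form for requests without credentials, and the hosts and allow-list values are constructed placeholders.

```javascript
// Simplified model of the browser's CORS-preflight check (Fetch standard)
// for requests sent without credentials. Header names are lower-cased keys.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

function evaluatePreflight(request, response) {
  const allowOrigin = response.headers["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "missing Access-Control-Allow-Origin" };
  }
  if (allowOrigin !== "*" && allowOrigin !== request.headers["origin"]) {
    return { allowed: false, reason: "Access-Control-Allow-Origin does not match Origin" };
  }
  // A preflight must end in a 2xx status; a redirect counts as a failure.
  if (response.status < 200 || response.status > 299) {
    return { allowed: false, reason: `preflight status ${response.status} is not 2xx` };
  }
  const method = request.headers["access-control-request-method"] || "";
  const allowedMethods = tokens(response.headers["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.has(method) && !allowedMethods.includes("*") &&
      !allowedMethods.includes(method.toLowerCase())) {
    return { allowed: false, reason: `method ${method} not allowed` };
  }
  const allowedHeaders = tokens(response.headers["access-control-allow-headers"]);
  for (const name of tokens(request.headers["access-control-request-headers"])) {
    if (!allowedHeaders.includes("*") && !allowedHeaders.includes(name)) {
      return { allowed: false, reason: `header ${name} not allowed by Access-Control-Allow-Headers` };
    }
  }
  return { allowed: true, reason: "preflight passed" };
}

// Constructed inputs modelled on the report; hosts and allow-lists are placeholders.
const preflight = { headers: {
  "origin": "https://console.example.test",
  "access-control-request-method": "GET",
  "access-control-request-headers": "x-cluster" } };
const redirected = { status: 302, headers: { "location": "https://oauth.example.test/oauth/authorize" } };
const originOnly = { status: 204, headers: {
  "access-control-allow-origin": "https://console.example.test",
  "access-control-allow-headers": "Content-Type, Authorization" } };
const headerAllowed = { status: 204, headers: {
  "access-control-allow-origin": "https://console.example.test",
  "access-control-allow-headers": "Content-Type, Authorization, X-Cluster" } };
[redirected, originOnly, headerAllowed].forEach((r) =>
  console.log(r.status, evaluatePreflight(preflight, r).reason));
```

The first two responses reproduce the two Firefox messages in order: the missing `Access-Control-Allow-Origin` on the 302, then the rejected `x-cluster` header once the origin is allowed.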