Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-23555

OAuthClient 'openshift-cli-client' is missing for HyperShift Guest Clusters causing `oc login --web` fails

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Critical Critical
    • 4.15.0
    • 4.13, 4.14, 4.15
    • HyperShift
    • No
    • Hypershift Sprint 246
    • 1
    • Proposed
    • False
    • Hide

      None

      Show
      None
    • N/A
    • Release Note Not Required

      Description of problem:

      The oc login --web command fails when used with a Hypershift Guest Cluster. The web console returns an error message stating that the client is unauthorized to request a token using this method.
      Error Message:
      {  "error": "unauthorized_client",  
      "error_description": "The client is not authorized to request a token using this method."
      }
      
      OCP does not have such issue.

      Version-Release number of selected component (if applicable):

      4.13.0-0.nightly-2023-11-21-212406
      4.14
      4.15

      How reproducible:

      always

      Steps to Reproduce:

      1.Install a Hypershift Guest Cluster.
      2. Configure the Any OpenID Identity Provider for the Hypershift Guest Cluster eg. https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-62511
      3. Execute the oc login --web $URL command.
      
      4. After adding openshift-cli-client manually it's works
      # cat oauth.yaml
      apiVersion: oauth.openshift.io/v1
      grantMethod: auto
      kind: OAuthClient
      metadata:
        name: openshift-cli-client
      redirectURIs:
      - http://127.0.0.1/callback,http://[::1]/callback
      respondWithChallenges: false
      
      # oc create -f oauth.yaml
      oauthclient.oauth.openshift.io/openshift-cli-client created
      
      $ oc login --web $URL
      Opening login URL in the default browser: https://oauth-clusters-hypershift-ci-28276.apps.xxxxxxxxxxxxxxxx.com:443/oauth/authorize?client_id=openshift-cli-client&code_challenge=mixnB73nR_yzL58e0lEd4soQH1sn0GjvWEfnX4PNrCg&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A45055%2Fcallback&response_type=code
      Login successful.
      
      

      Actual results:

      Step 3: The web login process fails and redirects to an error page displaying the error message "error_description": "The client is not authorized to request a token using this method."

      Expected results:

      OAuthClient 'openshift-cli-client' should not be missing for HyperShift Guest Clusters so that the oc login --web $URL command should work without any issues. As OCP 4.13+ has the OAuthClient 'openshift-cli-client' by default.

      Additional info:

      The issue can be tracked at the following URL: https://issues.redhat.com/browse/AUTH-444

      Root Cause :
      Default 'openshift-cli-client' OAuthClient should not be missing for HyperShift Guest Clusters.

              sjenning Seth Jennings
              rhn-support-dpunia Deepak Punia (Inactive)
              Deepak Punia Deepak Punia (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: