-
Bug
-
Resolution: Done-Errata
-
Critical
-
4.13, 4.14, 4.15
-
No
-
Hypershift Sprint 246
-
1
-
Proposed
-
False
-
-
N/A
-
Release Note Not Required
Description of problem:
The oc login --web command fails when used with a Hypershift Guest Cluster. The web console returns an error message stating that the client is unauthorized to request a token using this method. Error Message: { "error": "unauthorized_client", "error_description": "The client is not authorized to request a token using this method." } OCP does not have such issue.
Version-Release number of selected component (if applicable):
4.13.0-0.nightly-2023-11-21-212406 4.14 4.15
How reproducible:
always
Steps to Reproduce:
1.Install a Hypershift Guest Cluster. 2. Configure the Any OpenID Identity Provider for the Hypershift Guest Cluster eg. https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-62511 3. Execute the oc login --web $URL command. 4. After adding openshift-cli-client manually it's works # cat oauth.yaml apiVersion: oauth.openshift.io/v1 grantMethod: auto kind: OAuthClient metadata: name: openshift-cli-client redirectURIs: - http://127.0.0.1/callback,http://[::1]/callback respondWithChallenges: false # oc create -f oauth.yaml oauthclient.oauth.openshift.io/openshift-cli-client created $ oc login --web $URL Opening login URL in the default browser: https://oauth-clusters-hypershift-ci-28276.apps.xxxxxxxxxxxxxxxx.com:443/oauth/authorize?client_id=openshift-cli-client&code_challenge=mixnB73nR_yzL58e0lEd4soQH1sn0GjvWEfnX4PNrCg&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A45055%2Fcallback&response_type=code Login successful.
Actual results:
Step 3: The web login process fails and redirects to an error page displaying the error message "error_description": "The client is not authorized to request a token using this method."
Expected results:
OAuthClient 'openshift-cli-client' should not be missing for HyperShift Guest Clusters so that the oc login --web $URL command should work without any issues. As OCP 4.13+ has the OAuthClient 'openshift-cli-client' by default.
Additional info:
The issue can be tracked at the following URL: https://issues.redhat.com/browse/AUTH-444
Root Cause :
Default 'openshift-cli-client' OAuthClient should not be missing for HyperShift Guest Clusters.
- is cloned by
-
OCPBUGS-24269 OAuthClient 'openshift-cli-client' is missing for HyperShift Guest Clusters causing `oc login --web` fails
- Closed
- is depended on by
-
OCPBUGS-24269 OAuthClient 'openshift-cli-client' is missing for HyperShift Guest Clusters causing `oc login --web` fails
- Closed
- relates to
-
AUTH-355 Add OAuth2 Authorization Code Grant Flow login to oc
- Closed
- links to
-
RHEA-2023:7198 rpm
- mentioned on