Bug
Resolution: Unresolved
4.16.z
Important
Description of problem:
Could not log in to some OAuth 2.0 IDPs like Google if the IDP name has spaces. Others like the GitHub IDP work well without such an issue. This was found in a 4.16 env.
4.17 and 4.18 should have the same issue, but they first have another separate panic bug, OCPBUGS-44099, that blocks a Google IDP with spaces in its name from being tested wrt the login function.
Now OCPBUGS-44099 is fixed. From the test results there, not only is the panic fixed, but the login to a Google IDP with spaces in its name is also, BTW, fixed!
So, creating this separate bug for 4.16, which should also be fixed to make login work well for such an IDP.
Version-Release number of selected component (if applicable):
4.16.20
How reproducible:
Always
Steps to Reproduce:
1. Configure a Google IDP with spaces in its name, like 'my Google idp':
```
$ oc create secret generic google-secret-1 --from-file=clientSecret=google-client-secret-1.txt -n openshift-config
$ oc patch oauth cluster --type=merge -p="
spec:
  identityProviders:
  - google:
      clientID: 9745..snipped...apps.googleusercontent.com
      clientSecret:
        name: google-secret-1
      hostedDomain: redhat.com
    mappingMethod: claim
    name: 'my Google idp'
    type: Google
"
```
2. Given the idp name includes spaces, urlencode it so that the Authorized redirect URIs will be filled in with it:
```
$ urlencode 'my Google idp'
my%20Google%20idp
```
In the Google OAuth app setting page, fill in the Authorized redirect URIs with https://<oauth_route_snipped>/oauth2callback/my%20Google%20idp.
3. Open the OpenShift console; it shows the "my Google idp" IDP. Click it to try to log in.
Actual results:
3. Console login fails, with the browser showing the below (here is the screenshot):
```
Access blocked: Authorization Error
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.
You can let the app developer know that this app doesn't comply with one or more Google validation rules.
Learn more about this error
If you are a developer of myauthtest, see error details.
Error 400: invalid_request
```
Expected results:
Console should log in successfully, given 4.18 already fixed it via OCPBUGS-44099.
Additional info:
- relates to: OCPBUGS-44118 oauth-server panic with OAuth2.0 idp names that contain whitespaces (ON_QA)
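
An added example, not part of the original report or of OpenShift's code: a POSIX shell helper that percent-encodes IDP names the way step 2 does and lists which configured names need an encoded redirect URI registered at the provider. The host `oauth.example.test` and the function names are hypothetical, and the sample names are constructed.

```shell
#!/bin/sh
# Added example: audit identity provider names for characters that must be
# percent-encoded in the /oauth2callback/<name> redirect URI (step 2 above).

# Percent-encode $1 as one URL path segment. RFC 3986 unreserved bytes
# (A-Z a-z 0-9 - . _ ~) pass through; every other byte becomes %XX.
urlencode_segment() {
    out=''
    for h in $(printf '%s' "$1" | od -An -v -tx1); do
        case "$h" in
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                # unreserved byte: turn the hex value back into the character
                out="$out$(printf "\\$(printf '%03o' "0x$h")")" ;;
            *)
                out="$out%$(printf '%s' "$h" | tr 'a-f' 'A-F')" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Build the redirect URI. $1 = OAuth route host, $2 = IDP name.
idp_redirect_uri() {
    printf 'https://%s/oauth2callback/%s\n' "$1" "$(urlencode_segment "$2")"
}

# Read IDP names on stdin (one per line) and report, tab-separated, whether
# each name changes under encoding, plus the URI to register for it.
# $1 = OAuth route host.
audit_idp_names() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "$(urlencode_segment "$name")" != "$name" ]; then
            status='NEEDS-ENCODING'
        else
            status='OK'
        fi
        printf '%s\t%s\t%s\n' "$status" "$name" "$(idp_redirect_uri "$1" "$name")"
    done
}

# Constructed sample input. On a live cluster the names could come from:
#   oc get oauth cluster \
#     -o jsonpath='{range .spec.identityProviders[*]}{.name}{"\n"}{end}'
printf 'github\nmy Google idp\n' | audit_idp_names oauth.example.test
```

Names flagged `NEEDS-ENCODING` are the ones affected by this class of bug, so they are worth a login test after any oauth-server update.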