Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.14.z, 4.20
Component/s: apiserver-auth
Labels:
None

Work Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Important
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
Rejected
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

Couldn't login to OpenID Connect IDP with groups sync when IDP name includes spaces.

Note, if the the groups sync is removed from the OpenID Connect IDP configuration, then Console login succeeds without issue.

Version-Release number of selected component (if applicable):

Found in 4.20.0-0.nightly-2025-05-29-041615.
Then checked in earlier release 4.14.0-0.nightly-2025-05-28-142903, hit same.

How reproducible:

Always

Steps to Reproduce:

1. Configure IDPs as below. Note it has groups sync when OpenID Connect IDP name includes spaces:
$ oc edit oauth cluster
...
spec:
  identityProviders:
  - htpasswd:
      fileData:
        name: htpass-secret
    mappingMethod: claim
    name: flexy-htpasswd-provider
    type: HTPasswd
  - mappingMethod: claim
    name: Microsoft Entra ID
    openID:
      claims:
        email:
        - email
        groups:
        - groups
        name:
        - name
        preferredUsername:
        - preferred_username
      clientID: 3afe47eb-XXXXXXXX
      clientSecret:
        name: microsoft-entra-id-secret
      extraScopes:
      - email
      - profile
      issuer: https://login.microsoftonline.com/604XXXXXXXX/v2.0
    type: OpenID
2. Log in to OpenShift Console

Actual results:

Login to OpenShift Console failed. The page returned:
An authentication error occurred.

Check oauth-openshift pods' logs, found:
2025-05-30T12:50:06.681068951Z E0530 12:50:06.681016       1 errorpage.go:28] AuthenticationError: Group.user.openshift.io "xxia-testgroup1" is invalid: metadata.annotations: Invalid value: "oauth.openshift.io/idp.Microsoft Entra ID": name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')

Expected results:
Login to OpenShift Console should succeed by handling special characters well. Otherwise the fix of ~~OCPBUGS-44099~~ and ~~OCPBUGS-42772~~ to allow spaces in IDP name might be challenged.

Additional info:

Sorry my bad I didn't discover this, before.

is related to

OCPBUGS-42772 Go's 1.22 net/http.ServeMux causes oauth-server to panic with idp names that contain whitespacs

Closed

Assignee:: Unassigned

Reporter:: Xingxing Xia

Need Info From:: None

Contributors:: None

QA Contact:: Xingxing Xia

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/05/30 1:07 PM

Updated:: 2025/06/12 5:29 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates