Bug
Resolution: Unresolved
4.19.z, 4.20.0
Quality / Stability / Reliability
Moderate
Done
Bug Fix
Description of problem:
"oc login -u" in external oidc env can succeed but misleadingly causes the following oc commands to fail
Version-Release number of selected component (if applicable):
oc 4.20.0-0.nightly-2025-07-01-051543 Server version 4.20.0-0.nightly-2025-07-01-051543
How reproducible:
Always
Steps to Reproduce:
1. Configure external oidc env.

2. Log in successfully:

    $ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email,profile --callback-port=8080
    Please visit the following URL in your browser: http://localhost:8080
    Logged into "https://api.xxxx.devcluster.openshift.com:6443" as "oidc-user-test:xxia@redhat.com" from an external oidc issuer.
    You don't have any projects. Contact your system administrator to request a project.

3. Run any other oc operations that may switch contexts, like oc config use-context admin.

4. One happens to run the "oc login -u" command below; it succeeds:

    $ oc login -u oidc-user-test:xxia@redhat.com
    Logged into "https://api.xxxx.devcluster.openshift.com:6443" as "oidc-user-test:xxia@redhat.com" using existing credentials.
    Using "default" namespace. You can switch namespaces with: oc project <projectname>

5. Run any oc commands like below. All fail:

    $ oc whoami
    Error from server (Forbidden): users.user.openshift.io "~" is forbidden: User "system:anonymous" cannot get resource "users" in API group "user.openshift.io" at the cluster scope
    $ oc get project
    Error from server (Forbidden): projects.project.openshift.io is forbidden: User "system:anonymous" cannot list resource "projects" in API group "project.openshift.io" at the cluster scope

Checking the kubeconfig, found:

    $ cat $KUBECONFIG
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://api.xxxx.devcluster.openshift.com:6443
      name: api-xxxx-devcluster-openshift-com:6443
    contexts:
    - context:
        cluster: api-xxxx-devcluster-openshift-com:6443
        namespace: default
        user: oidc-user-test:xxia@redhat.com/api-xxxx-devcluster-openshift-com:6443
      name: default/api-xxxx-devcluster-openshift-com:6443/oidc-user-test:xxia@redhat.com
    current-context: default/api-xxxx-devcluster-openshift-com:6443/oidc-user-test:xxia@redhat.com
    kind: Config
    preferences: {}
    users:
    - name: oidc-user-test:xxia@redhat.com/api-xxxx-devcluster-openshift-com:6443
      user: {}
Actual results:
Step 4 "oc login -u" can succeed. But the following oc commands all fail. The kubeconfig shows the credential is modified to be empty "user: {}" by the successful "oc login -u" command, which makes the step 5 oc commands fail.
Expected results:
If "oc login -u" shouldn't be supported, a proper warning message should show instead to tell us. Otherwise, if "oc login -u" should be supported, it should not remove the credential to be empty "user: {}" which makes the following oc commands fail, which is very misleading.
Additional info:
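
A check for the condition shown in this report, as an added example that is not part of the original report or of oc: it reads the JSON form of a kubeconfig (for instance from `oc config view -o json`) and flags a current context whose user entry holds no credential, the state in which requests are sent as system:anonymous. The function names, the list of credential keys and the sample configs are assumptions constructed for illustration.

```python
import json
import sys

# Kubeconfig user fields that carry or obtain a credential (assumed list).
CREDENTIAL_KEYS = (
    "token", "tokenFile", "exec", "auth-provider", "username", "password",
    "client-certificate", "client-certificate-data",
    "client-key", "client-key-data",
)

def current_user_entry(cfg):
    """Return (user_name, user_dict) for current-context; user_dict is None if absent."""
    current = cfg.get("current-context")
    for ctx in cfg.get("contexts") or []:
        if ctx.get("name") != current:
            continue
        name = (ctx.get("context") or {}).get("user")
        for entry in cfg.get("users") or []:
            if entry.get("name") == name:
                return name, entry.get("user") or {}
        return name, None
    return None, None

def is_anonymous(cfg):
    """True when the current context has no usable credential field."""
    _, user = current_user_entry(cfg)
    return not user or not any(user.get(k) for k in CREDENTIAL_KEYS)

def sample(user):
    """Constructed kubeconfig mirroring the names in this report."""
    uname = "oidc-user-test:xxia@redhat.com/api-xxxx-devcluster-openshift-com:6443"
    cname = "default/api-xxxx-devcluster-openshift-com:6443/oidc-user-test:xxia@redhat.com"
    return {
        "current-context": cname,
        "contexts": [{"name": cname, "context": {"user": uname, "namespace": "default"}}],
        "users": [{"name": uname, "user": user}],
    }

BROKEN = sample({})  # state after step 4: "user: {}"
WORKING = sample({"exec": {"command": "example-plugin"}})  # placeholder exec stanza

if __name__ == "__main__":
    # Pipe kubeconfig JSON on stdin, or run without input to check the BROKEN sample.
    cfg = BROKEN if sys.stdin.isatty() else json.load(sys.stdin)
    name, _ = current_user_entry(cfg)
    if is_anonymous(cfg):
        print(f"WARNING: user {name!r} has no credentials; requests will be anonymous")
        sys.exit(1)
    print(f"ok: user {name!r} has a credential source")
```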