Bug
Resolution: Done
4.19.z, 4.20.0
Quality / Stability / Reliability
Moderate
Bug Fix
Description of problem:
"oc login -u" in an external OIDC env can succeed but misleadingly causes the following oc commands to fail
Version-Release number of selected component (if applicable):
oc 4.20.0-0.nightly-2025-07-01-051543 Server version 4.20.0-0.nightly-2025-07-01-051543
How reproducible:
Always
Steps to Reproduce:
1. Configure external oidc env.
2. Log in successfully:
$ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email,profile --callback-port=8080
Please visit the following URL in your browser: http://localhost:8080
Logged into "https://api.xxxx.devcluster.openshift.com:6443" as "oidc-user-test:xxia@redhat.com" from an external oidc issuer.
You don't have any projects. Contact your system administrator to request a project.
3. Run any other oc operations that may switch contexts, like oc config use-context admin.
4. One happens to run the below "oc login -u" command; it succeeds:
$ oc login -u oidc-user-test:xxia@redhat.com
Logged into "https://api.xxxx.devcluster.openshift.com:6443" as "oidc-user-test:xxia@redhat.com" using existing credentials.
Using "default" namespace. You can switch namespaces with:
oc project <projectname>
5. Run any oc commands like below. All fail:
$ oc whoami
Error from server (Forbidden): users.user.openshift.io "~" is forbidden: User "system:anonymous" cannot get resource "users" in API group "user.openshift.io" at the cluster scope
$ oc get project
Error from server (Forbidden): projects.project.openshift.io is forbidden: User "system:anonymous" cannot list resource "projects" in API group "project.openshift.io" at the cluster scope
Checking the kubeconfig, found:
$ cat $KUBECONFIG
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://api.xxxx.devcluster.openshift.com:6443
  name: api-xxxx-devcluster-openshift-com:6443
contexts:
- context:
    cluster: api-xxxx-devcluster-openshift-com:6443
    namespace: default
    user: oidc-user-test:xxia@redhat.com/api-xxxx-devcluster-openshift-com:6443
  name: default/api-xxxx-devcluster-openshift-com:6443/oidc-user-test:xxia@redhat.com
current-context: default/api-xxxx-devcluster-openshift-com:6443/oidc-user-test:xxia@redhat.com
kind: Config
preferences: {}
users:
- name: oidc-user-test:xxia@redhat.com/api-xxxx-devcluster-openshift-com:6443
  user: {}
Actual results:
Step 4 "oc login -u" can succeed, but the following oc commands all fail. The kubeconfig shows the credential is modified to be empty ("user: {}") by the successful "oc login -u" command, which makes the step 5 oc commands fail.
Expected results:
If "oc login -u" shouldn't be supported, a proper warning message should be shown instead to tell us.
Otherwise, if "oc login -u" should be supported, it should not empty the credential to "user: {}", which makes the following oc commands fail and is very misleading.
Additional info:
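
A check for the condition in this report, added here as an example and not part of the original report or of oc: it resolves current-context to its user entry and flags an entry with no credential fields, the state in which requests reach the API server as system:anonymous. It assumes the kubeconfig is supplied as JSON (for example from `oc config view -o json`); the function names, the sample data and the exec stub are constructed for illustration.

```python
import json

# Kubeconfig user fields that carry or produce a credential.
CREDENTIAL_KEYS = {
    "token", "tokenFile", "exec", "auth-provider",
    "client-certificate", "client-certificate-data",
    "username", "password",
}

def current_user_entry(cfg):
    """Resolve current-context -> context -> user entry; None if a link is missing."""
    ctx_name = cfg.get("current-context")
    ctx = next((c.get("context") or {} for c in cfg.get("contexts") or []
                if c.get("name") == ctx_name), None)
    if ctx is None:
        return None
    return next((u for u in cfg.get("users") or []
                 if u.get("name") == ctx.get("user")), None)

def check_kubeconfig(cfg):
    """Return (ok, reason); ok is False when requests would go out unauthenticated."""
    entry = current_user_entry(cfg)
    if entry is None:
        return False, "current-context does not resolve to a user entry"
    present = CREDENTIAL_KEYS & set((entry.get("user") or {}).keys())
    if not present:
        return False, f"user {entry['name']!r} has no credentials (user: {{}})"
    return True, "credentials present: " + ", ".join(sorted(present))

# Constructed sample mirroring the kubeconfig shown in the report.
USER = "oidc-user-test:xxia@redhat.com/api-xxxx-devcluster-openshift-com:6443"
CTX = "default/api-xxxx-devcluster-openshift-com:6443/oidc-user-test:xxia@redhat.com"
BROKEN = {
    "current-context": CTX,
    "contexts": [{"name": CTX, "context": {"user": USER, "namespace": "default"}}],
    "users": [{"name": USER, "user": {}}],
}
# Same config with a constructed exec-plugin stanza standing in for the
# credential that the step 2 login had configured.
GOOD = json.loads(json.dumps(BROKEN))
GOOD["users"][0]["user"] = {"exec": {"command": "oc"}}

if __name__ == "__main__":
    for label, cfg in (("after 'oc login -u'", BROKEN), ("with exec plugin", GOOD)):
        print(label, "->", check_kubeconfig(cfg))
```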