OpenShift Bugs / OCPBUGS-58393

"oc login -u" in external OIDC env can succeed but misleadingly causes the following oc commands to fail

Severity: Moderate
Release Note Status: Done
Release Note Type: Bug Fix

Release Note Text:
* Before this update, the `oc login -u` command in external OIDC environments succeeded but removed user credentials, causing subsequent `oc` commands to fail. With this release, the `oc login -u` command no longer modifies the kubeconfig, so subsequent `oc` commands continue to work. (link:https://issues.redhat.com/browse/OCPBUGS-58393[OCPBUGS-58393])
____
Fixed `oc login -u <username>` pruning the relevant user section in the kubeconfig when an external OIDC provider is being used.

      Description of problem:

      "oc login -u" in external OIDC env can succeed but misleadingly causes the following oc commands to fail
      

      Version-Release number of selected component (if applicable):

      oc 4.20.0-0.nightly-2025-07-01-051543
      Server version 4.20.0-0.nightly-2025-07-01-051543
      

      How reproducible:

      Always
      

      Steps to Reproduce:

      1. Configure an external OIDC environment.
      
      2. Log in successfully:
      $ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email,profile --callback-port=8080
      Please visit the following URL in your browser: http://localhost:8080
      Logged into "https://api.xxxx.devcluster.openshift.com:6443" as "oidc-user-test:xxia@redhat.com" from an external oidc issuer.
      
      You don't have any projects. Contact your system administrator to request a project.
      
      3. Run any other oc operation that may switch contexts, such as oc config use-context admin.
      
      4. One then happens to run the "oc login -u" command below; it succeeds:
      $ oc login -u oidc-user-test:xxia@redhat.com
      Logged into "https://api.xxxx.devcluster.openshift.com:6443" as "oidc-user-test:xxia@redhat.com" using existing credentials.
      
      Using "default" namespace.  You can switch namespaces with:
      
       oc project <projectname>
      
      5. Run any oc commands, like those below. All fail:
      $ oc whoami
      Error from server (Forbidden): users.user.openshift.io "~" is forbidden: User "system:anonymous" cannot get resource "users" in API group "user.openshift.io" at the cluster scope
      
      $ oc get project
      Error from server (Forbidden): projects.project.openshift.io is forbidden: User "system:anonymous" cannot list resource "projects" in API group "project.openshift.io" at the cluster scope
      
      Checking the kubeconfig shows:
      $ cat $KUBECONFIG
      apiVersion: v1
      clusters:
      - cluster:
          certificate-authority-data: DATA+OMITTED
          server: https://api.xxxx.devcluster.openshift.com:6443
        name: api-xxxx-devcluster-openshift-com:6443
      contexts:
      - context:
          cluster: api-xxxx-devcluster-openshift-com:6443
          namespace: default
          user: oidc-user-test:xxia@redhat.com/api-xxxx-devcluster-openshift-com:6443
        name: default/api-xxxx-devcluster-openshift-com:6443/oidc-user-test:xxia@redhat.com
      current-context: default/api-xxxx-devcluster-openshift-com:6443/oidc-user-test:xxia@redhat.com
      kind: Config
      preferences: {}
      users:
      - name: oidc-user-test:xxia@redhat.com/api-xxxx-devcluster-openshift-com:6443
        user: {}
      

      Actual results:

      The step 4 "oc login -u" command succeeds, but all following oc commands fail. The kubeconfig shows that the credential was emptied to "user: {}" by the successful "oc login -u" command, which makes the step 5 oc commands fail.

      Expected results:

      If "oc login -u" is not meant to be supported in this environment, a proper warning message should be shown instead to tell us.
      
      Otherwise, if "oc login -u" should be supported, it should not empty the credential to "user: {}", which makes the following oc commands fail and is very misleading.

      Additional info:

       
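The reproduction above ends with a kubeconfig whose current context points at a user entry that has been pruned to `user: {}`, which is why steps 5's requests are evaluated as `system:anonymous`. The following pre-flight check detects exactly that state before any command is run. It is an added example, not code from this bug report or from oc: it reads a kubeconfig in the JSON form that `oc config view --raw -o json` emits, the two embedded sample configs are constructed to mirror the report rather than captured from a cluster, and the exec-plugin arguments in the "healthy" sample are illustrative only.

```python
"""Pre-flight check for the failure mode in this report: the current
context points at a kubeconfig user whose entry has been pruned to
``user: {}``, so every request goes out unauthenticated and the API
server evaluates it as ``system:anonymous``.

Added example, not code from the bug report or from oc. It reads a
kubeconfig in the JSON form that ``oc config view --raw -o json`` emits;
the sample configs below are constructed to mirror the report, not
captured from a real cluster, and the exec-plugin arguments in the
healthy sample are illustrative.
"""
import json
import sys

# Keys that carry a usable credential in a kubeconfig user entry
# (the client-go AuthInfo fields).
CREDENTIAL_KEYS = (
    "token", "tokenFile", "client-certificate", "client-certificate-data",
    "client-key", "client-key-data", "username", "password",
    "auth-provider", "exec",
)


def current_user_entry(cfg):
    """Return (context_name, user_name, user_dict) for cfg's current-context.

    user_dict is None when the context names a user that has no entry at all.
    """
    ctx_name = cfg.get("current-context")
    ctx = next((c for c in cfg.get("contexts", []) if c.get("name") == ctx_name), None)
    if ctx is None:
        raise ValueError(f"current-context {ctx_name!r} not found in contexts")
    user_name = ctx.get("context", {}).get("user")
    entry = next((u for u in cfg.get("users", []) if u.get("name") == user_name), None)
    if entry is None:
        return ctx_name, user_name, None
    return ctx_name, user_name, entry.get("user") or {}


def diagnose(cfg):
    """Classify the credential state of the current context's user.

    credential is "missing" (no users[] entry), "empty" (the ``user: {}``
    case from the report), "exec" (an exec plugin such as oc-oidc), or the
    first static credential key found; anonymous is True whenever requests
    would reach the server carrying no credential at all.
    """
    ctx_name, user_name, user = current_user_entry(cfg)
    if user is None:
        kind = "missing"
    else:
        present = [k for k in CREDENTIAL_KEYS if k in user]
        kind = "exec" if "exec" in present else (present[0] if present else "empty")
    return {
        "context": ctx_name,
        "user": user_name,
        "credential": kind,
        "anonymous": kind in ("missing", "empty"),
    }


# Constructed sample: the post-"oc login -u" kubeconfig shown in the report.
_CLUSTER = "api-xxxx-devcluster-openshift-com:6443"
_USER = "oidc-user-test:xxia@redhat.com/" + _CLUSTER
_CONTEXT = "default/" + _CLUSTER + "/oidc-user-test:xxia@redhat.com"
PRUNED_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": _CLUSTER,
                  "cluster": {"server": "https://api.xxxx.devcluster.openshift.com:6443"}}],
    "contexts": [{"name": _CONTEXT,
                  "context": {"cluster": _CLUSTER, "namespace": "default", "user": _USER}}],
    "current-context": _CONTEXT,
    "users": [{"name": _USER, "user": {}}],
}

# Constructed sample: the same entry as the step 2 exec-plugin login would
# leave it (exec arguments are illustrative, not oc's exact output).
HEALTHY_KUBECONFIG = json.loads(json.dumps(PRUNED_KUBECONFIG))
HEALTHY_KUBECONFIG["users"][0]["user"] = {
    "exec": {
        "apiVersion": "client.authentication.k8s.io/v1",
        "command": "oc",
        "args": ["get-token", "--issuer-url", "https://issuer.example/realm"],
        "interactiveMode": "IfAvailable",
    }
}


def main(argv):
    """Check a kubeconfig JSON file (or the embedded samples); return 1 if anonymous."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            configs = {argv[1]: json.load(fh)}
    else:
        configs = {"pruned (from report)": PRUNED_KUBECONFIG, "healthy": HEALTHY_KUBECONFIG}
    worst = 0
    for label, cfg in configs.items():
        d = diagnose(cfg)
        status = "WOULD BE system:anonymous" if d["anonymous"] else "ok"
        print(f"{label}: context={d['context']} user={d['user']} "
              f"credential={d['credential']} -> {status}")
        worst = max(worst, int(d["anonymous"]))
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Saved as, say, check_kubeconfig.py (the filename is an assumption), it can be run against the live config with `python3 check_kubeconfig.py <(oc config view --raw -o json)`; after the step 4 command it reports the current user as `credential=empty -> WOULD BE system:anonymous`, which is the state behind the Forbidden errors in step 5, and exits non-zero so it can gate a script before the first real oc call.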

Assignee: Ondřej Kupka
Reporter: Xingxing Xia
Ying Zhou