Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: 4.20.0
Affects Version/s: 4.19.z, 4.20.0
Component/s: oc
Labels:
- pre-merge-tested
- pre-merge-verified

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Moderate
Regression:
None

Target Backport Versions:
None
Target Version:

4.20
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Before this update, the `oc login -u` command in external OIDC environments succeeded but removed user credentials, causing subsequent `oc` commands to fail. With this release, the `oc login -u` command no longer modifies kubeconfig, preventing subsequent `oc` commands from failing. As a result, the fix prevents `oc login -u` from removing user credentials, ensuring subsequent "oc" commands work correctly. (link:https://issues.redhat.com/browse/OCPBUGS-58393[OCPBUGS-58393])
____
Fixed oc login -u <username> pruning relevant user section in kubeconfig when an external OIDC provider is being used.

Show
* Before this update, the `oc login -u` command in external OIDC environments succeeded but removed user credentials, causing subsequent `oc` commands to fail. With this release, the `oc login -u` command no longer modifies kubeconfig, preventing subsequent `oc` commands from failing. As a result, the fix prevents `oc login -u` from removing user credentials, ensuring subsequent "oc" commands work correctly. (link: https://issues.redhat.com/browse/OCPBUGS-58393 [ OCPBUGS-58393 ]) ____ Fixed oc login -u <username> pruning relevant user section in kubeconfig when an external OIDC provider is being used.

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

"oc login -u" in external oidc env can succeed but misleadingly causes following oc commands fail

Version-Release number of selected component (if applicable):

oc 4.20.0-0.nightly-2025-07-01-051543
Server version 4.20.0-0.nightly-2025-07-01-051543

How reproducible:

Always

Steps to Reproduce:

1. Configure external oidc env.

2. Log in successfully:
$ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email,profile --callback-port=8080
Please visit the following URL in your browser: http://localhost:8080
Logged into "https://api.xxxx.devcluster.openshift.com:6443" as "oidc-user-test:xxia@redhat.com" from an external oidc issuer.

You don't have any projects. Contact your system administrator to request a project.

3. Any other oc operations that may switch contexts like oc config use-context admin.

4. One happens to run below "oc login -u" command, it succeeds:
$ oc login -u oidc-user-test:xxia@redhat.com
Logged into "https://api.xxxx.devcluster.openshift.com:6443" as "oidc-user-test:xxia@redhat.com" using existing credentials.

Using "default" namespace.  You can switch namespaces with:

 oc project <projectname>

5. Run any oc commands like below. All fail:
$ oc whoami
Error from server (Forbidden): users.user.openshift.io "~" is forbidden: User "system:anonymous" cannot get resource "users" in API group "user.openshift.io" at the cluster scope

$ oc get project
Error from server (Forbidden): projects.project.openshift.io is forbidden: User "system:anonymous" cannot list resource "projects" in API group "project.openshift.io" at the cluster scope

Checking the kubeconfig, found:
$ cat $KUBECONFIG
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://api.xxxx.devcluster.openshift.com:6443
  name: api-xxxx-devcluster-openshift-com:6443
contexts:
- context:
    cluster: api-xxxx-devcluster-openshift-com:6443
    namespace: default
    user: oidc-user-test:xxia@redhat.com/api-xxxx-devcluster-openshift-com:6443
  name: default/api-xxxx-devcluster-openshift-com:6443/oidc-user-test:xxia@redhat.com
current-context: default/api-xxxx-devcluster-openshift-com:6443/oidc-user-test:xxia@redhat.com
kind: Config
preferences: {}
users:
- name: oidc-user-test:xxia@redhat.com/api-xxxx-devcluster-openshift-com:6443
  user: {}

Actual results:

Step 4 "oc login -u" can succeed. But following oc commands all fail. The kubeconfig shows credential is modified to be empty "user: {}" by the successful "oc login -u" command, which makes step 5 oc commands fail.

Expected results:

If "oc login -u" shouldn't be supported, a proper warning message should show instead to tell us.

Otherwise, if "oc login -u" should be supported, it should not remove the credential to be empty "user: {}" which makes the following oc commands fail, which is very misleading.

Additional info:

links to

openshift/oc#2075: OCPBUGS-58393: oc login: Preserve ExecProvider on oc login -u

Assignee:: Ondřej Kupka

Reporter:: Xingxing Xia

Need Info From:: None

Contributors:: None

QA Contact:: Ying Zhou

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2025/07/04 1:18 PM

Updated:: 2025/10/01 2:58 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide