Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: 4.20.0
Component/s: Management Console
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Critical
Regression:
None
Epic Link:
CNTRLPLANE-1321

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

After configure external odic provider in authentication cluster, cannot login to console, always endless loop to redirect to console.

Version-Release number of selected component (if applicable):

    v 4.20

How reproducible:

     always

Steps to Reproduce:

    1. Install external identity provider and configure callbackURL : https://<console_route>/auth/callback
    2. Login to openshift  and enable exteral oidc feature
    $oc patch featuregate/cluster -p   '{"spec":{"featureSet": "TechPreviewNoUpgrade"}}'  --type=merge
     
    3. Create secret with  client secret
        $oc create secret generic gitlab-secret --from-literal=clientSecret=<client-secret> -n openshift-config

    4. Configure gitlab as oidc provider 
```
  spec:
  oidcProviders:
  - claimMappings:
      groups:
        claim: groups
        prefix: 'oidc-groups-test:'
      username:
        claim: "email"
        prefixPolicy: "Prefix"
        prefix:
          prefixString: "oidc-user-test:"
    name: gitlab-oidc
    issuer:
      issuerURL: "https://gitlab.com"
      audiences:
      - "<CONSOLE_CLIENT_ID"
    oidcClients:
    - clientID: "<CLIENT_ID>"
      clientSecret:
        name: "gitlab-secret"
      componentName: console
      componentNamespace: openshift-console
   type: "OIDC"
```
     5. Login with openshift-console,  always  redirect  page with a dead loop, 

      6.Check apiserver log：
Unable to authenticate the request" err="[invalid bearer token, oidc: parse username claims \"email\": claim not present]"

Actual results:
Cannot login to console with external idp provider, here's screenshot: https://drive.google.com/file/d/1-1I_z256Ff54HK0JTxHWBB0gIivpAcWG/view

    Expected results:{code:none}
   Should login in console successfully

Additional info:

is documented by

OCPBUGS-64627 Need add note if Console is not enabled, `oidcClients` should not be set when setting external oidc

ASSIGNED

relates to

OCPBUGS-64943 Runtime error when parsing user from request context

POST

Assignee:: Jon Jackson

Reporter:: Wen Wang

Need Info From:: None

Contributors:: None

QA Contact:: Wen Wang

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2025/07/16 1:09 AM

Updated:: 2025/11/21 12:39 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates