Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.15.z, 4.17.z, 4.16.z, 4.18.z, 4.19.z, 4.20.0
Component/s: Management Console
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

There is an issue with the session handling for the special kube:admin user. 

When the session's access token expires (as defined by accessTokenMaxAgeSeconds in the OAuth configuration), the console receives a 401 Unauthorized error. This 401 error incorrectly triggers the standard logout flow instead of the specific flow required for kube:admin.

As noted in the console's own source code, the kube:admin user requires a special logout process (logoutKubeAdmin function) to clear a session cookie on the OAuth server. 

Because this special process is not being called upon token expiry, the OAuth server immediately re-issues a token, logging the user back in without any user interaction. This prevents the session from properly terminating.

Version-Release number of selected component (if applicable):

4.20, 4.19.z, 4.18.z, 4.17.z, 4.16.z, 4.15.z

How reproducible:

Always

Steps to Reproduce:

1. Log in to the web console as the kube:admin user.

2. Set the accessTokenMaxAgeSeconds. You can do with this command: 

oc patch oauth cluster --type='merge' -p='{"spec":{"tokenConfig":{"accessTokenMaxAgeSeconds":10}}}'

3. Wait for the session's access token to expire based on the accessTokenMaxAgeSeconds duration.

4. After the token has expired, perform any action in the console that requires an API call (e.g., navigating to a new page or refreshing data).

5.Observe the application's behavior.

Actual results:

The 401 error triggers a standard logout, but the user is immediately and automatically logged back into the console. The page will reload, but the session is seamlessly re-established without prompting for credentials.

Expected results:

When the kube:admin token expires and a 401 error is received, the user should be fully logged out and redirected to the login page. They should be required to re-authenticate to start a new session.

Additional info:

Root Cause AnalysisThe problem lies in the global error handling logic for API requests.

When an API request fails with a 401 Unauthorized status after the token has expired, the logic:

console/frontend/public/co-fetch.ts:56-58

if (response.status === 401 && shouldLogout(url)) {
  authSvc.logout(next);
}


This code invokes the standard authSvc.logout() function. However, the kube:admin user requires a special logout handler, logoutKubeAdmin(), to function correctly, as documented in console/frontend/public/module/auth.js:99-102, function logoutKubeAdmin

The current implementation bypasses this required logoutKubeAdmin function, failing to clear the necessary server-side session cookie and causing the immediate re-authentication loop. The error handler needs to be updated to check if the current user is kube:admin and call the appropriate logout function. Should be an easy fix.

Assignee:: Unassigned

Reporter:: Leo Li

Need Info From:: None

Contributors:: None

QA Contact:: YaDan Pei

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/08/12 3:24 PM

Updated:: 2025/09/22 2:10 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates

Hide