Bug
Resolution: Unresolved
4.19, 4.20, 4.21
Quality / Stability / Reliability
Moderate
Description of problem:
A customer has feedback and questions about `oc login` against an external OIDC provider. Their points are summarized below so that we can improve the `oc login` documentation for external OIDC at https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/authentication_and_authorization/external-auth .
Version-Release number of selected component (if applicable):
4.19 to 4.21
Issues to improve:
1. Document that the `--client-secret` flag is required in the `oc login` command when the application client registered at the identity provider is not a public client (that is, a confidential client that was issued a client secret).

2. Document how to view the JWT tokens that `oc login` obtains: the token files are stored under `~/.kube/cache/oc` by default, or under the directory set by the `KUBECACHEDIR` environment variable (`export KUBECACHEDIR=/path/to/directory`). Document that the JWT token is not stored in the kubeconfig. Document the structure of the kubeconfig credential fields after a successful `oc login` in an external OIDC environment, for example:

```yaml
$ view kubeconfig
...
- name: oidc-user-test:xxia@redhat.com/xxxx:6443
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1
      args:
      - get-token
      - --issuer-url=https://login.microsoftonline.com/xxxx/v2.0
      - --client-id=679a03a7-xxxx
      - --callback-address=127.0.0.1:8080
      - --extra-scopes=email,profile
      command: oc
      env: null
      installHint: Please be sure that oc is defined in $PATH to be executed as credentials exec plugin
      interactiveMode: IfAvailable
      provideClusterInfo: false
```

The cached token is a bearer credential: anyone who can read the cache directory can act as that user until the token expires, so the documentation should also say that the cache directory needs the same protection as the kubeconfig itself.

3. Document possible troubleshooting steps when `oc login` fails. For example, on a 401 response users should inspect the JWT and the kube-apiserver pods' logs; the KAS logs can show messages such as `"Unable to authenticate the request" err="[invalid bearer token, oidc: email not verified]"` or `"Unable to authenticate the request" err="[invalid bearer token, oidc: parse username claims \"email\": claim not present]"`, which tell the user what is wrong.
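As an added example for the troubleshooting point above (this is not code from the bug report, from `oc`, or from the OpenShift documentation), the following script decodes a JWT without verifying it and reports the conditions that produce the two KAS log lines quoted above, plus the usual issuer, audience and expiry mismatches. The issuer URL and client ID are taken from the kubeconfig exec args quoted in the report; the claim checks mirror the upstream Kubernetes OIDC authenticator, which rejects a token whose configured username claim is absent and, when that claim is `email`, a token whose `email_verified` claim is present but not `true`. The sample token the script falls back to is constructed here and unsigned; a real token is pasted on stdin after extracting it from the cache file (the cache file layout itself is not described on this page, so the script takes the raw JWT string).

```python
"""Offline inspection of an OIDC ID token used by `oc login` (added example)."""
import base64
import json
import sys
import time

# Values taken from the kubeconfig exec args quoted in the report.
ISSUER_URL = "https://login.microsoftonline.com/xxxx/v2.0"  # --issuer-url
CLIENT_ID = "679a03a7-xxxx"                                 # --client-id


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for feeding the inspector.

    kube-apiserver would reject such a token; it exists only so this example
    runs offline without a real identity provider.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    This only reads what the token says; kube-apiserver is the component that
    verifies the signature against the issuer's JWKS before trusting it.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token(token, issuer_url=ISSUER_URL, client_id=CLIENT_ID,
                  username_claim="email", now=None):
    """Return human-readable problems that would make kube-apiserver answer 401.

    `username_claim` is the claim the cluster maps to the username; "email"
    matches the KAS log lines quoted in the report.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []

    if claims.get("iss") != issuer_url:
        problems.append(f"iss {claims.get('iss')!r} != kubeconfig --issuer-url {issuer_url!r}")

    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append(f"aud {aud!r} does not contain kubeconfig --client-id {client_id!r}")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append(f"token expired or has no exp (exp={exp!r}); rerun oc login")

    # Mirrors the upstream OIDC authenticator: the configured username claim
    # must be present ...
    if username_claim not in claims:
        problems.append(f'username claim "{username_claim}" not present '
                        f'(KAS: oidc: parse username claims "{username_claim}": claim not present)')
    # ... and when it is "email", a present-but-not-true email_verified is rejected.
    if username_claim == "email" and "email_verified" in claims and claims["email_verified"] is not True:
        problems.append(f"email_verified={claims['email_verified']!r} (KAS: oidc: email not verified)")

    return problems


if __name__ == "__main__":
    # Usage: python inspect_token.py < token.txt   (the raw JWT string from the cache)
    # With no input, a constructed token reproducing the "email not verified" case is used.
    raw = sys.stdin.read().strip() or make_unsigned_token(
        {"iss": ISSUER_URL, "aud": CLIENT_ID, "exp": int(time.time()) + 3600,
         "email": "xxia@redhat.com", "email_verified": False})
    for claim, value in sorted(decode_claims(raw).items()):
        print(f"{claim:>15}: {value}")
    for problem in inspect_token(raw) or ["no problems found; check the KAS logs for other causes"]:
        print("-", problem)
```

An empty result from `inspect_token` does not prove the token is valid (the signature is not checked here); it only rules out the claim-level causes that the KAS log lines above point at, so the next step is still the kube-apiserver log.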
Additional info: