oauth-server with a single non-login identity provider creates a fail loop with console

Details

    • Low
    • Unspecified
      * Previously, the console would continue attempting to authenticate if the cluster authentication configuration caused errors and no error was displayed. With this update, the authentication logic was updated to redirect to an error page when the authentication response returns an error, and provides information for next steps. (link:https://issues.redhat.com/browse/OCPBUGS-8777[*OCPBUGS-8777*])
    • Bug Fix
    • Done

    Description

      Description of problem:
      When configured with a single identity provider that's not capable of login authentication flows, the oauth-server returns an error when accessed from the browser. When the oauth-server is accessed from the web console, this error causes a redirect loop between the oauth-server and the console.

      Version-Release number of selected component (if applicable):
      4.5

      How reproducible:
      100%

      Steps to Reproduce:
      1. Configure a request header IdP with some bogus ChallengeURL and no LoginURL
      2. Disable the kubeadmin user by deleting the kube-system/kubeadmin secret
      3. Wait for the changes to be applied to the oauth-server's deployment
      4. Go to the console's URL

      Actual results:
      The console tries to access a resource, gets an "unauthorized" error, redirects the user to the oauth-server, the oauth-server errors out because it does not allow browser login, redirects the user to the console, and the loop repeats infinitely.

      Expected results:
      The oauth-server presents the user with a login page that won't allow them to log in OR the server errors out with a clear error that tells the console not to try to loop back to it again.
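
The loop from the report next to the behaviour the release note describes, as an added Go example (not the console's or the oauth-server's own code). The route names and the sample error reply are assumptions constructed for illustration; the `error` and `error_description` parameters are the RFC 6749 authorization error response fields.

```go
package main

import (
	"fmt"
	"net/url"
)

// Hypothetical route names; the page does not give the console's real paths.
const loginPath, errorPath, homePath = "/auth/login", "/auth/error", "/"

// oldCallback models the reported behaviour: no code means "try login again".
func oldCallback(q url.Values) string {
	if q.Get("code") != "" {
		return homePath
	}
	return loginPath
}

// fixedCallback treats an RFC 6749 error response, or a callback with no code
// at all, as terminal and routes to an error page that keeps the server's detail.
func fixedCallback(q url.Values) string {
	if q.Get("error") == "" && q.Get("code") != "" {
		return homePath
	}
	out := url.Values{}
	for _, k := range []string{"error", "error_description"} {
		if v := q.Get(k); v != "" {
			out.Set(k, v)
		}
	}
	return (&url.URL{Path: errorPath, RawQuery: out.Encode()}).String()
}

// Hops replays the console/oauth-server round trip until the handler stops
// choosing loginPath, giving up after limit attempts with the same reply.
func Hops(handler func(url.Values) string, serverReply string, limit int) (int, string) {
	q, _ := url.ParseQuery(serverReply)
	for n := 1; n <= limit; n++ {
		if next := handler(q); next != loginPath {
			return n, next
		}
	}
	return limit, loginPath
}

func main() {
	reply := "error=access_denied&error_description=browser+login+not+supported" // constructed
	fmt.Println(Hops(oldCallback, reply, 20))   // still looping when the cap is hit
	fmt.Println(Hops(fixedCallback, reply, 20)) // stops on the first callback
}
```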

          People

            rh-ee-jonjacks Jon Jackson
            slaznick@redhat.com Stanislav Laznicka
            Yanping Zhang Yanping Zhang