[Hosted che] Openshift oAuth returns invalid token #17020

Closed
vinokurig opened this issue May 26, 2020 · 7 comments
Labels
area/hosted-che kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.

Comments

@vinokurig
Contributor

Openshift oAuth provider returns invalid token for the Openshift which runs hosted Che.

Steps to reproduce

  1. Create a workspace with the openshift connector plugin.
  2. Start the workspace
  3. See error:
    [screenshot: screenshot-che openshift io-2020 05 26-13_09_12]
  4. Open terminal for the openshift-connector sidecar
  5. Execute curl -H 'Authorization: Bearer <user token>' https://che.openshift.io/api/oauth/token?oauth_provider=openshift and see the token
  6. Execute oc get user --token <token from the request>
  7. See authorisation error.

It is strange that the oauth/token request can return a token even without specifying the oauth_provider parameter (curl -H 'Authorization: Bearer <user token>' https://che.openshift.io/api/oauth/token).

Expected behavior

The token must be valid


@vinokurig vinokurig added kind/bug Outline of a bug - must adhere to the bug report template. area/hosted-che labels May 26, 2020
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label May 26, 2020
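
The reproduction steps in the report above, written as a diagnostic script. This is an added example, not code from the issue or from Eclipse Che. It assumes the Che endpoint replies with JSON carrying the provider token in a `token` field, and `cluster_api` is a placeholder for the OpenShift API server URL, which the issue does not give. It also tells a user token apart from a service-account token such as `che-workspace`.

```python
import json
import urllib.error
import urllib.request

CHE_TOKEN_URL = "https://che.openshift.io/api/oauth/token?oauth_provider=openshift"
WHOAMI_PATH = "/apis/user.openshift.io/v1/users/~"  # the endpoint `oc whoami` queries

def extract_token(che_body):
    """Return the provider token from the Che reply (assumed shape: {"token": "..."})."""
    token = json.loads(che_body).get("token")
    if not isinstance(token, str) or not token.strip():
        raise ValueError("Che reply carries no usable 'token' field")
    return token.strip()

def classify_identity(status, body):
    """Map the cluster's reply for users/~ to a verdict about the token."""
    if status == 401:
        return "invalid"  # the authorisation error from step 7
    if status != 200:
        return "unknown"
    name = json.loads(body).get("metadata", {}).get("name", "")
    if name.startswith("system:serviceaccount:"):
        return "service-account"  # e.g. che-workspace, not the user's own identity
    return "user" if name else "unknown"

def http_get(url, bearer):
    """GET with a bearer token; returns (status, body) for 2xx and error replies alike."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def check(che_user_token, cluster_api):
    """cluster_api: OpenShift API server URL (placeholder, not given in the issue)."""
    status, body = http_get(CHE_TOKEN_URL, che_user_token)
    if status != 200:
        return "che-error"
    token = extract_token(body)  # keep the token out of logs and terminal history
    return classify_identity(*http_get(cluster_api.rstrip("/") + WHOAMI_PATH, token))

if __name__ == "__main__":
    # Constructed replies, so the classification can be seen without a cluster.
    print(classify_identity(401, '{"kind": "Status", "code": 401}'))
    print(classify_identity(200, '{"metadata": {"name": "developer"}}'))
```
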
@ibuziuk
Member

ibuziuk commented May 26, 2020

Sorry, not following what is the expected behaviour? Have you seen #16890?

@vinokurig
Contributor Author

The expected behaviour should be a valid openshift token response from the curl -H 'Authorization: Bearer <user token>' https://che.openshift.io/api/oauth/token?oauth_provider=openshift request

@vinokurig
Contributor Author

#16890 needs this to login automatically

@skabashnyuk skabashnyuk added severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels May 26, 2020
@ibuziuk
Member

ibuziuk commented May 27, 2020

@vinokurig could you clarify how the plugin works atm? As you can see, it logs in to the *-che namespace:

https://user-images.githubusercontent.com/1461122/81581490-1808a100-93af-11ea-9cf2-fd8a44a7f262.png

I do not understand what is expected to be done on Hosted Che end. Also see: #16890 (comment)

@vinokurig
Contributor Author

@ibuziuk

> could you clarify how the plugin works atm? as you can see it login to the *-che namespace:

It is logged in as system:serviceaccount:*-che:che-workspace (oc whoami output) but to get access to the user's cluster:
[screenshot: screenshot-che openshift io-2020 05 27-17_28_14]
I've logged in via login and password, but to automate the login flow we need the user openshift token which can be received by the oAuth API. The oauth API works nice in my local minishift assembly but https://che.openshift.io/api/oauth/token API request returns an invalid token.

@ibuziuk
Member

ibuziuk commented Jun 1, 2020

@vinokurig based on the #16890 (comment) it looks like it is not a good idea to fall back on che specific API. Also, I do not understand why if the login is failing the OpenShift connector still logs in to the *-che namespace correctly? (what login mechanism is used there?)

https://user-images.githubusercontent.com/1461122/81581490-1808a100-93af-11ea-9cf2-fd8a44a7f262.png

@ericwill wdyt about closing the issue in favor of #16890 and continue the discussion in one place?

@ericwill
Contributor

ericwill commented Jun 1, 2020

> @ericwill wdyt about closing the issue in favor of #16890 and continue the discussion in one place?

Yes, sure. @vinokurig let's continue the discussion in #16890
