failures on OIDC users to create robot account in their projects

[sicko583]

Hi team,

We are running Harbor on v2.10.2 and with OIDC integration with Keycloak.

We happen to find that the OIDC users can not create robot account in their projects. No errors found during the creation, seems to be some frontend display issue:

The workaround is to grant the customer with project admin access instead of OIDC groups, then he can create robot account as expected. But this may bring another issue when login with robot account:

[root@DI2CNCTU0176WNB ~]# docker login https://harbor.xxx
Username: robot$client-test+testing
Password:
Error response from daemon: Get https://harbor.xxx/v2/: unauthorized: authentication required

some logs in core found:

2024-06-21T09:29:20Z [ERROR] [/server/middleware/security/robot.go:58][requestID="69edae9dd49c89eb0dd38c90ddeba9b1"]: failed to authenticate robot account: robot$client-test+testing
2024-06-21T09:29:20Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="10.27.63.71" requestID="69edae9dd49c89eb0dd38c90ddeba9b1" user agent="docker/1.13.1 go/go1.10.3 kernel/5.10.16.3-microsoft-standard-WSL2 os/linux arch/amd64 UpstreamClient(Docker-Client/1.13.1 \(linux\))"]: failed to authenticate user:robot$client-test+testing, error:not supported

The only way to fix that is to create a robot account in global settings, then grant project access, and it goes fine as expected.

Does this impact by robot access changes in new version?

[MinerYang]

Hi @sicko583 ,

This is a known issue (#19928) that has been fixed in v2.11. Sorry for the inconvenience.

[sicko583]

Hi @sicko583 ,

This is a known issue (#19928) that has been fixed in v2.11. Sorry for the inconvenience.

Thanks for your help @MinerYang , I just found that v2.11.0 was released two weeks ago, I will have a try with v2.11.