Can't open GWT-IDE (Che 7) by 'accessing a cross-origin frame' on multi-user with multi-host env. #12585

Closed
monaka opened this issue Feb 2, 2019 · 13 comments
Labels
kind/bug Outline of a bug - must adhere to the bug report template. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@monaka
Member

monaka commented Feb 2, 2019

Description

I tried to open Che7. It looks like the broker and instances were started. But the editor wasn't shown.

Reproduction Steps

  1. Multi-user Che with Keycloak on Kubernetes (my case is Azure AKS).
  2. Create a workspace with Che7 stack.
  3. Open the workspace.

OS and version:

Che: 6.18.0-SNAPSHOT (with Keycloak)
Client: ChromeOS Version 71.0.3578.127 (Official Build) (64-bit)

Diagnostics:

Logs on my client

che7?uid=766960:75 Cannot load keycloak settings. This is normal for single-user mode. DOMException: Blocked a frame with origin "https://servert08w6eps-jwtproxy-server-4402.{domain}" from accessing a cross-origin frame.
    at Object.loadKeycloakSettings (https://servert08w6eps-jwtproxy-server-4402.{domain}/OpenTestModelingIni/che7?uid=766960:66:55)
    at setTimeout (https://servert08w6eps-jwtproxy-server-4402.{domain}/OpenTestModelingIni/che7?uid=766960:407:20)
loadKeycloakSettings @ che7?uid=766960:75
setTimeout @ che7?uid=766960:407
setTimeout (async)
(anonymous) @ che7?uid=766960:406

VM386 keycloak.js:911 GET https://keycloak-camino.{domain}/auth/realms/che/protocol/openid-connect/auth?client_id=che-public&redirect_uri=https%3A%2F%2Fservert08w6eps-jwtproxy-server-4402.{domain}%2FOpenTestModelingIni%2Fche7%3Fuid%3D766960&state=8e328f1a-2178-4a0f-a02c-dae36ef78d5d&nonce=8c971f96-4d29-4a82-85e9-be8e8ae12f1e&response_mode=fragment&response_type=code&scope=openid 400
login @ VM386 keycloak.js:911
Keycloak.kc.login @ VM386 keycloak.js:214
doLogin @ VM386 keycloak.js:128
onLoad @ VM386 keycloak.js:151
processInit @ VM386 keycloak.js:196
success @ VM386 keycloak.js:795
Keycloak.kc.init @ VM386 keycloak.js:205
initKeycloak @ VM384 che7:156
script.onload @ VM384 che7:115
load (async)
injectKeycloakScript @ VM384 che7:114
request.onload @ VM384 che7:88

Refused to display 'https://keycloak-camino.{domain}/auth/realms/che/protocol/openid-connect/auth?client_id=che-public&redirect_uri=https%3A%2F%2Fservert08w6eps-jwtproxy-server-4402.c.pizzafactory.jp%2FOpenTestModelingIni%2Fche7%3Fuid%3D766960&state=8e328f1a-2178-4a0f-a02c-dae36ef78d5d&nonce=8c971f96-4d29-4a82-85e9-be8e8ae12f1e&response_mode=fragment&response_type=code&scope=openid' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
@monaka
Member Author

monaka commented Feb 2, 2019

My Che is patched. But I guess it isn't related to this issue.

@skabashnyuk
Contributor

  1. Is dashboard working?
  2. Is Che6 workspace working?
  3. At which state do you see this error? Can you make a screencast?
  4. How did you deploy your Keycloak instance?

@skabashnyuk skabashnyuk added the kind/question Questions that haven't been identified as being feature requests or bugs. label Feb 2, 2019
@monaka
Member Author

monaka commented Feb 2, 2019

@skabashnyuk 1. Yes. 2. Yes. 3. Attached here. 4. helm chart (with some patches as #11761).
screenshot 2019-02-03 at 06 18 27

@monaka
Member Author

monaka commented Feb 2, 2019

Here (see the attached screenshot) is the place where the first exception was raised. This may be a timing issue as it is called from setTimeout (updated: see my next comment).
screenshot 2019-02-03 at 06 40 28

@monaka
Member Author

monaka commented Feb 3, 2019

Additional info. I can spin up my workspace with Theia IDE. But always fails with GWT IDE. I guess this issue is caused by bugs in GWT IDE...

screenshot 2019-02-03 at 09 30 31

@monaka monaka changed the title Can't open che7 by 'accessing a cross-origin frame' on multi-user env. Can't open GWT-IDE (Che 7) by 'accessing a cross-origin frame' on multi-user env. Feb 3, 2019
@skabashnyuk
Contributor

#12585 (comment) that is expected. Line 72-74 explains this situation. What about next errors in chrome console? Can you share workspace json in runtime curl http://host/api/workspace/workspaceid ?

@monaka
Member Author

monaka commented Feb 10, 2019

@skabashnyuk Hmm. I believe that is unexpected.

Here is the detailed message. It seems it is a typical cross-origin frame issue. I've not tested on single-host but it will be reproduced on multi-host environment only.
It will be fixed by parent/iframe inter-communication with postMessage().

Exception: DOMException: Blocked a frame with origin "https://serverkm6hd4lf-jwtproxy-server-4402.{domain}" from accessing a cross-origin frame. at https://serverkm6hd4lf-jwtproxy-server-4402.{domain}
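
The postMessage() approach proposed in the comment above, as an added example that is not part of the original thread or Che's code: the parent page hands the Keycloak settings to the workspace frame only after checking the sender's origin, and the frame accepts them only from the expected parent. The message type names and origins are hypothetical.

```javascript
// Added example (not Che code): pass Keycloak settings from the parent page
// to the IDE frame with postMessage instead of reading window.parent
// properties, which the browser blocks across origins.

const REQUEST = 'che:keycloak-settings:request';   // hypothetical message type
const RESPONSE = 'che:keycloak-settings:response'; // hypothetical message type

// Parent side: answer only frames whose origin is on the allow-list.
function makeParentHandler(settings, allowedOrigins) {
  return function onMessage(event) {
    if (!allowedOrigins.includes(event.origin)) return false; // unknown frame
    if (!event.data || event.data.type !== REQUEST) return false;
    // Reply to the exact origin that asked, never to '*'.
    event.source.postMessage({ type: RESPONSE, settings }, event.origin);
    return true;
  };
}

// Child side: accept settings only from the expected parent origin.
function makeChildHandler(parentOrigin, onSettings) {
  return function onMessage(event) {
    if (event.origin !== parentOrigin) return false;
    if (!event.data || event.data.type !== RESPONSE) return false;
    onSettings(event.data.settings);
    return true;
  };
}

// Browser wiring (not executed here):
//   parent: window.addEventListener('message', makeParentHandler(settings, origins));
//   child:  window.addEventListener('message', makeChildHandler(parentOrigin, cb));
//           window.parent.postMessage({ type: REQUEST }, parentOrigin);
```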

@skabashnyuk
Contributor

Can you share workspace json in runtime curl http://host/api/workspace/workspaceid ?

@monaka
Member Author

monaka commented Feb 12, 2019

I couldn't find /api/workspace/workspaceid in Swagger. So I got via https://{{host}}/api/workspace/namespace/OpenTestModelingIni?status=RUNNING (actually, {{host}} is valid DNS domain name.)

[
  {
    "namespace": "OpenTestModelingIni",
    "status": "RUNNING",
    "config": {
      "environments": {
        "default": {
          "recipe": {
            "contentType": "application/x-yaml",
            "type": "kubernetes",
            "content": "kind: List\nitems:\n - \n  apiVersion: v1\n  kind: Pod\n  metadata:\n   name: ws\n  spec:\n   containers:\n    - \n     image: wsskeleton/che-plugin-dev-tooling\n     name: dev\n     resources:\n      limits:\n       memory: 512Mi\n"
          },
          "machines": {
            "ws/dev": {
              "env": {},
              "servers": {},
              "volumes": {
                "projects": {
                  "path": "/projects"
                }
              },
              "installers": [],
              "attributes": {
                "memoryLimitBytes": "536870912"
              }
            }
          }
        }
      },
      "commands": [
        {
          "commandLine": "echo ${CHE_OSO_CLUSTER//api/console}",
          "name": "Get OpenShift Console URL",
          "type": "custom",
          "attributes": {}
        }
      ],
      "projects": [],
      "defaultEnv": "default",
      "name": "che7",
      "attributes": {
        "editor": "org.eclipse.che.editor.gwt:1.0.0",
        "plugins": "che-machine-exec-plugin:0.0.1"
      },
      "links": []
    },
    "temporary": false,
    "links": {
      "self": "https://{{host}}/api/workspace/workspaceav2iih4dt3395scm",
      "ide": "https://{{host}}/OpenTestModelingIni/che7",
      "environment/statusChannel": "wss://{{host}}/api/websocket",
      "environment/outputChannel": "wss://{{host}}/api/websocket"
    },
    "id": "workspaceav2iih4dt3395scm",
    "attributes": {
      "org.eclipse.che.runtimes_id": "runtimesrxtsjchpzzb5vy40",
      "updated": "1549932879521",
      "created": "1547779666146",
      "stackId": "che7-preview-plugin-dev"
    }
  }
]

@monaka
Member Author

monaka commented Mar 28, 2019

I traced code and see some more. The DOMException is caught by catch and falls down. But it fails to authenticate by 400 error because the origin is jwt-proxy. Not the API endpoint. (by redirect_uri restriction)

This looks to be a bug. I'll send PR later.
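
An added triage sketch for the 400 described in the comment above (not Che or Keycloak code): it pulls redirect_uri out of an authorization request and tests it against a client's registered redirect URIs, using a simplified model of the matching (exact, or prefix when the pattern ends in '*'). Hosts and patterns are constructed.

```javascript
// Added example (not Che or Keycloak code). Simplified model of a client's
// registered redirect URI check: exact match, or prefix match when the
// pattern ends in '*'. All hosts and patterns below are constructed.

function extractRedirectUri(authUrl) {
  // searchParams.get() returns the percent-decoded value.
  return new URL(authUrl).searchParams.get('redirect_uri');
}

function redirectUriAllowed(redirectUri, validPatterns) {
  // Assumption of this model: wildcard matching ignores query and fragment.
  const bare = redirectUri.split(/[?#]/)[0];
  return validPatterns.some((p) =>
    p.endsWith('*') ? bare.startsWith(p.slice(0, -1)) : p === redirectUri);
}

// Report which origin the login request came from and whether it is registered.
function triage(authUrl, validPatterns) {
  const redirectUri = extractRedirectUri(authUrl);
  return {
    redirectUri,
    origin: new URL(redirectUri).origin,
    allowed: redirectUriAllowed(redirectUri, validPatterns),
  };
}

// Constructed request shaped like the one in the console log of this issue:
// the redirect target is the per-workspace jwtproxy host, not the API host.
const SAMPLE_AUTH_URL =
  'https://keycloak.example.test/auth/realms/che/protocol/openid-connect/auth' +
  '?client_id=che-public&redirect_uri=' +
  encodeURIComponent('https://server1-jwtproxy-server-4402.example.test/ns/che7?uid=1') +
  '&response_mode=fragment&response_type=code&scope=openid';

// Constructed client registration that covers only the Che API host.
const REGISTERED_PATTERNS = ['https://che.example.test/*'];
```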

@monaka monaka added kind/bug Outline of a bug - must adhere to the bug report template. and removed kind/question Questions that haven't been identified as being feature requests or bugs. labels Mar 28, 2019
@monaka monaka changed the title Can't open GWT-IDE (Che 7) by 'accessing a cross-origin frame' on multi-user env. Can't open GWT-IDE (Che 7) by 'accessing a cross-origin frame' on multi-user with multi-host env. Mar 28, 2019
@skabashnyuk
Contributor

@monaka duplicate #12273 ?

@monaka
Member Author

monaka commented Apr 5, 2019

@skabashnyuk I inspected for a week. It looks bingo (duplicate #12273). This issue is close to #12273 but not duplicate #12273. I could get the screenshot similar to #12273 after I applied some patches to my fork.

@che-bot
Contributor

che-bot commented Oct 18, 2019

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

@che-bot che-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 18, 2019
@che-bot che-bot closed this as completed Oct 25, 2019