Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

unauthorized error after login with External OIDC #21394

Closed
MohamedAnouar opened this issue May 12, 2022 · 7 comments
Closed

unauthorized error after login with External OIDC #21394

MohamedAnouar opened this issue May 12, 2022 · 7 comments
Labels
area/install Issues related to installation, including offline/air gap and initial setup kind/bug Outline of a bug - must adhere to the bug report template. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. severity/P2 Has a minor but important impact to the usage or development of the system.

Comments

@MohamedAnouar
Copy link

Describe the bug

When trying to configure eclipse che with external OIDC (keycloak / Azure AD) with AKS version 1.21.2, we run into unauthorized issues after deployment : we used the following configuration file :
spec:
server:
customCheProperties:
CHE_OIDC_USERNAME__CLAIM: "email"
auth:
externalIdentityProvider: true
openShiftoAuth: false
identityProviderURL: "https://login.microsoftonline.com/XXXXXXXX/v2.0"
identityProviderRealm: "XXXXX"
identityProviderClientId: "XXXXX"
oAuthClientName: "XXXX"
identityProviderSecret: "XXXX"
oAuthSecret: "XXXXX"

The command we used to install :

chectl server:deploy
--domain=xxxx.com
--platform=k8s
--telemetry=off
--che-operator-cr-patch-yaml=checluster.yml
--skip-oidc-provider-check

Che version

7.47@latest

Steps to reproduce

  1. Start a AKS cluster on Azure (version used 1.21.2)
  2. login with admin in K8S and start eclipse che deployment. with the following command :
  3. chectl server:deploy
    --domain=xxxx.com
    --platform=k8s
    --telemetry=off
    --che-operator-cr-patch-yaml=checluster.yml
    --skip-oidc-provider-check
  4. login the eclipse with the provided URL
  5. In the eclipse che web interface the is a popup saying "unauthorized"
  6. Click to create a workspace
  7. Error message "unauthorized"

Expected behavior

The user is able to access and to launch the workspace

Runtime

Kubernetes (vanilla)

Screenshots

image

Installation method

chectl/latest

Environment

Linux

Eclipse Che Logs

No response

Additional context

No response
@MohamedAnouar MohamedAnouar added the kind/bug Outline of a bug - must adhere to the bug report template. label May 12, 2022
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label May 12, 2022
@Ryder05
Copy link

Ryder05 commented May 13, 2022

You need to configure you kubernetes API server to use your externel OIDC provider.

#21049 (comment)

@MohamedAnouar
Copy link
Author

Hello, in AKS we already enabled OIDC access :
image

@Ryder05
Copy link

Ryder05 commented May 13, 2022

Hello, in AKS we already enabled OIDC access : image

you need to specify the flags --oidc-issuer-url and --oidc-client-id on the API server.

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

I had the same problem as you and i resolved it by confuguring the kube api as this image indicates.
image

@MohamedAnouar
Copy link
Author

Hello

Hello, in AKS we already enabled OIDC access : image

you need to specify the flags --oidc-issuer-url and --oidc-client-id on the API server.

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

I had the same problem as you and i resolved it by confuguring the kube api as this image indicates. image
Hello AKS is managed service, activating the OIDC option, is the same as adding the OIDC flag to the API server.

@ScrewTSW ScrewTSW added area/install Issues related to installation, including offline/air gap and initial setup severity/P2 Has a minor but important impact to the usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels May 20, 2022
@MohamedAnouar
Copy link
Author

Any recommendations?

@karatkep
Copy link

@MohamedAnouar I had the same issue for my AKS. So I have patched che-operator to pass access token to AKS. And it solved the issue for me. You can try to add below during server:deploy

--che-operator-image=docker.io/karatkep/che-operator:gamma

Hope it will help you as well.

@che-bot
Copy link
Contributor

che-bot commented Dec 11, 2022

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

@che-bot che-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 11, 2022
@che-bot che-bot closed this as completed Dec 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/install Issues related to installation, including offline/air gap and initial setup kind/bug Outline of a bug - must adhere to the bug report template. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. severity/P2 Has a minor but important impact to the usage or development of the system.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ScrewTSW @che-bot @MohamedAnouar @Ryder05 @karatkep