It's not possible to get access token for CHE with oAuth on OCP 3.11

[artaleks9]

Describe the bug

• When Che with oAuth is installed on OCP 3.11 command getting access_token returns null.
• Thus the chectl:workspace commands can't be performed for this case.

Che version

• latest
• nightly
• other: please specify

Steps to reproduce

• Che is installed with oAuth on OCP 3.11
• Login in the Che Dashboard (Note: it's important step, see the doc)
• Perform commands to get access_token (see PR):

KEYCLOAK_URL="https://$(oc get routes/keycloak -n ${productNamespace} -o jsonpath='{.spec.host}')/auth"
OS_TOKEN=$(oc whoami --show-token)
AT=$(curl -k -X POST -d "client_id=che-public" -d "subject_token=${OS_TOKEN}" -d "subject_issuer=openshift-v3" --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" $KEYCLOAK_URL/realms/che/protocol/openid-connect/token | jq -r .access_token)

Actual behavior

[ashmaraiev@localhost tmp]$ KEYCLOAK_URL=https://keycloak-aleks-che-oauth-test.apps.ocp311.crw/
[ashmaraiev@localhost tmp]$ echo $KEYCLOAK_URL
https://keycloak-aleks-che-oauth-test.apps.ocp311.crw/
[ashmaraiev@localhost tmp]$ OS_TOKEN=$(oc whoami --show-token)
[ashmaraiev@localhost tmp]$ echo $OS_TOKEN 
<some token>

[ashmaraiev@localhost tmp]$ ACCESS_TOKEN=$(curl -k -X POST -d client_id=che-public -d subject_token=$OS_TOKEN -d subject_issuer=openshift-v3 --data-urlencode grant_type=urn:ietf:params:oauth:grant-type:token-exchange --data-urlencode subject_token_type=urn:ietf:params:oauth:token-type:access_token https://keycloak-aleks-che-oauth-test.apps.ocp311.crw/auth/realms/che/protocol/openid-connect/token | jq -r .access_token)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   331  100    81  100   250     88    273 --:--:-- --:--:-- --:--:--   361
[ashmaraiev@localhost tmp]$ echo $ACCESS_TOKEN 
null
[ashmaraiev@localhost tmp]$ 

Expected behavior

• Access_token should be a string value

Runtime

• Openshift (include output of oc version)

[ashmaraiev@localhost ~]$ oc version
Client Version: 4.5.

Installation method

• chectl

[tolusha]

Why did you use subject_issuer=openshift-v4 ?

[tolusha]

If AT=$(curl ..) command prints null, pls provide the output the curl command itself

[artaleks9]

Fixed command, it was a copy / paste. Really it was used openshift-v3
We can see output of command in the 'Actual behavior' section:

[ashmaraiev@localhost tmp]$ ACCESS_TOKEN=$(curl -k -X POST -d client_id=che-public -d subject_token=$OS_TOKEN -d subject_issuer=openshift-v3 --data-urlencode grant_type=urn:ietf:params:oauth:grant-type:token-exchange --data-urlencode subject_token_type=urn:ietf:params:oauth:token-type:access_token https://keycloak-aleks-che-oauth-test.apps.ocp311.crw/auth/realms/che/protocol/openid-connect/token | jq -r .access_token)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   331  100    81  100   250     88    273 --:--:-- --:--:-- --:--:--   361

null returns 'echo $AT'

[tolusha]

I need the output just for curl command
And what does oc whoami prints ?

[artaleks9]

[ashmaraiev@localhost ~]$ oc whoami
admin

• What do you exactly mean about I need the output just for curl command?
  What I can do for it?

[tolusha]

What I can do for it?

Don't use $() and don't pipe the output to jq command

[artaleks9]

Done.

[ashmaraiev@localhost ~]$ curl -k -X POST -d "client_id=che-public" -d "subject_token=${OS_TOKEN}" -d "subject_issuer=openshift-v3" --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" https://keycloak-aleks-che-oauth-test.apps.ocp311.crw/auth/realms/che/protocol/openid-connect/token
[ashmaraiev@localhost ~]$

[tolusha]

13:51:07,423 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-4) Uncaught server error: java.lang.NullPointerException
--
  | at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getJsonProperty(AbstractOAuth2IdentityProvider.java:357)
  | at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractUserContext(OpenshiftV3IdentityProvider.java:61)
  | at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractIdentityFromProfile(OpenshiftV3IdentityProvider.java:87)
  | at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.validateExternalTokenThroughUserInfo(AbstractOAuth2IdentityProvider.java:489)
  | at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalUserInfoValidationOnly(AbstractOAuth2IdentityProvider.java:548)
  | at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalImpl(AbstractOAuth2IdentityProvider.java:528)
  | at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternal(AbstractOAuth2IdentityProvider.java:519)
  | at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.exchangeExternalToken(TokenEndpoint.java:917)
  | at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:696)
  | at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:194)
  | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  | at java.lang.reflect.Method.invoke(Method.java:498)

[tolusha]

I would say It has never worked.
Investigation shows that there is an issue with keycloak which has been fixed in 7.0.x version.
Execution the following code [1] [2] leads to NPE since metadata field is retrieved twice in row.
It isn't the case for OpenShift 4.x since we use a patched version of identity provider [3]

[1] https://github.com/keycloak/keycloak/blob/6.0.1/services/src/main/java/org/keycloak/social/openshift/OpenshiftV3IdentityProvider.java#L87
[2] https://github.com/keycloak/keycloak/blob/6.0.1/services/src/main/java/org/keycloak/social/openshift/OpenshiftV3IdentityProvider.java#L59
[3] https://github.com/che-incubator/KEYCLOAK-10169-OpenShift4-User-Provider/blob/master/src/main/java/org/keycloak/social/openshift/OpenshiftV4IdentityProvider.java

[dmytro-ndp]

This issue hasn't been reproduced in CRW 2.6.0 and CRW 2.5.x https://issues.redhat.com/browse/CRW-1509?focusedCommentId=15684137&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15684137

[tolusha]

Interesting. I will check, maybe rh-sso image has been updated since then.

[tolusha]

Not actual for CRW deployment but it is still an issue for Eclipse Che.

[che-bot]

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.