GitHub oauth request/token flow is broken in 3.7.0-alpha.1 #16078

Closed
smarterclayton opened this issue Aug 31, 2017 · 1 comment
@smarterclayton
Contributor

https://api.ci.openshift.org/oauth/token/request

Goes to GitHub, auths correctly, then comes back and reports:

Error getting token: The client is not authorized to request a token using this method. 

Request another token

We checked the openshift-browser-client secret, reset, and restarted.

Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: I0831 14:26:34.281605   66362 wrap.go:42] GET /apis/oauth.openshift.io/v1/oauthclientauthorizations/smarterclayton:openshift-browser-client: (955.975µs) 404 [[openshift/v1.7.0+695f48a16f (linux/amd64) kubernet
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: I0831 14:26:34.283842   66362 wrap.go:42] GET /apis/oauth.openshift.io/v1/oauthclients/openshift-browser-client: (1.165796ms) 200 [[openshift/v1.7.0+695f48a16f (linux/amd64) kubernetes/d2e5420] 10.128.0.2:4407
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: I0831 14:26:34.286309   66362 wrap.go:42] POST /apis/oauth.openshift.io/v1/oauthauthorizetokens: (4.200209ms) 201 [[openshift/v1.7.0+695f48a16f (linux/amd64) kubernetes/d2e5420] 10.128.0.2:44070]
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: I0831 14:26:34.286786   66362 wrap.go:42] GET /oauth/authorize?client_id=openshift-browser-client&redirect_uri=https%3A%2F%2Fapi.ci.openshift.org%2Foauth%2Ftoken%2Fdisplay&response_type=code: (8.469858ms) 302
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: I0831 14:26:34.332308   66362 wrap.go:42] GET /apis/oauth.openshift.io/v1/oauthclients/openshift-browser-client: (1.263523ms) 200 [[openshift/v1.7.0+695f48a16f (linux/amd64) kubernetes/d2e5420] 10.128.0.2:4407
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: I0831 14:26:34.332597   66362 wrap.go:42] POST /oauth/token: (2.001652ms) 400 [[Go-http-client/2.0] 104.198.208.39:50210]
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: I0831 14:26:34.332980   66362 wrap.go:42] GET /oauth/token/display?code=SOME_REALLY_LONG_CODE&state=: (2.843432ms) 500
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: goroutine 4567248 [running]:
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/httplog.(*respLogger).recordStatus(0xc432257570, 0x1f4)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /tmp/openshift/build-rpm-release/tito/rpmbuild-origint1Stjl/BUILD/origin-3.7.0/_output/local/go/src/github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/httplog/httplog.go:207 +0xdd
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/httplog.(*respLogger).WriteHeader(0xc432257570, 0x1f4)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /tmp/openshift/build-rpm-release/tito/rpmbuild-origint1Stjl/BUILD/origin-3.7.0/_output/local/go/src/github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/httplog/httplog.go:186 +0x35
# Please edit the object below. Lines beginning with a '#' will be ignored,
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/filters.(*baseTimeoutWriter).WriteHeader(0xc423fc69c0, 0x1f4)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /tmp/openshift/build-rpm-release/tito/rpmbuild-origint1Stjl/BUILD/origin-3.7.0/_output/local/go/src/github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/filters/timeout.go:185 +0xb5
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: github.com/openshift/origin/pkg/auth/server/tokenrequest.(*endpointDetails).displayToken(0xc4216b09e0, 0x7f3bd907fee8, 0xc431a655f8, 0xc42568f600)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /tmp/openshift/build-rpm-release/tito/rpmbuild-origint1Stjl/BUILD/origin-3.7.0/_output/local/go/src/github.com/openshift/origin/pkg/auth/server/tokenrequest/endpoints.go:71 +0x484
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: github.com/openshift/origin/pkg/auth/server/tokenrequest.(*endpointDetails).(github.com/openshift/origin/pkg/auth/server/tokenrequest.displayToken)-fm(0x7f3bd907fee8, 0xc431a655f8, 0xc42568f600)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /tmp/openshift/build-rpm-release/tito/rpmbuild-origint1Stjl/BUILD/origin-3.7.0/_output/local/go/src/github.com/openshift/origin/pkg/auth/server/tokenrequest/endpoints.go:41 +0x48
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: net/http.HandlerFunc.ServeHTTP(0xc421741980, 0x7f3bd907fee8, 0xc431a655f8, 0xc42568f600)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /usr/lib/golang/src/net/http/server.go:1942 +0x44
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: github.com/openshift/origin/vendor/github.com/gorilla/context.ClearHandler.func1(0x7f3bd907fee8, 0xc431a655f8, 0xc42568f600)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /tmp/openshift/build-rpm-release/tito/rpmbuild-origint1Stjl/BUILD/origin-3.7.0/_output/local/go/src/github.com/openshift/origin/vendor/github.com/gorilla/context/context.go:141 +0x8b
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: net/http.HandlerFunc.ServeHTTP(0xc4216b0ae0, 0x7f3bd907fee8, 0xc431a655f8, 0xc42568f600)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /usr/lib/golang/src/net/http/server.go:1942 +0x44
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: net/http.(*ServeMux).ServeHTTP(0xc42170c4e0, 0x7f3bd907fee8, 0xc431a655f8, 0xc42568f600)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /usr/lib/golang/src/net/http/server.go:2238 +0x130
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/filters.WithMaxInFlightLimit.func1(0x7f3bd907fee8, 0xc431a655f8, 0xc42568f600)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /tmp/openshift/build-rpm-release/tito/rpmbuild-origint1Stjl/BUILD/origin-3.7.0/_output/local/go/src/github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/filters/maxinflight.go:96 +0x311
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: net/http.HandlerFunc.ServeHTTP(0xc42169e000, 0x7f3bd907fee8, 0xc431a655f8, 0xc42568f600)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /usr/lib/golang/src/net/http/server.go:1942 +0x44
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/filters.WithCORS.func1(0x7f3bd907fee8, 0xc431a655f8, 0xc42568f600)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /tmp/openshift/build-rpm-release/tito/rpmbuild-origint1Stjl/BUILD/origin-3.7.0/_output/local/go/src/github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/filters/cors.go:75 +0x189
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: net/http.HandlerFunc.ServeHTTP(0xc42165f5c0, 0x7f3bd907fee8, 0xc431a655f8, 0xc42568f600)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /usr/lib/golang/src/net/http/server.go:1942 +0x44
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/filters.(*timeoutHandler).ServeHTTP.func1(0xc4216b1500, 0xef3b860, 0xc431a655f8, 0xc42568f600, 0xc4211e57a0)
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /tmp/openshift/build-rpm-release/tito/rpmbuild-origint1Stjl/BUILD/origin-3.7.0/_output/local/go/src/github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/filters/timeout.go:91 +0x8d
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: created by github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/filters.(*timeoutHandler).ServeHTTP
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: /tmp/openshift/build-rpm-release/tito/rpmbuild-origint1Stjl/BUILD/origin-3.7.0/_output/local/go/src/github.com/openshift/origin/vendor/k8s.io/apiserver/pkg/server/filters/timeout.go:93 +0x1c0
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: logging error output: "\n<style>\n\tbody     { font-family: sans-serif; font-size: 14px; margin: 2em 2%; background-color: #F9F9F9; }\n\th2       { font-size: 1.4em;}\n\th3       { font-size: 1em; margin: 1.5e
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: logging error output: "\n  "
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: logging error output: "Error getting token: The client is not authorized to request a token using this method."
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: logging error output: "\n"
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: logging error output: "\n\n<br><br>\n<a href=\""
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: logging error output: "request"
Aug 31 14:26:34 origin-ci-ig-m-11v4 atomic-openshift-master-api[66362]: logging error output: "\">Request another token</a>\n"
@smarterclayton
Contributor Author

Blocks client login to the api.ci.openshift.org cluster, p0

pweil- added the component/auth and kind/bug labels Aug 31, 2017
openshift-merge-robot added a commit that referenced this issue Sep 5, 2017
Automatic merge from submit-queue (batch tested with PRs 16142, 16100, 16109, 16113, 16117)

Lazily initialize Osin client for token endpoint

This change makes it so that the Osin OAuth client for the token request endpoint is lazily initialized when the endpoint is called.  Initializing in this case refers to fetching the private OpenShift browser OAuth client from the API to get its secret (it is required to build the Osin client).  This behavior was lost when we moved away from using the OAuth registries.

Signed-off-by: Monis Khan <mkhan@redhat.com>

Fixes #16078

@openshift/sig-security

/assign @deads2k @liggitt

I plan to open a separate PR with something that tests this endpoint to make sure we do not regress again.  Tracked in #16146
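
The difference between eager and lazy initialization that the commit message describes, shown as a stand-alone Go program. This is an added example, not code from openshift/origin: `secretStore`, `tokenExchanger`, `newEager` and `newLazy` are hypothetical names, the in-memory map stands in for fetching the browser OAuth client from the API, and the secret value is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// secretStore stands in for the API that holds OAuth client objects (hypothetical).
type secretStore map[string]string

func (s secretStore) Get(name string) (string, error) {
	v, ok := s[name]
	if !ok {
		return "", errors.New("oauth client not found: " + name)
	}
	return v, nil
}

// tokenExchanger supplies the client credentials for the code-for-token POST.
type tokenExchanger struct {
	clientID string
	secret   func() (string, error) // how the secret is obtained
}

// credentials returns the client_id/secret pair sent to the token endpoint.
func (t *tokenExchanger) credentials() (string, string, error) {
	s, err := t.secret()
	return t.clientID, s, err
}

// newEager reads the secret once at construction; a startup error or a later change is baked in.
func newEager(store secretStore, id string) *tokenExchanger {
	s, err := store.Get(id)
	return &tokenExchanger{clientID: id, secret: func() (string, error) { return s, err }}
}

// newLazy defers the lookup until the endpoint is actually called.
func newLazy(store secretStore, id string) *tokenExchanger {
	return &tokenExchanger{clientID: id, secret: func() (string, error) { return store.Get(id) }}
}

func main() {
	store := secretStore{} // constructed: client object not yet readable at startup
	eager, lazy := newEager(store, "openshift-browser-client"), newLazy(store, "openshift-browser-client")
	store["openshift-browser-client"] = "s3cret-v1" // constructed value, appears after startup
	_, es, eerr := eager.credentials()
	_, ls, lerr := lazy.credentials()
	fmt.Printf("eager: %q %v\nlazy:  %q %v\n", es, eerr, ls, lerr)
}
```

With the eager constructor, resetting the secret or restarting only the store does not help until the exchanger itself is rebuilt; the lazy constructor picks up the current value on every request.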