
fix(auth): resolve user UID via SelfSubjectReview for external authentication#134

Merged
dkwon17 merged 3 commits into
redhat-developer:mainfrom
rohankanojia-forks:pr/wto-399
Jun 16, 2026

Conversation

rohanKanojia (Contributor) commented Jun 3, 2026

What does this PR do?

Use authentication.k8s.io SelfSubjectReview as the primary method to obtain the authenticated user's Kubernetes UID when verifying requests to /exec/init and /activity/tick. Fall back to the OpenShift User API when SelfSubjectReview is unavailable, preserving compatibility with older clusters.

Fixes Web Terminal failures with BYO External Authentication where user.openshift.io/v1 is not available.

Requires authentication.k8s.io/v1 selfsubjectreviews on the cluster (available on OCP 4.13+). Fallback covers older supported versions where the User API remains available.

What issues does this PR fix or reference?

https://redhat.atlassian.net/browse/WTO-399

Is it tested? How?

  • Create an OpenShift cluster
  • Install Keycloak and set up authentication to use Keycloak using this guide https://github.com/rohankanojia-demos/setup-keycloak-oidc-on-crc-guide
  • Once the cluster is set up to use Keycloak for authentication, log in to the cluster
  • Open the Web Terminal icon and wait for the terminal to start
  • You'll see the error
  • Patch the DevWorkspaceTemplate web-terminal-exec with an image built from these changes (the backslash must be the last character on the first line for the continuation to work):
    oc patch devworkspacetemplate web-terminal-exec -n "${NS:-openshift-operators}" --type='json' \
      -p='[{"op":"replace","path":"/spec/components/0/container/image","value":"docker.io/rohankanojia/web-terminal-exec:wto-399"}]'
  • Delete the DevWorkspace for the web terminal and click on the web terminal icon again
  • The terminal should appear correctly now
  • Test pre-release-testing WTO user flow as
    • cluster admin user
wto-with-fix-admin-flow.mp4
  • regular user
wto-with-fix-regular-user-flow.mp4

With these changes:

web-terminal-operator-with-keycloak-auth.mp4

Without these changes

wto-keycloak-oidc-without-fix-bug.mp4

Use authentication.k8s.io SelfSubjectReview as the primary method to
obtain the authenticated user's Kubernetes UID when verifying requests
to /exec/init and /activity/tick. Fall back to the OpenShift User API
when SelfSubjectReview is unavailable, preserving compatibility with
older clusters.

Fixes Web Terminal failures with BYO External Authentication where
user.openshift.io/v1 is not available.
Signed-off-by: Rohan Kumar <rohaan@redhat.com>
@rohanKanojia rohanKanojia marked this pull request as ready for review June 4, 2026 11:54
rohanKanojia (Contributor, Author) commented:

/che-ai-assistant ok-pr-review

Signed-off-by: Rohan Kumar <rohaan@redhat.com>
dkwon17 (Collaborator) commented Jun 16, 2026

LGTM, thank you. I was able to successfully test the PR on a cluster with the default OpenShift auth provider, and also with Keycloak OIDC.

@dkwon17 dkwon17 merged commit a0a6118 into redhat-developer:main Jun 16, 2026
3 checks passed
@rohanKanojia rohanKanojia deleted the pr/wto-399 branch June 17, 2026 03:55
rohanKanojia added a commit to rohankanojia-forks/web-terminal-exec that referenced this pull request Jun 25, 2026
SelfSubjectReview and the OpenShift User API return no UID for kube:admin,
which is expected for the bootstrap admin. PR redhat-developer#134 rejected empty UIDs and
broke web terminal auth on clusters where oc whoami is kube:admin.

Restore pre-redhat-developer#134 semantics for empty UID while keeping SelfSubjectReview as
the primary lookup for external authentication (WTO-399).

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Rohan Kumar <rohaan@redhat.com>
dkwon17 pushed a commit that referenced this pull request Jun 25, 2026
…bootstrap user scenario (#135)

* fix(auth): allow empty UID for kube:admin bootstrap user

SelfSubjectReview and the OpenShift User API return no UID for kube:admin,
which is expected for the bootstrap admin. PR #134 rejected empty UIDs and
broke web terminal auth on clusters where oc whoami is kube:admin.

Restore pre-#134 semantics for empty UID while keeping SelfSubjectReview as
the primary lookup for external authentication (WTO-399).

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Rohan Kumar <rohaan@redhat.com>

* fix(auth): prefer OpenShift User API for UID lookup with SSR fallback

Resolve kube:admin via the OpenShift User API first, allowing empty UID
for bootstrap users, and fall back to SelfSubjectReview only when the User
API is unavailable while rejecting empty UIDs on that path.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Signed-off-by: Rohan Kumar <rohaan@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
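The resolution order described in the PR description and refined by the follow-up commit (#135) above, written out as an added Go example that is not part of the web-terminal-exec code base. It assumes a hypothetical UIDSource interface standing in for the two real lookups (an OpenShift User API get and a SelfSubjectReview create, which in the project would be client-go calls) and uses constructed fake sources so it runs offline. It encodes the final semantics: query the OpenShift User API first and accept an empty UID there (the kube:admin bootstrap user has none), fall back to SelfSubjectReview only when the User API is not served, and reject an empty UID on that fallback path.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// ErrAPIUnavailable signals that the API group backing a lookup is not served
// by the cluster, e.g. user.openshift.io/v1 absent under BYO external auth.
var ErrAPIUnavailable = errors.New("identity API not served by this cluster")

// ErrEmptyUID is returned when the fallback path yields no UID; on that path an
// empty UID cannot be distinguished from a misconfigured identity provider.
var ErrEmptyUID = errors.New("SelfSubjectReview returned an empty UID")

// UIDSource is a hypothetical abstraction over one "who am I?" API call.
// Real implementations would wrap client-go; none are included here.
type UIDSource interface {
	Name() string
	LookupUID(ctx context.Context) (string, error)
}

// ResolveUserUID returns the caller's Kubernetes UID using the User API first
// and SelfSubjectReview (ssr) as the fallback.
func ResolveUserUID(ctx context.Context, userAPI, ssr UIDSource) (string, error) {
	uid, err := userAPI.LookupUID(ctx)
	if err == nil {
		// Empty UID is accepted on this path: the kube:admin bootstrap user
		// has no UID and must keep working (pre-#134 semantics).
		return uid, nil
	}
	if !errors.Is(err, ErrAPIUnavailable) {
		// Any failure other than "API group not served" is a hard error;
		// falling back here would mask outages or permission problems.
		return "", fmt.Errorf("%s lookup failed: %w", userAPI.Name(), err)
	}

	// External authentication: no User API, ask the API server directly.
	uid, err = ssr.LookupUID(ctx)
	if err != nil {
		return "", fmt.Errorf("%s lookup failed: %w", ssr.Name(), err)
	}
	if uid == "" {
		return "", ErrEmptyUID
	}
	return uid, nil
}

// fakeSource is a constructed stand-in for a cluster API response.
type fakeSource struct {
	name string
	uid  string
	err  error
}

func (f fakeSource) Name() string                                { return f.name }
func (f fakeSource) LookupUID(context.Context) (string, error) { return f.uid, f.err }

func main() {
	ctx := context.Background()
	userAPI := fakeSource{name: "user.openshift.io/v1", uid: "2a7e-constructed-user"}
	ssr := fakeSource{name: "SelfSubjectReview", uid: "oidc-constructed-uid"}
	noUserAPI := fakeSource{name: "user.openshift.io/v1", err: ErrAPIUnavailable}
	bootstrap := fakeSource{name: "user.openshift.io/v1", uid: ""}
	emptySSR := fakeSource{name: "SelfSubjectReview", uid: ""}

	for _, c := range []struct {
		label    string
		user, fb UIDSource
	}{
		{"default OpenShift auth", userAPI, ssr},
		{"kube:admin bootstrap user", bootstrap, ssr},
		{"external auth (Keycloak OIDC)", noUserAPI, ssr},
		{"external auth, empty UID", noUserAPI, emptySSR},
	} {
		uid, err := ResolveUserUID(ctx, c.user, c.fb)
		fmt.Printf("%-30s uid=%q err=%v\n", c.label, uid, err)
	}
}
```

The asymmetry is deliberate: an empty UID is only tolerated when it comes from the User API, where the bootstrap user is a known case, while the SelfSubjectReview path treats it as a verification failure.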