fix(auth): resolve user UID via SelfSubjectReview for external authentication#134
Merged
Use authentication.k8s.io SelfSubjectReview as the primary method to obtain the authenticated user's Kubernetes UID when verifying requests to /exec/init and /activity/tick. Fall back to the OpenShift User API when SelfSubjectReview is unavailable, preserving compatibility with older clusters. Fixes Web Terminal failures with BYO External Authentication where user.openshift.io/v1 is not available.
Signed-off-by: Rohan Kumar <rohaan@redhat.com>
Contributor
Author
/che-ai-assistant ok-pr-review
Signed-off-by: Rohan Kumar <rohaan@redhat.com>
dkwon17
approved these changes
Jun 16, 2026
Collaborator
LGTM, thank you, I was able to successfully test the PR on a cluster with the default OpenShift auth provider, and also with Keycloak OIDC
rohanKanojia
added a commit
to rohankanojia-forks/web-terminal-exec
that referenced
this pull request
Jun 25, 2026
SelfSubjectReview and the OpenShift User API return no UID for kube:admin, which is expected for the bootstrap admin. PR redhat-developer#134 rejected empty UIDs and broke web terminal auth on clusters where oc whoami is kube:admin. Restore pre-redhat-developer#134 semantics for empty UID while keeping SelfSubjectReview as the primary lookup for external authentication (WTO-399). Co-authored-by: Cursor <cursoragent@cursor.com> Signed-off-by: Rohan Kumar <rohaan@redhat.com>
dkwon17
pushed a commit
that referenced
this pull request
Jun 25, 2026
…bootstrap user scenario (#135) * fix(auth): allow empty UID for kube:admin bootstrap user SelfSubjectReview and the OpenShift User API return no UID for kube:admin, which is expected for the bootstrap admin. PR #134 rejected empty UIDs and broke web terminal auth on clusters where oc whoami is kube:admin. Restore pre-#134 semantics for empty UID while keeping SelfSubjectReview as the primary lookup for external authentication (WTO-399). Co-authored-by: Cursor <cursoragent@cursor.com> Signed-off-by: Rohan Kumar <rohaan@redhat.com> * fix(auth): prefer OpenShift User API for UID lookup with SSR fallback Resolve kube:admin via the OpenShift User API first, allowing empty UID for bootstrap users, and fall back to SelfSubjectReview only when the User API is unavailable while rejecting empty UIDs on that path. Co-authored-by: Cursor <cursoragent@cursor.com> --------- Signed-off-by: Rohan Kumar <rohaan@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
What does this PR do?
Use authentication.k8s.io SelfSubjectReview as the primary method to obtain the authenticated user's Kubernetes UID when verifying requests to /exec/init and /activity/tick. Fall back to the OpenShift User API when SelfSubjectReview is unavailable, preserving compatibility with older clusters.
Fixes Web Terminal failures with BYO External Authentication where user.openshift.io/v1 is not available.
Requires authentication.k8s.io/v1 selfsubjectreviews on the cluster (available on OCP 4.13+). Fallback covers older supported versions where the User API remains available.
What issues does this PR fix or reference?
https://redhat.atlassian.net/browse/WTO-399
Is it tested? How?
web-terminal-exec with an image built from these changes
wto-with-fix-admin-flow.mp4
wto-with-fix-regular-user-flow.mp4
With these changes:
web-terminal-operator-with-keycloak-auth.mp4
Without these changes:
wto-keycloak-oidc-without-fix-bug.mp4
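The UID lookup described in the PR body above, in the order the #135 follow-up commit settled on (OpenShift User API first, SelfSubjectReview only when user.openshift.io/v1 is absent), as an added example that is not web-terminal-exec's own code. It talks to the API server with plain net/http rather than client-go, assumes the caller's bearer token is already in hand and that TLS/CA setup is handled elsewhere, and uses a placeholder API server URL.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

var ErrEmptyUID = errors.New("authenticated user has no UID")

// Client sends the caller's own bearer token, so each lookup answers "who holds this token?".
type Client struct{ APIServer, Token string } // APIServer e.g. https://api.example:6443 (placeholder)

// lookup issues one request and decodes the JSON reply into out. ok=false means the
// API group is absent on this cluster (HTTP 404), which is a fallback signal, not an error.
func (c *Client) lookup(method, path, body string, out any) (ok bool, err error) {
	req, err := http.NewRequest(method, c.APIServer+path, strings.NewReader(body))
	if err != nil { return false, err }
	req.Header.Set("Authorization", "Bearer "+c.Token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil { return false, err }
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusNotFound:
		return false, nil
	case http.StatusOK, http.StatusCreated: // creating a SelfSubjectReview returns 201
		return true, json.NewDecoder(resp.Body).Decode(out)
	}
	return true, fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
}

// ResolveUID follows the order from the #135 follow-up commit: OpenShift User API first,
// tolerating an empty UID (kube:admin has none); SelfSubjectReview only when
// user.openshift.io/v1 is absent, and an empty UID is rejected on that path.
func (c *Client) ResolveUID() (string, error) {
	var user struct{ Metadata struct{ UID string } } // encoding/json matches keys case-insensitively
	ok, err := c.lookup(http.MethodGet, "/apis/user.openshift.io/v1/users/~", "", &user)
	if err != nil { return "", err }
	if ok { return user.Metadata.UID, nil }
	var ssr struct{ Status struct{ UserInfo struct{ UID string } } }
	ok, err = c.lookup(http.MethodPost, "/apis/authentication.k8s.io/v1/selfsubjectreviews",
		`{"apiVersion":"authentication.k8s.io/v1","kind":"SelfSubjectReview"}`, &ssr)
	if err != nil { return "", err }
	if !ok { return "", errors.New("neither User API nor SelfSubjectReview is available") }
	if ssr.Status.UserInfo.UID == "" { return "", ErrEmptyUID }
	return ssr.Status.UserInfo.UID, nil
}
```

The "~" in users/~ is the OpenShift convention for the current user; the SelfSubjectReview body is intentionally empty because the server fills status.userInfo from the token it authenticated.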