Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Kubernetes] Workspace creation fails when using alternate OIDC provider #13051

Closed
johnmcollier opened this issue Apr 3, 2019 · 8 comments
Closed

[Kubernetes] Workspace creation fails when using alternate OIDC provider #13051

johnmcollier opened this issue Apr 3, 2019 · 8 comments
Labels
kind/bug Outline of a bug - must adhere to the bug report template.

Comments

@johnmcollier
Copy link
Contributor

johnmcollier commented Apr 3, 2019
edited
Loading

Description

I've set up Eclipse Che (latest) on IBM Cloud Private (ICP), using its OIDC provider instead of Keycloak. When I log in to the dashboard and go to create a Che 7 workspace, I am presented with the following error:

Error: Failed to get the workspace: "Workspace with name '//mycluster.icp:9443/oidc/endpoint/OP:<email>@ibm.com/wksp-y8yn' in namespace 'https' doesn't exist"

Which seems to be coming from this function: https://github.com/eclipse/che/blob/master/ide/che-ide-gwt-app/src/main/resources/org/eclipse/che/ide/public/IDE.html#L175

The URL in my browser looks like: https://che-che.<IP>.nip.io/dashboard/#/ide/https://mycluster.icp:9443/oidc/endpoint/OP:<email>@ibm.com/wksp-y8yn, which seems to be the issue here. Che seems to think the workspace name is mycluster.icp:9443/oidc/endpoint/OP:<email>@ibm.com/wksp-y8yn instead of wksp-y8yn

Note: I've redacted both <IP> and <email> here

As to where Che is getting that link from, in my OpenID configuration, it lists that link as the issuer:

issuer:  "https://mycluster.icp:9443/oidc/endpoint/OP"

And lastly, if I reload the Che dashboard, it now shows the workspace name as mycluster.icp:9443/oidc/endpoint/OP:<email>@ibm.com/wksp-y8yn instead of wksp-y8yn:
Screen Shot 2019-04-02 at 9 44 42 PM

Edit:
What's interesting is that if I try to create a workspace from a Devfile, it gets farther along in the creation process, failing due to a separate issue (secret <workspaceid>-che-self-signed-cert> is missing).
@johnmcollier
Copy link
Contributor Author

I've attached a screenshot with the Javascript Console output from Chrome:
Screen Shot 2019-04-02 at 9 40 48 PM

@ghost
Copy link

ghost commented Apr 3, 2019

@johnmcollier I think it is related to single host ingress strategy.

What's interesting is that if I try to create a workspace from a Devfile, it gets farther along in the creation process, failing due to a separate issue (secret -che-self-signed-cert> is missing).

That's a known issue.

@ghost ghost added the kind/bug Outline of a bug - must adhere to the bug report template. label Apr 3, 2019
@johnmcollier
Copy link
Contributor Author

johnmcollier commented Apr 3, 2019
edited
Loading

@eivantsov I'm running on multi-host strategy. I looked into it a little further, and found this line https://github.com/eclipse/che/blob/315767ea5d76703d4aeacb163bdcc3af689b71eb/multiuser/keycloak/che-multiuser-keycloak-server/src/main/java/org/eclipse/che/multiuser/keycloak/server/KeycloakEnvironmentInitalizationFilter.java#L102, which seemed to be the issue.

Che wasn't able to retrieve username, so it was using the <issuer>:<subject> instead: https://mycluster.icp:9443/oidc/endpoint/OP:<email>@ibm.com, which Che was rejecting. If I changed it to just use the subject (so <email>@ibm.com), the error goes away.

username = claims.getSubject();

And thanks, #12634 is indeed the other issue I'm running into.

@tetchel
Copy link

tetchel commented Apr 3, 2019
edited
Loading

To add on to what John said above, I don't see why the issuer would be used here - it will always be an HTTPS URL (spec):

Issuer Identifier
Verifiable Identifier for an Issuer. An Issuer Identifier is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

Likely Che wants to use the tuple of [issuer, subject] to identify users uniquely in case there is a case where there are multiple issuers that have matching subjects (spec), but there has to be a better way.

@johnmcollier
Copy link
Contributor Author

johnmcollier commented Apr 3, 2019
edited
Loading

What about computing a UUID or hash (say sha256 maybe?) of <issuer>:<subject> instead if we can't retrieve the username? It would be almost certainly unique and wouldn't have the issues that something like <issuer>:<subject> would have

@mshaposhnik
Copy link
Contributor

I think we can accept this in an PR form :) @davidfestal WDYT?

@davidfestal
Copy link
Contributor

@mshaposhnik @johnmcollier I assume that might be an acceptable solution for the (somewhat strange) case when no user name can be found in any of the JWT token claims.

However, in the case the user name is still provided in your JWT tokens, did you try to use the che.keycloak.username_claim property in order to retrieve the user name from the claim that is used for it in your OIDC provider ?

Here is the definition of this property:

#     Username claim to be used as user display name
#     when parsing JWT token
#     if not defined the fallback value is 'preferred_username'
che.keycloak.username_claim=NULL

@johnmcollier
Copy link
Contributor Author

@davidfestal @mshaposhnik Sorry, meant to respond to this earlier and forgot.

Setting che.keycloak.username_claim to the sub worked for me, and a code change in Che wasn't required, so I can close this out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Outline of a bug - must adhere to the bug report template.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@davidfestal @mshaposhnik @johnmcollier @tetchel