Red Hat OpenShift Dev Spaces (formerly CodeReady Workspaces)
CRW-1650

Some API calls are not working when keycloak-owned openshift token expires.

Steps to reproduce:

      • Have CRW installed with OAuth enabled.
      • Interact with CRW as some user.
      • Don't use CRW with that user for more than a day (the default OpenShift token expiration time).
      • After that day, obtain a Keycloak token for that user:

        $ ACCESS_TOKEN=$(curl -k --location --request POST 'https://<KEYCLOAK_ENDPOINT>/auth/realms/codeready/protocol/openid-connect/token' \
            --data-urlencode 'client_id=codeready-public' \
            --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
            --data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
            --data-urlencode 'subject_issuer=openshift-v4' \
            --data-urlencode 'subject_token=<User's openshift token>' | jq -r .access_token)

      • Using that token, try for example to start a workspace from a devfile:

        $ curl -k -X POST -H "Content-type: application/json" -H "Authorization: Bearer $ACCESS_TOKEN" -d '{"apiVersion":"1.0.0","metadata":{"name":"wksp-test-ZPgDE"}}' -H "Accept: application/json, */*" https://codeready-openshift-workspaces.apps.ocp47-load.crw-qe.com/api/workspace/devfile

      • Expected: Workspace is created.
      • Actual:

        {"message":"Error occurred when tried to list all available projects. Cause: Failure executing: GET at: https://172.30.0.1/apis/project.openshift.io/v1/projects?labelSelector\u003dapp.kubernetes.io%2Fpart-of%3Dche.eclipse.org%2Capp.kubernetes.io%2Fcomponent%3Dworkspaces-namespace. Message: Unauthorized! Configured service account doesn\u0027t have access. Service account may have been revoked. Unauthorized."}

      Some API calls are not working when the user hasn't logged in to CRW for longer than the expiration period of the OpenShift token.

      Please see "Steps to reproduce" to see what's actually happening.
      It seems that Keycloak somehow returns the expired OpenShift token to Che.

      Logging in to Che through the UI (browser) fixes this, and the user can do API calls again (for a day).

      We took a look into the Keycloak database, and indeed: until the user logs in through the UI, the OpenShift token that Keycloak is holding is expired (`psql keycloak -c "select token from federated_identity"`). Once the user logs in through the UI, the token gets updated to a valid one.
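      Added diagnostic example (not part of this report or the Che/Keycloak code): a small Python helper that decodes the claims of the Keycloak token returned by the exchange in the steps above, checks whether it is expired, and classifies the Che error body quoted under "Actual", so a failing call can be attributed to the stale federated OpenShift token rather than to the exchanged Keycloak token itself. The sample JWT, the fake signature and the abridged error body are constructed here; the function names are this example's own.

```python
import base64
import json
import time

# Constructed diagnostic helpers for the CRW-1650 symptom: the exchanged Keycloak
# token is still valid, yet Che fails because the OpenShift token Keycloak
# holds in federated_identity has expired.

def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only).
    Keycloak tokens are JWTs; OpenShift's own tokens are opaque and cannot be read this way."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_is_expired(claims, now=None):
    """True if there is no 'exp' claim or it is at or before 'now' (epoch seconds)."""
    now = time.time() if now is None else now
    return "exp" not in claims or claims["exp"] <= now

def classify_che_error(body):
    """Map a Che API error body to a likely cause."""
    try:
        msg = json.loads(body).get("message", "")
    except (json.JSONDecodeError, AttributeError):
        return "unknown"
    if "Unauthorized" in msg and "Service account may have been revoked" in msg:
        return "stale-federated-openshift-token"
    if "Unauthorized" in msg:
        return "unauthorized"
    return "other"

def make_sample_jwt(claims):
    """Build a constructed JWT (fake signature) so the helpers run offline."""
    def b64url(data):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed-signature"

# Error body abridged from the report's "Actual" output.
CHE_ERROR_BODY = ('{"message":"Error occurred when tried to list all available projects. '
                  'Cause: Failure executing: GET at: https://172.30.0.1/apis/project.openshift.io/v1/projects. '
                  'Message: Unauthorized! Configured service account doesn\\u0027t have access. '
                  'Service account may have been revoked. Unauthorized."}')
```

      If `token_is_expired` reports the exchanged token as valid while `classify_che_error` returns the stale-federated-token class, the failure is on the OpenShift token Keycloak stored, which matches what the `federated_identity` query above shows.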


      I'm setting this issue as "Critical" as it's a relatively big obstacle for our load tests (going through UI login for every used user every day... cc kkanova).

            skabashn Sergii Kabashniuk
            rhopp@redhat.com Radim Hopp