Comments (12)
@d-ramakri @jschuler OK, I have opened a PR with a patch BUT, if @alechenninger says we should use the CLI auth then I would strongly recommend doing so and deprecating the `doOffline` and `getOfflineToken` functions. And eventually getting rid of them.
I assume that somewhere in your UI/QuickStart there is a guide involving getting the token and then pasting a command including the token somewhere in the user's terminal right? Is it possible to change the guides to include the CLI auth?
from insights-chrome.
Hey folks, there is some confusion here. That is not all the requests being made to SSO.
In your token request, the redirect URI has to be exactly the same as the redirect URI in the auth request: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3
In a test I observed:
| Auth request redirect URI | Token request redirect URI |
|---|---|
| https://console.redhat.com/openshift/token/show?test=true&noauth=2402500adeacc30eb5c5a8a5e2e0ec1f | https://console.redhat.com/openshift/token/show?noauth=2402500adeacc30eb5c5a8a5e2e0ec1f |
SSO is working as intended since these are not the same. However, still, no variable query parameters should be used in redirect URIs, so ideally none of these are used and any variable information is passed and decoded from the `state` parameter maintained in the redirect.
Lastly, the whole process of getting an offline token so it can be pasted into a CLI is unnecessary and insecure. The CLI can and should authenticate the user directly, such as by using the auth code flow and redirecting to a loopback address or by using the device authorization flow. I'm happy to discuss this in more detail if you'd like outside of this issue.
Edit: To summarize:
- You can fix this quickly by simply using the same redirect URI in both auth and token requests
- Better would be to avoid passing query parameters at all, and use the state parameter instead
- Way better than either of those would be to not even get another token, and let the CLI do that itself
Thanks @Hyperkid123 ! And yes I agree it would be wonderful to get rid of the clunky copying of token into the CLI step altogether, that would be preferable. I hope we can go down that path, but in the meantime thank you for the fix!
Well, I think this might be an SSO issue.
We are sending a `noauth` query param with a hash. I just think the SSO does not expect any other query parameters so it just simply does not accept the redirect link with additional query parameters. It does not even accept a hash in the `redirectUri` param.
@ryelo can we talk to the SSO dev team about why no parameters are permitted?
Yep I can send them a message to ask why we can't add additional params. My assumption is that we could, but we just have to put a blob in their config to allow it.
@Hyperkid123 @ryelo This issue is making development on the ROSA wizard more difficult - wondering where the conversation with the SSO team is at.
This will also have an impact on other things that add URL params, like quick starts
Can someone paste the exact request that is being made to SSO?
Is the additional query parameter a part of the redirect URI? If so, this is not allowed, per https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2
To send variable state along with a redirect, you must use the `state` parameter.
Here's an example of what I am observing at the moment:
- Navigate to https://console.redhat.com/openshift/token/show?test=true
- I see in the Network log:

```
Request URL: https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
Request Method: POST
Status Code: 400
Payload:
code: 93ee20be-e714-46cc-93b1-d9b18362c6ad.1afcace9-6923-474b-8a2a-8f384876191f.78d5cce2-4b4b-419e-9007-28deefc1edaf
grant_type: authorization_code
client_id: cloud-services
redirect_uri: https://console.redhat.com/openshift/token/show?noauth=2402500adeacc30eb5c5a8a5e2e0ec1f
Response:
{"error":"invalid_grant","error_description":"Incorrect redirect_uri"}
```
As @alechenninger said, we will probably have to move the quickstart to the `#state` hash in the URL to get around the error. Essentially that will force us to sanitize the URL and then append the quickstart query param back once we are authenticated.
This is not just quick starts btw, this also affects the day 1 experience for new RH customers creating ROSA clusters.
They have to accept Terms and Conditions, which appends URL parameters as well. When they then try to get the token it fails.
The URL looks something like this after they accepted the terms:
https://console.redhat.com/openshift/create/rosa/wizard?decision-1524=accepted&ackID=6071004376#
How involved / complicated is the change @alechenninger @ryelo and who would do it? Sorry to pull the 'urgent' card - this issue is directly linked to a high priority / high visibility complaint from customers on the ROSA day 1 wizard for OCM HAC-1525