Openshift OAuth not working with Cloud Ready workspaces on a 4.1 cluster #46

Open
jomcdona opened this issue Nov 13, 2019 · 5 comments

@jomcdona

When having cloud ready workspaces set up on an OpenShift 4.1 cluster, the OpenShift OAuth login with Code Ready Workspaces does not work and provides a "We're Sorry Unexpected error when handling authentication request to identity provider" message. The log stream in the codeready workspaces pod is showing a warning message of:

"2019-11-13 21:36:55,904[75f-cp6fm-48701] [WARN ] [unknown.jul.logger 49] - Problem getting Pod json from Kubernetes Client[masterUrl=https://172.30.0.1:443/api/v1, headers={}, connectTimeout=5000, readTimeout=30000, operationAttempts=3, operationSleep=1000, streamProvider=org.openshift.ping.common.stream.TokenStreamProvider@dff9cfb] for cluster [EclipseLinkCommandChannel], namespace [lab-infra], labels [app=che]; encountered [java.lang.Exception: 3 attempt(s) with a 1000ms sleep to execute [OpenStream] failed. Last failure was [javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]"

But I am not sure if it is related to the OAuth authentication attempt, though. Please reach me at [email protected] if this is able to be resolved.

@deanpeterson

I bet I know who opened this. Did you ever find out how to resolve this? It's still a thing in OCP 4.4

@shhull

shhull commented Sep 7, 2021

Hello, I hit the same problem on OCP 4.7.7 and OCP 4.8.2.

After the code ready workspace was ready on the OCP cluster, I logged in to the CRW with an OAuth account, then I got this error screenshot.

[image: error screenshot]

@shhull

shhull commented Sep 7, 2021

I got the below OAuth error in pod keycloak-7845cd766b-mtk8z.

09:06:54,591 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-2) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1356)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1231)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1174)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)

@shhull

shhull commented Sep 7, 2021

I think I know the answer. 1) The CRW operator has one issue on OCP477: the openshift oauth-secret is not automatically created under the openshift-config namespace, so all users cannot log in to the CRW console. 2) I tried the same steps on OCP482; the oauth secret was created and I can use this user to log in to CRW successfully, and the IDE can launch correctly.

@jgammon612

Hey guys -- I am hitting this exact issue on 4.8.11 on Azure -- can you describe the steps you did to fix it? CRW is created in the openshift-workspaces namespace (using operator 2.11). [email protected]
