I recently deployed a version 4.5 OKD cluster and everything seems fine, but I can't get the Google identity provider to work for signing in. I followed the instructions here, but with no success. When I try to log in with my company google identity I get a very generic error message:
I ended up with the following OAuth config:
spec:
identityProviders:
- google:
clientID: <my-ID>.apps.googleusercontent.com
clientSecret:
name: google-secret
hostedDomain: <company domain>
mappingMethod: claim
name: googleidp
type: Google
I set the google project up as described too. Just created Oauth2.0 credentials, call back URL (which is correct since I get back to OKD after consent screen), no extra scopes in consent; just profile, email and openid, and OKD is not requesting any other scopes. The project is set to internal so only company users can log in.
After some investigations I managed to increase verbosity on the oauth-openshift pods and here is what is seen in the logs for a failed attempt:
1 handler.go:156] Got auth data
I0929 15:30:10.036799 1 round_trippers.go:423] curl -k -v -XPOST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" 'https://www.googleapis.com/oauth2/v3/token'
I0929 15:30:10.071829 1 round_trippers.go:443] POST https://www.googleapis.com/oauth2/v3/token 401 Unauthorized in 35 milliseconds
I0929 15:30:10.071871 1 round_trippers.go:449] Response Headers:
I0929 15:30:10.071879 1 round_trippers.go:452] Server: scaffolding on HTTPServer2
I0929 15:30:10.071885 1 round_trippers.go:452] Cache-Control: private
I0929 15:30:10.071891 1 round_trippers.go:452] X-Content-Type-Options: nosniff
I0929 15:30:10.071897 1 round_trippers.go:452] Vary: Origin
I0929 15:30:10.071902 1 round_trippers.go:452] Vary: X-Origin
I0929 15:30:10.071909 1 round_trippers.go:452] Vary: Referer
I0929 15:30:10.071915 1 round_trippers.go:452] Date: Tue, 29 Sep 2020 15:30:10 GMT
I0929 15:30:10.071920 1 round_trippers.go:452] Alt-Svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
I0929 15:30:10.071926 1 round_trippers.go:452] Content-Type: application/json; charset=utf-8
I0929 15:30:10.071934 1 round_trippers.go:452] X-Xss-Protection: 0
I0929 15:30:10.071939 1 round_trippers.go:452] X-Frame-Options: SAMEORIGIN
I0929 15:30:10.072004 1 handler.go:176] Error getting access token: Unauthorized
E0929 15:30:10.072031 1 errorpage.go:26] AuthenticationError: Unauthorized
I0929 15:30:10.072428 1 httplog.go:90] verb="GET" URI="/oauth2callback/googleidp?state=**token**&code=**token**&scope=email%20profile%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile&authuser=0&hd=**companydomain**&prompt=consent" latency=35.835162ms resp=200 UserAgent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36" srcIP="10.129.2.28:49228":
I can't find a reason for the Unauthorized error so any help is much appreciated.
Doing the exact same things in Google cloud console instead of the developer console made this finally work. So no issue in OKD platform.
https://console.developers.google.com
vs
https://console.cloud.google.com
When creating projects in developer console some settings are left out. I found that I had to add the Google Cloud APIs in the first project but that was not enough to make it work so I will just use the new project as I don't have more time to invest in this.