[Kubernetes] Workspace creation fails when using alternate OIDC provider

Description

I’ve set up Eclipse Che (latest) on IBM Cloud Private (ICP), using its OIDC provider instead of Keycloak. When I log in to the dashboard and go to create a Che 7 workspace, I am presented with the following error:

Error: Failed to get the workspace: "Workspace with name '//mycluster.icp:9443/oidc/endpoint/OP:<email>@ibm.com/wksp-y8yn' in namespace 'https' doesn't exist"

Which seems to be coming from this function: https://github.com/eclipse/che/blob/master/ide/che-ide-gwt-app/src/main/resources/org/eclipse/che/ide/public/IDE.html#L175

The URL in my browser looks like: https://che-che.<IP>.nip.io/dashboard/#/ide/https://mycluster.icp:9443/oidc/endpoint/OP:<email>@ibm.com/wksp-y8yn, which seems to be the issue here. Che seems to think the workspace name is mycluster.icp:9443/oidc/endpoint/OP:<email>@ibm.com/wksp-y8yn instead of wksp-y8yn

Note: I’ve redacted both <IP> and <email> here

As to where Che is getting that link from, in my OpenID configuration, it lists that link as the issuer:

issuer:  "https://mycluster.icp:9443/oidc/endpoint/OP"

And lastly, if I reload the Che dashboard, it now shows the workspace name as mycluster.icp:9443/oidc/endpoint/OP:<email>@ibm.com/wksp-y8yn instead of wksp-y8yn: [screenshot]

Edit: What’s interesting is that if I try to create a workspace from a Devfile, it gets farther along in the creation process, failing due to a separate issue (secret <workspaceid>-che-self-signed-cert> is missing).

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 8 (6 by maintainers)

Top GitHub Comments

johnmcollier commented, Apr 3, 2019 (1 reaction)

What about computing a UUID or hash (say sha256 maybe?) of <issuer>:<subject> instead if we can’t retrieve the username? It would be almost certainly unique and wouldn’t have the issues that something like <issuer>:<subject> would have

johnmcollier commented, Apr 16, 2019 (0 reactions)

@davidfestal @mshaposhnik Sorry, meant to respond to this earlier and forgot.

Setting che.keycloak.username_claim to the sub worked for me, and a code change in Che wasn’t required, so I can close this out.
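
Added illustration, not part of the issue thread and not Che's own code: a simplified model of why a username of the form <issuer>:<subject> breaks the workspace lookup, and how the SHA-256 form suggested in the Apr 3 comment avoids it. The key-splitting rule is an assumption inferred from the error message above, and user@example.com is a constructed stand-in for the redacted email.

```python
import hashlib
import re

# Values from the issue; the subject is a constructed stand-in for the
# redacted <email>.
ISSUER = "https://mycluster.icp:9443/oidc/endpoint/OP"
SUBJECT = "user@example.com"
WORKSPACE = "wksp-y8yn"

# Assumption: a name is safe if it cannot collide with ':' or '/' separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def fallback_username(issuer, subject):
    """The <issuer>:<subject> form visible in the issue's dashboard URL."""
    return f"{issuer}:{subject}"


def hashed_username(issuer, subject):
    """SHA-256 hex digest of <issuer>:<subject>, as the comment proposes."""
    return hashlib.sha256(f"{issuer}:{subject}".encode("utf-8")).hexdigest()


def split_workspace_key(key):
    """Hypothetical resolver, inferred from the error message rather than
    taken from Che: split on the first ':' if present, else the first '/'."""
    sep = ":" if ":" in key else "/"
    namespace, _, name = key.partition(sep)
    return namespace, name


def resolve(username, workspace):
    """Build the <username>/<workspace> key and split it back apart."""
    return split_workspace_key(f"{username}/{workspace}")


if __name__ == "__main__":
    for label, user in (("fallback", fallback_username(ISSUER, SUBJECT)),
                        ("hashed", hashed_username(ISSUER, SUBJECT))):
        namespace, name = resolve(user, WORKSPACE)
        print(f"{label}: safe={bool(SAFE_NAME.match(user))} "
              f"namespace={namespace!r} workspace={name!r}")
```

With the fallback username the model yields namespace 'https' and a workspace name starting with '//mycluster.icp:9443/', the same split the error message reports; with the hashed username the workspace resolves to wksp-y8yn.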
