Cannot login to OpenShift via Azure AD with multiple redirection on CLI

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • Azure Red Hat OpenShift (ARO)
    • 4
  • OpenShift Managed (Azure)
    • 4
  • Azure Active Directory (AAD)

Issue

  • Azure Active Directory is used as the authentication provider in an OCP or ARO cluster.
  • Authentication succeeds through the OpenShift console but not through the oc CLI.
  • Multiple redirections are involved in the authentication process when logging in via the OpenShift console. Is there any way to log in with AAD through the oc CLI (oc login command)?

Resolution

Having multiple redirections in the authentication flow is not CLI friendly, so it is not possible to log in directly with the oc CLI (oc login command). In such cases, the way to use oc login is to copy the login command from the OpenShift console and log in through the CLI using a token. To generate the command, select "Copy login command" from the username drop-down menu at the top right of the web console. Refer to Logging in to the OpenShift CLI for additional information.

As explained in Adding an identity provider to your clusters, if the OpenID Connect identity provider supports the resource owner password credentials (ROPC) grant flow, you can log in with a user name and password. You might need to take steps to enable the ROPC grant flow for your identity provider.
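The token-based login described above, as an added example (not a script from the Red Hat article): the caller exports the token and API server from the console's "Copy login command" page into the assumed variables OC_TOKEN and OC_SERVER, the script checks both before invoking oc so that a pasted console URL or a non-token string fails early, and the token never appears as a literal on the command line where it would be recorded in shell history.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution. Assumed interface:
#   OC_TOKEN  - access token shown on the "Copy login command" page
#   OC_SERVER - API server URL from the same page (https://api.<cluster>:6443)
# The validation helpers run without oc; oc_token_login needs oc on PATH.

# OpenShift 4 OAuth access tokens are "sha256~" followed by a base64url body.
# The value is fed through stdin so it does not show up in grep's argv.
validate_token() {
    printf '%s' "$1" | grep -Eq '^sha256~[A-Za-z0-9_-]{32,}$'
}

# oc login must target the API server over TLS, not the web console URL.
validate_server() {
    printf '%s' "$1" | grep -Eq '^https://[A-Za-z0-9.-]+(:[0-9]+)?$'
}

oc_token_login() {
    if ! validate_token "${OC_TOKEN:-}"; then
        echo "OC_TOKEN does not look like an OpenShift 4 access token" >&2
        return 1
    fi
    if ! validate_server "${OC_SERVER:-}"; then
        echo "OC_SERVER must be the https:// API server URL" >&2
        return 1
    fi
    if ! command -v oc >/dev/null 2>&1; then
        echo "oc binary not found on PATH" >&2
        return 1
    fi
    # The token is expanded from the variable rather than typed, so it is not
    # stored in the interactive history; oc writes it to the kubeconfig as usual.
    oc login --token="$OC_TOKEN" --server="$OC_SERVER" >/dev/null || return 1
    # Confirm the session maps to the expected AAD identity.
    oc whoami
}
```

Usage: `export OC_TOKEN=... OC_SERVER=...; oc_token_login`. Tokens copied from the console are short-lived by design, so treat the exported variable the same way and unset it once the login has succeeded.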

Root Cause

Multiple redirections are involved in the authentication process when logging in with AAD via the OpenShift console, which prevents logging in directly with the oc login command. The process involves the following steps:

- Azure Active Directory is chosen as the identity provider on the OpenShift console login page.
- The user is redirected to the AAD SSO URL and asked for a username and password.
- After the username and password are entered, the flow redirects to another URI, where the user is asked for the username and password again.
- The user is then redirected to a page where a one-time code sent to a phone must be entered.
- The user is redirected back to OpenShift and is logged in.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.