Unable to login to OpenShift Cluster using Azure AD accounts

Solution Verified - Updated -

Environment

  • Azure Red Hat OpenShift [ARO]
    • 4.x

Issue

  • When trying to login to OpenShift cluster by using Azure AD accounts, it is generated the error below:
An authentication error occurred.
  • My cluster suddenly stopped accepting new log in attempts by using Azure AD accounts, which is possible by using kubeadmin account.
  • My authentication pods are generating this event in the logs:
2022-09-11T02:00:14.708830293Z E0911 02:00:14.708732       1 errorpage.go:28] AuthenticationError: AADSTS7000222: The provided client secret keys for app '<app id>' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.

Resolution

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

  1. Get the proper credentials from the Azure console by following this procedure from Microsoft. Copy the secret that is generated as you will not see it again if lost.

  2. Update the secret in the openshift-config namespace (for more information, this article can be used). Looking at the oauths resource definition, you can find the secret assigned to the service:

    $ oc get oauths -o yaml | egrep "clientID|clientSecret" -A1
    kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"config.openshift.io/v1","kind":"OAuth","metadata":{"annotations":{},"name":"cluster"},"spec":{"identityProviders":[{"mappingMethod":"claim","name":"AAD","openID":{"claims":{"email":["email"],"name":["name"],"preferredUsername":["email","upn"]},"clientID":"<clientID>","clientSecret":{"name":"<clientSecretName>"},"extraAuthorizeParameters":{"include_granted_scopes":"true"},"extraScopes":["email","profile"],"issuer":"<issuerURL>"},"type":"OpenID"}]}}
    
    --
        clientID: <clientID>
        clientSecret:
           name: <clientSecretName>
    

For more information about Azure Active Directory authentication, you can use this Microsoft document Azure Red Hat OpenShift running OpenShift 4 - Configure Azure Active Directory authentication using the Azure portal and the OpenShift web console.

Root Cause

  • The provided client secret keys for the Oauth configuration is expired.

Diagnostic Steps

  1. Verify if the authentication operator is AVAILABLE and not DEGRADED or PROGRESSING:

    $ oc get co authentication
    
  2. Check if the pods in the openshift-authentication namespace are Running with no errors:

    $ oc get pods -n openshift-authentication
    
  3. Check the logs of all pods and search for the event as provided at the Issue section:

    $ oc logs oauth-openshift-XXXXXXXXXX-XXXXX -n openshift-authentication
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments