Hi Fabio. Which application do you use to talk with AD?
I have used Red Hat SSO (=keycloak) within openshift for that and I have described the solution here.

https://www.me2digital.com/blog/2017/04/25-sso-in-openshift-with-openshift/

We just follow the docs and examples on these sites or the .com for Enterprise Users.

https://docs.openshift.org/latest/install_config/configuring_authentication.html#OpenID
https://github.com/openshift/openshift-ansible/blob/master/inventory/hosts.example#L263

Debugging was not that easy. We increased the master debug level to 99 in /etc/sysconfig/*master* and restarted the masters, this helps a lot.

Hth
Aleks

On 28.03.2018 at 11:31, Fabio Martinelli wrote:
> Thank you Larry
>
> I'll keep your experience as a precious reference ; I assume you're
> using OpenShift -> LDAP -> AD because you don't have OpenShift ->
> OpenID Connect -> AD like me
>
> in my IT environment all the applications use OpenID Connect to
> authenticate our users and I preferably should authenticate in that
> way, therefore I need to understand how to debug the OpenShift ->
> OpenID Connect -> AD pipeline
>
> is there some tool to simulate the OpenID Connect authentication ?
> Just found this [@]
>
> I hope somebody from Red Hat can give me some insights, maybe it's
> just a matter of raising some debug level.
>
> Thanks,
> Fabio
>
> [@] https://github.com/curityio/example-python-openid-connect-client
>
> On 28 March 2018 at 02:02, Brigman, Larry <[email protected]> wrote:
>
> > I configure one of our clusters to use LDAP against our AD.
> > Here is my line from the inventory (obfuscated) but handling both
> > local and LDAP:
> > openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'},{'name': 'ldap', 'challenge': 'true', 'login': 'true', 'mappingMethod': 'claim', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['sAMAccountName']}, 'bindDN': '[email protected]', 'bindPassword': 'XXXXXXX', 'insecure': 'true', 'url': 'ldap://ldap.example.com:389/dc=sub,dc=example,dc=com?sAMAccountName'}]
> >
> > This gives a good reference of how to configure/test things.
> >
> > https://github.com/redhat-cop/openshift-playbooks/blob/master/playbooks/installation/ldap_integration.adoc
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of fabio martinelli
> > Sent: Monday, March 26, 2018 2:26 PM
> > To: users <[email protected]>
> > Subject: How to debug the openid auth plugin ?
> >
> > Dear OpenShift Colleagues
> >
> > I can't get working the OpenID Auth plugin [$], not necessarily
> > because that's broken Origin side since it's involved also the AD
> > layer where I'm not root [%] ; furthermore I don't have very much
> > experience with OpenID.
> >
> > I believe I've slavishly followed the manual [$] and I've selected
> > as the mappingMethod the option "lookup" since I don't want any
> > automatic login from our AD at this stage.
> >
> > This is my failed login attempt by oc :
> > ################################################
> > $ oc login --loglevel=10
> > I0326 22:58:26.698146 38291 loader.go:357] Config loaded from file /Users/f_martinelli/.kube/config
> > I0326 22:58:26.701628 38291 round_trippers.go:386] curl -k -v -XHEAD https://hosting.wfp.org:443/
> > I0326 22:58:26.922676 38291 round_trippers.go:405] HEAD https://hosting.wfp.org:443/ 403 Forbidden in 220 milliseconds
> > I0326 22:58:26.922709 38291 round_trippers.go:411] Response Headers:
> > I0326 22:58:26.922720 38291 round_trippers.go:414] Vary: Accept-Encoding
> > I0326 22:58:26.922729 38291 round_trippers.go:414] X-Content-Type-Options: nosniff
> > I0326 22:58:26.922738 38291 round_trippers.go:414] Date: Mon, 26 Mar 2018 20:58:26 GMT
> > I0326 22:58:26.922747 38291 round_trippers.go:414] Content-Type: text/plain
> > I0326 22:58:26.922756 38291 round_trippers.go:414] Connection: keep-alive
> > I0326 22:58:26.922765 38291 round_trippers.go:414] Server: nginx
> > I0326 22:58:26.922774 38291 round_trippers.go:414] Content-Length: 90
> > I0326 22:58:26.922782 38291 round_trippers.go:414] Cache-Control: no-store
> > I0326 22:58:26.922889 38291 round_trippers.go:386] curl -k -v -XGET -H "X-Csrf-Token: 1" https://hosting.wfp.org:443/.well-known/oauth-authorization-server
> > I0326 22:58:26.965442 38291 round_trippers.go:405] GET https://hosting.wfp.org:443/.well-known/oauth-authorization-server 200 OK in 42 milliseconds
> > I0326 22:58:26.965686 38291 round_trippers.go:411] Response Headers:
> > I0326 22:58:26.966184 38291 round_trippers.go:414] Server: nginx
> > I0326 22:58:26.966199 38291 round_trippers.go:414] Date: Mon, 26 Mar 2018 20:58:26 GMT
> > I0326 22:58:26.966210 38291 round_trippers.go:414] Content-Type: application/json
> > I0326 22:58:26.966529 38291 round_trippers.go:414] Connection: keep-alive
> > I0326 22:58:26.966557 38291 round_trippers.go:414] Vary: Accept-Encoding
> > I0326 22:58:26.966572 38291 round_trippers.go:414] Cache-Control: no-store
> > I0326 22:58:26.968573 38291 round_trippers.go:386] curl -k -v -XGET -H "X-Csrf-Token: 1" https://hosting.wfp.org/oauth/authorize?client_id=openshift-challenging-client&code_challenge=kJm9R5VPybDF9QjG-t9EhOAw0CCcLpiVQ2pXxmME08w&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth%2Ftoken%2Fimplicit&response_type=code
> > I0326 22:58:27.002233 38291 round_trippers.go:405] GET https://hosting.wfp.org/oauth/authorize?client_id=openshift-challenging-client&code_challenge=kJm9R5VPybDF9QjG-t9EhOAw0CCcLpiVQ2pXxmME08w&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth%2Ftoken%2Fimplicit&response_type=code 401 Unauthorized in 33 milliseconds
> > I0326 22:58:27.002305 38291 round_trippers.go:411] Response Headers:
> > I0326 22:58:27.002333 38291 round_trippers.go:414] Connection: keep-alive
> > I0326 22:58:27.002343 38291 round_trippers.go:414] Www-Authenticate: Basic realm="openshift"
> > I0326 22:58:27.002352 38291 round_trippers.go:414] Server: nginx
> > I0326 22:58:27.002361 38291 round_trippers.go:414] Date: Mon, 26 Mar 2018 20:58:26 GMT
> > I0326 22:58:27.002370 38291 round_trippers.go:414] Content-Type: text/plain; charset=utf-8
> > I0326 22:58:27.002379 38291 round_trippers.go:414] Content-Length: 0
> > Authentication required for https://hosting.wfp.org:443 (openshift)
> > Username: MYUSERNAME
> > Password: MYPASSWORD
> > I0326 22:58:32.977080 38291 round_trippers.go:386] curl -k -v -XGET -H "Authorization: Basic ZmFiaW8ubWFydGluZWxsaTo=" -H "X-Csrf-Token: 1" https://hosting.wfp.org/oauth/authorize?client_id=openshift-challenging-client&code_challenge=kJm9R5VPybDF9QjG-t9EhOAw0CCcLpiVQ2pXxmME08w&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth%2Ftoken%2Fimplicit&response_type=code
> > I0326 22:58:33.018514 38291 round_trippers.go:405] GET https://hosting.wfp.org/oauth/authorize?client_id=openshift-challenging-client&code_challenge=kJm9R5VPybDF9QjG-t9EhOAw0CCcLpiVQ2pXxmME08w&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth%2Ftoken%2Fimplicit&response_type=code 500 Internal Server Error in 41 milliseconds
> > I0326 22:58:33.018570 38291 round_trippers.go:411] Response Headers:
> > I0326 22:58:33.018584 38291 round_trippers.go:414] Server: nginx
> > I0326 22:58:33.018595 38291 round_trippers.go:414] Date: Mon, 26 Mar 2018 20:58:32 GMT
> > I0326 22:58:33.018603 38291 round_trippers.go:414] Content-Type: text/plain; charset=utf-8
> > I0326 22:58:33.018611 38291 round_trippers.go:414] Content-Length: 100
> > I0326 22:58:33.018621 38291 round_trippers.go:414] Connection: keep-alive
> > error: Internal error occurred: unexpected response: 500 - verify you have provided the correct host and port and that the server is currently running.
> > I0326 22:58:33.019129 38291 helpers.go:206] server response object: [{
> >   "metadata": {},
> >   "status": "Failure",
> >   "message": "Internal error occurred: unexpected response: 500",
> >   "reason": "InternalError",
> >   "details": {
> >     "causes": [
> >       {
> >         "message": "unexpected response: 500"
> >       }
> >     ]
> >   },
> >   "code": 500
> > }]
> > F0326 22:58:33.019164 38291 helpers.go:120] Error from server (InternalError): Internal error occurred: unexpected response: 500
> > ################################################
> >
> > as you can see nginx is running in front of the OpenShift
> > WebConsole but when I use the htpasswd auth plugin this is
> > completely transparent.
> >
> > OpenShift side logs; AD is running on https://fs.auth.wfp.org :
> > ################################################
> > Mar 26 22:59:14 wfpromshap22 journal: I0326 20:59:14.505682 1 wrap.go:42] GET /apis/oauth.openshift.io/v1/oauthclients/openshift-web-console: (1.873926ms) 200 [[openshift/v1.7.6+a08f5eeb62 (linux/amd64) kubernetes/c84beff] 127.0.0.1:34518]
> > Mar 26 22:59:14 wfpromshap22 origin-master-api: I0326 20:59:14.505682 1 wrap.go:42] GET /apis/oauth.openshift.io/v1/oauthclients/openshift-web-console: (1.873926ms) 200 [[openshift/v1.7.6+a08f5eeb62 (linux/amd64) kubernetes/c84beff] 127.0.0.1:34518]
> > Mar 26 22:59:14 wfpromshap22 origin-master-api: I0326 20:59:14.506054 1 handler.go:66] Authentication needed for &{{my_openid_connect 0xf28d5e0 {5b176f53-e0cb-410a-ad7c-5a6f60b4c38e bsJyJ3VNfReAj7sq1L785Yh2cPcImlFcTcY18HbR [openid] map[] https://fs.auth.wfp.org/adfs/oauth2/authorize https://fs.auth.wfp.org/adfs/oauth2/token https://fs.auth.wfp.org/adfs/userinfo [sub] [preferred_username] [email] [name] <nil>}} 0xc4217c20f0 0xc421777400 0xc4216ab950 [0xc4217c70e0 0xc4217c20f0] [0xc4217c2090 0xc4217c20f0] 0xc42175d840}
> > Mar 26 22:59:14 wfpromshap22 origin-master-api: I0326 20:59:14.506131 1 handler.go:78] redirect to https://fs.auth.wfp.org/adfs/oauth2/authorize?client_id=5b176f53-e0cb-410a-ad7c-5a6f60b4c38e&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth2callback%2Fmy_openid_connect&response_type=code&scope=openid&state=Y3NyZj1kMjIyNWJjMC0zMTBkLTExZTgtYjlhZi0wMDUwNTZhNjZmNGImdGhlbj0lMkZvYXV0aCUyRmF1dGhvcml6ZSUzRmNsaWVudF9pZCUzRG9wZW5zaGlmdC13ZWItY29uc29sZSUyNnJlc3BvbnNlX3R5cGUlM0Rjb2RlJTI2c3RhdGUlM0RleUowYUdWdUlqb2lMeUlzSW01dmJtTmxJam9pTVRVeU1qQTVOemsxTlRFek9TMHpPRFV6T1RFNU5qWXhNelU0T1RJMk9UYzVNekkyTmpJeU5UTXdOVGt4TkRJek5qazROVFkwTVRNNE5UZzVPVGM0TWpNek1qWXhNekF4TnpjeU5Ea3dOVE0xTVRFeU9EVTNNVEEwTWpjNEluMCUyNnJlZGlyZWN0X3VyaSUzRGh0dHBzJTI1M0ElMjUyRiUyNTJGaG9zdGluZy53ZnAub3JnJTI1MkZjb25zb2xlJTI1MkZvYXV0aA%3D%3D
> > Mar 26 22:59:14 wfpromshap22 origin-master-api: I0326 20:59:14.506185 1 wrap.go:42] GET /oauth/authorize?client_id=openshift-web-console&response_type=code&state=eyJ0aGVuIjoiLyIsIm5vbmNlIjoiMTUyMjA5Nzk1NTEzOS0zODUzOTE5NjYxMzU4OTI2OTc5MzI2NjIyNTMwNTkxNDIzNjk4NTY0MTM4NTg5OTc4MjMzMjYxMzAxNzcyNDkwNTM1MTEyODU3MTA0Mjc4In0&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Fconsole%2Foauth: (2.865321ms) 302 [[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36] 10.11.40.34:34290]
> > Mar 26 22:59:14 wfpromshap22 journal: I0326 20:59:14.506054 1 handler.go:66] Authentication needed for &{{my_openid_connect 0xf28d5e0 {5b176f53-e0cb-410a-ad7c-5a6f60b4c38e bsJyJ3VNfReAj7sq1L785Yh2cPcImlFcTcY18HbR [openid] map[] https://fs.auth.wfp.org/adfs/oauth2/authorize https://fs.auth.wfp.org/adfs/oauth2/token https://fs.auth.wfp.org/adfs/userinfo [sub] [preferred_username] [email] [name] <nil>}} 0xc4217c20f0 0xc421777400 0xc4216ab950 [0xc4217c70e0 0xc4217c20f0] [0xc4217c2090 0xc4217c20f0] 0xc42175d840}
> > Mar 26 22:59:14 wfpromshap22 journal: I0326 20:59:14.506131 1 handler.go:78] redirect to https://fs.auth.wfp.org/adfs/oauth2/authorize?client_id=5b176f53-e0cb-410a-ad7c-5a6f60b4c38e&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth2callback%2Fmy_openid_connect&response_type=code&scope=openid&state=Y3NyZj1kMjIyNWJjMC0zMTBkLTExZTgtYjlhZi0wMDUwNTZhNjZmNGImdGhlbj0lMkZvYXV0aCUyRmF1dGhvcml6ZSUzRmNsaWVudF9pZCUzRG9wZW5zaGlmdC13ZWItY29uc29sZSUyNnJlc3BvbnNlX3R5cGUlM0Rjb2RlJTI2c3RhdGUlM0RleUowYUdWdUlqb2lMeUlzSW01dmJtTmxJam9pTVRVeU1qQTVOemsxTlRFek9TMHpPRFV6T1RFNU5qWXhNelU0T1RJMk9UYzVNekkyTmpJeU5UTXdOVGt4TkRJek5qazROVFkwTVRNNE5UZzVPVGM0TWpNek1qWXhNekF4TnpjeU5Ea3dOVE0xTVRFeU9EVTNNVEEwTWpjNEluMCUyNnJlZGlyZWN0X3VyaSUzRGh0dHBzJTI1M0ElMjUyRiUyNTJGaG9zdGluZy53ZnAub3JnJTI1MkZjb25zb2xlJTI1MkZvYXV0aA%3D%3D
> > Mar 26 22:59:14 wfpromshap22 journal: I0326 20:59:14.506185 1 wrap.go:42] GET /oauth/authorize?client_id=openshift-web-console&response_type=code&state=eyJ0aGVuIjoiLyIsIm5vbmNlIjoiMTUyMjA5Nzk1NTEzOS0zODUzOTE5NjYxMzU4OTI2OTc5MzI2NjIyNTMwNTkxNDIzNjk4NTY0MTM4NTg5OTc4MjMzMjYxMzAxNzcyNDkwNTM1MTEyODU3MTA0Mjc4In0&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Fconsole%2Foauth: (2.865321ms) 302 [[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36] 10.11.40.34:34290]
> > Mar 26 22:59:14 wfpromshap22 journal: I0326 20:59:14.634186 1 handler.go:160] Got auth data
> > Mar 26 22:59:14 wfpromshap22 origin-master-api: I0326 20:59:14.634186 1 handler.go:160] Got auth data
> > Mar 26 22:59:14 wfpromshap22 origin-master-api: I0326 20:59:14.642600 1 openid.go:216] identity=&{my_openid_connect l8M167PMNqOtC+i49V4K5wAiVhlnNY7Tax//O0l0Bm8= map[]}
> > ################################################
> >
> > please can I somehow debug step by step what Origin is doing here ?
> >
> > I've got I should get a JWT from AD during the authentication, did
> > I get it ? I read "Got auth data" in the logs.
> >
> > I've no access to the AD logs but I can dialog F2F with our AD Admin.
> >
> > many thanks in advance,
> > Fabio Martinelli
> >
> > [$] https://docs.openshift.com/container-platform/3.7/install_config/configuring_authentication.html#OpenID
> > [%] https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code
> >
> > _______________________________________________
> > users mailing list
> > [email protected]
> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
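
On the question in the thread of whether a JWT came back and what OpenShift made of it: the Python below is an added example, not code from the thread or from OpenShift. It decodes an ID token without verifying it and checks the claims against the claim lists printed in the master log (`[sub] [preferred_username] [email] [name]`) and the `client_id` from the redirect. The token, its `sub` value and all function names are constructed for illustration, and the `provider:sub` identity name is an assumption based on how OpenShift 3.x names Identity objects.

```python
import base64
import json

# Values copied from the master log quoted in the thread.
PROVIDER_NAME = "my_openid_connect"
CLIENT_ID = "5b176f53-e0cb-410a-ad7c-5a6f60b4c38e"
# Claim lists in the order the log prints them: [sub] [preferred_username] [email] [name]
CLAIM_MAPPING = {
    "id": ["sub"],
    "preferredUsername": ["preferred_username"],
    "email": ["email"],
    "name": ["name"],
}


def b64url_decode(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed token for offline testing (third segment is a placeholder)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([b64url_encode_json(header), b64url_encode_json(claims), "c2lnbmF0dXJl"])


def decode_unverified(token):
    """Return (header, claims) WITHOUT checking the signature.

    Inspection aid for debugging only; never base a trust decision on it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments, got %d" % len(parts))
    # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueError subclasses.
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def resolve_mapping(claims, mapping=CLAIM_MAPPING):
    """For each identity field, take the first listed claim that is a non-empty string."""
    resolved = {}
    for field, candidates in mapping.items():
        values = (claims.get(name) for name in candidates)
        resolved[field] = next((v for v in values if isinstance(v, str) and v), None)
    return resolved


def diagnose(token, provider_name=PROVIDER_NAME, client_id=CLIENT_ID):
    """Report what an identity provider configured like the one in the log could extract."""
    header, claims = decode_unverified(token)
    resolved = resolve_mapping(claims)
    problems = []
    if resolved["id"] is None:
        problems.append("no usable 'sub' claim: no identity can be built")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("'aud' does not contain the configured client_id")
    missing = [f for f in ("preferredUsername", "email", "name") if resolved[f] is None]
    # Assumption: Identity objects are named "<provider>:<id claim>"; with
    # mappingMethod "lookup" that object has to exist before the login.
    identity = "%s:%s" % (provider_name, resolved["id"]) if resolved["id"] else None
    return {
        "alg": header.get("alg"),
        "identity": identity,
        "resolved": resolved,
        "missing_optional": missing,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed token carrying only 'sub' and 'aud'.
    sample = make_sample_token({"sub": "EXAMPLE-SUB-0001", "aud": CLIENT_ID})
    print(json.dumps(diagnose(sample), indent=2))
```
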
