kiali: Fail to login with OpenID Connect as "failure when retrieving user identity"

Describe the bug

Thanks for supporting “Authentication code” flow. I tried the version 1.24.0 but got a result:

    {
      "error": "failure when retrieving user identity",
      "detail": "request failed (HTTP response status = 401 Unauthorized)"
    }

Here is my configuration:

    auth:
      openid:
        authentication_timeout: 300
        authorization_endpoint: ""
        client_id: "kubernetes-xxxx"
        insecure_skip_verify_tls: false
        issuer_uri: "https://oidc.xxxxxxx.com/auth/realms/aaaaa"
        scopes:
        - openid
        - profile
        - email
        username_claim: email
      openshift:
        client_id_prefix: kiali
      #strategy: anonymous
      strategy: openid

Versions used

  • Kiali: 1.24.0
  • Istio: 1.7.2
  • Kubernetes flavour and version: v1.18.4

To Reproduce

Steps to reproduce the behavior:

  1. Configure the auth section for openId
  2. Click on 'Log In With OpenID'
  3. Authenticate with my username and password.
  4. See error

Expected behavior

Show the authenticated main page.

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 2
  • Comments: 24 (12 by maintainers)

Most upvoted comments

The Unauthorized response may indicate that you didn’t create the openid client-secret. Please check that you created the secret. If you installed using the operator, the command should be something like:

    kubectl get secret kiali -n $KIALI_INSTALL_NAMESPACE

If you get nothing, you need to create the secret as explained in OpenID set-up instructions in https://kiali.io/documentation/latest/configuration/authentication/openid/#_set_up.

If you have a secret in place, can you check that it’s correctly mounted in Kiali? The command should be similar to:

    kubectl exec $KIALI_POD_NAME -n $KIALI_INSTALL_NAMESPACE -- cat /kiali-secret/oidc-secret

The output should be the openid secret in plain text.
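
The two checks from the comment above, combined into one function that compares SHA-256 digests so the client secret is never printed to the terminal or scrollback. This is an added example, not part of the original thread or the Kiali project; the secret name `kiali` and the mount path come from the comment, while the data key `oidc-secret` is an assumption inferred from the mounted file name.

```shell
#!/bin/sh
# Added example (not Kiali project code). Checks the OpenID client secret
# without echoing it: digests are compared instead of printing the value.
# From the thread: secret name "kiali", mount path /kiali-secret/oidc-secret.
# Assumption: the secret's data key is "oidc-secret" (inferred from the file name).
# Usage: . ./check.sh && check_oidc_secret "$KIALI_INSTALL_NAMESPACE" "$KIALI_POD_NAME"
SECRET_NAME="${SECRET_NAME:-kiali}"
SECRET_KEY="${SECRET_KEY:-oidc-secret}"
MOUNT_PATH="${MOUNT_PATH:-/kiali-secret/oidc-secret}"

digest() { sha256sum | cut -d' ' -f1; }

# check_oidc_secret NAMESPACE POD
# Returns: 0 ok, 1 secret missing, 2 key missing/empty,
#          3 mounted file missing/empty, 4 mounted value differs from the secret.
check_oidc_secret() {
  local ns="$1" pod="$2" b64 stored mounted empty
  empty=$(printf '' | digest)

  if ! kubectl get secret "$SECRET_NAME" -n "$ns" >/dev/null 2>&1; then
    echo "FAIL: secret/$SECRET_NAME not found in namespace $ns" >&2
    return 1
  fi

  b64=$(kubectl get secret "$SECRET_NAME" -n "$ns" -o "jsonpath={.data.$SECRET_KEY}")
  if [ -z "$b64" ]; then
    echo "FAIL: key $SECRET_KEY is missing or empty in secret/$SECRET_NAME" >&2
    return 2
  fi
  stored=$(printf '%s' "$b64" | base64 -d | digest)

  # A failed exec produces no output, which hashes to the empty-input digest.
  mounted=$(kubectl exec "$pod" -n "$ns" -- cat "$MOUNT_PATH" 2>/dev/null | digest)
  if [ "$mounted" = "$empty" ]; then
    echo "FAIL: $MOUNT_PATH is missing or empty in pod $pod" >&2
    return 3
  fi
  if [ "$mounted" != "$stored" ]; then
    echo "FAIL: mounted value differs from secret/$SECRET_NAME" >&2
    return 4
  fi
  echo "OK: $SECRET_KEY exists in secret/$SECRET_NAME and is mounted in $pod"
}
```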