Posted in

OpenShift – IdP GitHub OAuth Setup & Org Permissions

johngohby johngoh0

For those that wants to know how to setup GitHub as your identity provider, here’s the link to the official OpenShift 4.19 Documentation. I skipped the CA bundle. And used the OpenShift Console UI to create the Identity Provider – which works out of the box!

Problem / Issues

I had configured GitHub OAuth not long ago, but no matter how I re-did my steps on a new Cluster and a new OAuth App and a new GitHub Organization, it kept bouncing me out without telling me the specific error. Now, going back into the pod tells us exactly what’s wrong.

Initially it was due to the refresh rate of GitHub OAuth setting that kept bouncing me off with invalid redirect_uri, that was fixed after waiting couple of hours since my URL is definitely correct.

But I was getting kicked out even after the redirect_uri was resolved. So examining the pod helps,

Boom. OpenShift asked GitHub “which orgs is this user in?” and GitHub replied “none” for the token it saw. That happens when org‑membership isn’t visible to the app.

Solution

So the problem has been found, I did not grant the ‘Authorized OAuth Apps’ that OpenShift uses the permissions to read the Organization data. See image below.

Org → Settings → Third‑party access (or OAuth App access restrictions) → approve your OAuth app (the one with your clientID).

OpenShift requests read:org automatically when you configure organizations:/teams: in the OAuth CR, but your org policy may block it unless the app is approved (step #2).

  • If you used teams: ensure the value is exactly openshift-avengers/<teamname> (case‑sensitive).
  • I am using organizations: ["openshift-avengers"] – case sensitive.
Granting access rights to GitHub OAuth Application

Add User as Cluster-Admin

Feel free to add the user as a cluster-admin. The org users will have User/Developer rights by default to your cluster. Also, to add them as cluster-admin see the command below; you can find the github identity under User Management after you logged in. See image below.

oc adm policy add-cluster-role-to-user cluster-admin "github:52900463"
Look for your GitHub user account under OpenShift User Management

Validate OAuth Apps – Authorization callback URL

Also have a look at your OAuth Apps, just to be sure your settings are valid.

Homepage

https://console-openshift-console.apps.xxx.xxx.com

Redirect URI

https://oauth-openshift.apps.xxx.xxx.com/oauth2callback/github

If you are still encountering issues, let me know, post a comment below!

Leave a Reply

Your email address will not be published. Required fields are marked *