Contributor

@Leo6Leo Leo6Leo commented Sep 22, 2025

Closes #13744

Description

After logging in with Google OAuth OIDC, the Console can only show the username instead of the full name as the display name in the top right corner of the console.

Steps to test out the changes

  1. Have a cluster that is configured with Google OIDC login. If you don't have one, you can follow the instructions I wrote in the Appendix, which is located at the bottom of this PR description.

  2. Choose Google-OpenID-Connect as your login option and log in with your Google account.

  3. After you log in successfully, you will see that the top right corner displays your full name instead of your email address.

Special Note

Thanks to @logonoff for the discussion on what would be the better way to resolve this issue.

Appendix: How to configure Google OAuth on your cluster for testing purposes

Prerequisites

Before you begin, you'll need:

  • Administrator access to your OpenShift cluster using the oc and kubectl CLI.
  • A Google Cloud project with an OAuth 2.0 Client ID and Client Secret created. If you need to create one, follow Google's official documentation.

Step 1: Create the Google Client Secret in OpenShift

First, create a k8s secret in the openshift-config namespace to securely store your Google OAuth client secret. This prevents storing sensitive values directly in the main cluster configuration.

Replace <your-google-client-secret> with the actual client secret from your Google Cloud project.

oc create secret generic google-secret \
  --from-literal=clientSecret=<your-google-client-secret> \
  -n openshift-config

Step 2: Configure the Cluster OAuth Identity Provider

Next, edit the cluster-wide OAuth configuration to add Google as an identity provider.

oc edit oauth cluster

Replace <your-google-client-id> with the Client ID from your Google Cloud project.

spec:
  identityProviders:
  - name: Google                 # This is the name that will appear on the login page
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: <your-google-client-id>
      clientSecret:
        name: google-secret      # The name of the secret you created in Step 1
      extraScopes:
      - email
      - profile
      issuer: https://accounts.google.com
      claims:
        preferredUsername:
        - email
        name:
        - name
        email:
        - email

Save and close the editor. Then wait until the authentication operator finishes reconciling.

Step 3: Get the redirect_uri and Update Google Cloud

This is a crucial step. OpenShift generates a unique callback URL that Google needs to know about for security.

  1. Open your OpenShift cluster's web console in a browser. You should now see the "Google" login option.

  2. Click the Google login button. You will likely be redirected to a Google error page saying something like "Error 400: redirect_uri_mismatch". This is expected!

  3. Copy the entire URL from your browser's address bar. Find the redirect_uri parameter within that URL. It will look something like this:
    https://oauth-openshift.apps../oauth2callback/Google

  4. Go to your project in the Google Cloud Console.

  5. Navigate to your OAuth 2.0 Client ID.

  6. Under the "Authorized redirect URIs" section, click "ADD URI" and paste the full redirect_uri you copied.

  7. Click Save.

  8. Log in with your Google account again and you will see it works!
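
The check below is an added example, not part of this PR or the console code base: it pulls the redirect_uri out of the URL copied in step 3 and confirms it has the form shown there before it is pasted into "Authorized redirect URIs". The sample URL, the idp.example and cluster.example.com hosts, and both function names are constructed for illustration; the host prefix and path rules are assumptions drawn from the example URI above and the name: Google entry in Step 2.

```javascript
// Constructed sample of the URL copied in step 3 (hosts and IDs are placeholders).
const copiedUrl =
  'https://idp.example/authorize?response_type=code&client_id=example-client-id' +
  '&redirect_uri=https%3A%2F%2Foauth-openshift.apps.cluster.example.com%2Foauth2callback%2FGoogle' +
  '&scope=openid+email+profile&state=abc123';

// Return the percent-decoded redirect_uri from the copied URL.
// Throws if the parameter is missing or appears more than once.
function extractRedirectUri(url) {
  const values = new URL(url).searchParams.getAll('redirect_uri');
  if (values.length !== 1) {
    throw new Error(`expected exactly one redirect_uri, found ${values.length}`);
  }
  return values[0];
}

// Return a list of problems; an empty list means the URI has the expected form.
// Assumed form (from the example in step 3):
//   https://oauth-openshift.apps.<cluster domain>/oauth2callback/<identity provider name>
function checkRedirectUri(uri, idpName) {
  let u;
  try {
    u = new URL(uri);
  } catch {
    return ['not an absolute URL'];
  }
  const problems = [];
  if (u.protocol !== 'https:') problems.push('scheme is not https');
  if (u.username || u.password) problems.push('contains userinfo');
  if (!u.hostname.startsWith('oauth-openshift.apps.')) {
    problems.push('unexpected host ' + u.hostname);
  }
  // The path segment is the identity provider name from Step 2, compared case-sensitively.
  if (u.pathname !== `/oauth2callback/${idpName}`) {
    problems.push('path does not match identity provider name ' + idpName);
  }
  if (u.search || u.hash) problems.push('has a query string or fragment');
  if (uri.includes('*')) problems.push('contains a wildcard');
  return problems;
}

const redirectUri = extractRedirectUri(copiedUrl);
const problems = checkRedirectUri(redirectUri, 'Google');
console.log(redirectUri, problems.length === 0 ? 'OK to register' : problems);
```

Register the value only when the problem list is empty; a mismatch in the last path segment usually means the name in spec.identityProviders was changed after the URI was copied.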

@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 22, 2025
@openshift-ci-robot
Contributor

@Leo6Leo: This pull request references Jira Issue OCPBUGS-56892, which is invalid:

  • expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from cajieh and TheRealJon September 22, 2025 17:51
@openshift-ci openshift-ci bot added component/core Related to console core functionality component/sdk Related to console-plugin-sdk component/shared Related to console-shared labels Sep 22, 2025
@Leo6Leo
Contributor Author

Leo6Leo commented Sep 22, 2025

/jira refresh
/label tide/merge-method-squash

@openshift-ci openshift-ci bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Sep 22, 2025
@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Sep 22, 2025
@openshift-ci-robot
Contributor

@Leo6Leo: This pull request references Jira Issue OCPBUGS-56892, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yanpzhan


@openshift-ci openshift-ci bot requested a review from yanpzhan September 22, 2025 17:53
…th fallbacks and add corresponding unit tests
@openshift-ci-robot
Contributor

@Leo6Leo: This pull request references Jira Issue OCPBUGS-56892, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yanpzhan


@Leo6Leo
Contributor Author

Leo6Leo commented Sep 22, 2025

/cc @logonoff @jhadvig

@openshift-ci openshift-ci bot requested review from jhadvig and logonoff September 22, 2025 18:21
const userToggle = (
<span className="co-username" data-test="username">
{authEnabledFlag ? username : t('public~Auth disabled')}
{authEnabledFlag ? displayName || username || 'User' : t('public~Auth disabled')}
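Review bot: The 'User' literal at the end of displayName || username || 'User' is a hard-coded English string, while the other branch of the same ternary goes through t('public~Auth disabled'). Wrap it in t(), or drop it if displayName is guaranteed to be non-empty, so the masthead never shows an untranslated label.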
Member

displayName will always return a value so i am not sure if we need the fallback values here

return currentUsername.trim();
}
// Final fallback for edge cases
return 'Unknown User';
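Review bot: The final return 'Unknown User'; hands callers a placeholder that looks like a real name, so they cannot tell "no name available" apart from a name that happens to carry that text, and the string is not translated. Returning null or undefined here would let the caller choose the fallback and its wording.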
Member

@logonoff logonoff Sep 22, 2025

should either add i18n or return null (to allow for fallback values to fallback)

@Leo6Leo Leo6Leo requested a review from logonoff September 22, 2025 18:37
@openshift-ci openshift-ci bot added the kind/i18n Indicates issue or PR relates to internationalization or has content that needs to be translated label Sep 22, 2025
@Leo6Leo
Copy link
Contributor Author

Leo6Leo commented Sep 23, 2025

/retest

Member

@logonoff logonoff left a comment

a comment regarding capitalization

@Leo6Leo Leo6Leo requested a review from logonoff September 25, 2025 18:52
@Leo6Leo
Contributor Author

Leo6Leo commented Sep 25, 2025

/retest

@Leo6Leo
Contributor Author

Leo6Leo commented Sep 26, 2025

/retest

Member

@logonoff logonoff left a comment

/approve

Does this work / have to work with impersonation?

/cc @TheRealJon
I think you should also take a look as you're more familiar with the redux store

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 26, 2025
@Leo6Leo
Contributor Author

Leo6Leo commented Sep 26, 2025

/approve

Does this work / have to work with impersonation?

/cc @TheRealJon I think you should also take a look as you're more familiar with the redux store

I don't think this will have any impact on impersonation, since the user will still be authenticated as the user they are logged in as. Impersonation will show a banner at the top of the console, and it won't change the identity of the currently logged-in user.

@Leo6Leo
Contributor Author

Leo6Leo commented Sep 29, 2025

/retest

@Leo6Leo Leo6Leo requested a review from logonoff September 29, 2025 17:43

type GetImpersonate = (state: SDKStoreState) => ImpersonateKind;
type GetUser = (state: SDKStoreState) => UserInfo;
type GetUserResource = (state: SDKStoreState) => any;
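Review bot: GetUserResource returns any, unlike GetImpersonate and GetUser directly above it, so whatever is read from the user resource through this selector is unchecked by the compiler. Give the selector a concrete return type for the user resource.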
Member

@logonoff logonoff Sep 29, 2025

one more spot where we can remove the use of any

Contributor Author

Updated, thanks for catching that @logonoff

@Leo6Leo Leo6Leo requested a review from logonoff September 29, 2025 17:52
Member

@logonoff logonoff left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 29, 2025
Contributor

openshift-ci bot commented Sep 29, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Leo6Leo, logonoff

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Leo6Leo
Contributor Author

Leo6Leo commented Sep 30, 2025

/retest

verify by
/assign @yapei

Contributor

openshift-ci bot commented Sep 30, 2025

@Leo6Leo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/okd-scos-e2e-aws-ovn | a8e3d23 | link | unknown | /test okd-scos-e2e-aws-ovn
ci/prow/frontend | a8e3d23 | link | unknown | /test frontend

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Successfully merging this pull request may close these issues.

Masthead username toggle does not uses fullName