Do not allow users to change username when logging for the first time

[alexeykazakov]

Is your enhancement related to a problem? Please describe.

We have a Che operator 7.14.2 installed an OCP cluster with the following configuration:

  auth:
    externalIdentityProvider: false
    openShiftoAuth: true
  server:
    customCheProperties:
      CHE_INFRA_KUBERNETES_NAMESPACE_DEFAULT: <username>-code
    allowUserDefinedWorkspaceNamespaces: false

Each user has <openshift-username>-code namespace pre-created.
When a user is trying to login into Che Dashboard the very first time Che's Keycloak shows the following form:

And now if the user edit the username and use another username (not OpenShift username) then he won't be able to start a workspace because Che tries to use not-existing namespace to create a workspace: <che-username>-code instead of `-code.

Describe the solution you'd like

Ideally, user should not be asked to re-enter username, email, names when loging to Che at all. Che just should use the user from OpenShift. Email and Name is not available in OpenShift, but why Che needs them? If it needs them for Git commits or something then it should ask it when/if actually needed. Not in advance.

But at least we should have an option to forbid users to change usernames during Che login because it breaks users.

[xcoulon]

it's even worse if the user has an autofill plugin that will tend to set the fields with real names, including spaces. This is what I did by mistake, and now I have the following error message when trying to create a workspace on Hosted Toolchain:

The workspace would be started in a namespace/project 'xavier coulon-code', which is not a valid namespace/project name.

[l0rd]

I agree on the username. email/name are a different story and can be discussed in a different issue.

[ibuziuk]

@tolusha will you be able to prioritize the issue for the upcoming sprint. This is a fairly important integration issue for Hosted Toolchain

[tolusha]

@ibuziuk
I haven't investigated yet, that's why I am not sure if something can be done on deployment level.
Is it something related to dashboard ?

Maybe @skabashnyuk knows

[tolusha]

@ibuziuk
I see. We can improve it.
I will plan for the next sprint.

[ibuziuk]

@tolusha thanks a lot this is yet another issue that is important for Hosted Toolchain, hopefully, it will be possible to have a fix for CRW 2.4

[tolusha]

I thought having editUsernameAllowed: false in che realm would solve the issue.
But it doesn't work at review profile config stage

[tolusha]

There is mixing up with usernames.
When OpenShift user is logged in the corresponding keycloak user is created. The keycloak username can be different from the OpenShift one. The problem is that we use the keycloak username instead of OpenShift username for namespace name.

[tolusha]

For keycloak user there is a provider username which is supposed to be taken instead of Keycloak username.

[ibuziuk]

@tolusha looks like the issue was moved out from the sprint, but we absolutely need a solution for it. Can we simply make the username field uneditable?

[tolusha]

@ibuziuk
I can introduce a non default theme where username will be a readonly field.
It will require configuring keycloak to select appropriate theme. Does it work for you?

[RickJWagner]

Please leave some way for the user to choose the username if needed.
Example: If OAuth is used, the user will have OpenShift username. But OpenShift allows some names that CRW does not handle well (i.e. myuser@mycompany).
In this case, it is a useful workaround to allow the user to choose a username of their choosing (one without the '@' character that CRW forbids.)
Perhaps we could just provide the default username pre-populated in the form? This will encourage users to accept this value, if they change it they should be assumed to know what they are doing. (If they break things by choosing a username that won't have a namespace, it is their own fault).

[alexeykazakov]

It's pre-populated right now. And doesn't work well. The form also requires to provide Name & email (not sure why, but it's a different issue). And it's usual for auto-fill in browser, suggest Name, email. But by using the auto-fill the username can be automatically changed too! So users don't even notice that they username is changed. We experience this issue with every other user. So it's very common.

[alexeykazakov]

Maybe this option (disable changing usernames) can be in a Che configuration option? In Hosted Toolchain we don't have the issue with invalid usernames. All openshift usernames are guaranteed to be be valid for Che.

[tolusha]

For me disabling username is kind of hack.
The long term solution should be #15323

@RickJWagner
If I introduce something then it won't be a default behavior. There won't be impact on CRW customers.

[ibuziuk]

@tolusha as a quickfix before #15323 I would propose having a username input field readonly / uneditable on the registration level. Another option would be making the username editable but have the validation in place to make it k8s DNS compatible.

[tolusha]

@ibuziuk @alexeykazakov
Keeps username field editable but adds validation:
#17780

@RickJWagner
No impact on customers since CRW uses another identity provide image.

[l0rd]

@tolusha validation is a good compromise and should be ported to CRW as well. Is there any reason why we should not port the upstream PR to the CRW identity provider image?

[alexeykazakov]

Just for clarification. In Hosted Toolchain the problem is not that users can set Che username to a not DNS complaint one. The problem is that users can set Che username which won't match the OpenShift username.
We pre-create namespaces for Che workspaces. Users don't have permissions to create namespaces. So, if some user sets the Che username to a different username then the workspace namespace won't match the pre-created one: <openshift-username>-code and Che won't work for this user at all.
All OpenShift usernames in Hosted Toolchain are DNS complaint.

[tolusha]

@alexeykazakov
I will introduce a new theme for your case..

[tolusha]

@l0rd
I don't think that we are the only one who use image registry.redhat.io/rh-sso-7/sso74-openshift-rhel8:7.4 for authentication and adding limitation might not be acceptable in general.

[l0rd]

@l0rd I don't think that we are the only one who use image registry.redhat.io/rh-sso-7/sso74-openshift-rhel8:7.4 for authentication and adding limitation might not be acceptable in general.

I don't think neither. But that doesn't justify the fact that a feature is available upstream but not downstream.

[tolusha]

@l0rd I see. I will check what we can do here.

[tolusha]

I've created issue to add changed to CRW as well.
#17827

[alexeykazakov]

That new theme will be available in Che operator 7.19, right?

[tolusha]

@alexeykazakov
yes, 7.19

[ibuziuk]

@tolusha could you please clarify how to enable the theme for making the username uneditable in 7.19.0 ?

[tolusha]

@ibuziuk
By default 7.19.0 adds check if username complies DNS naming convention.
If you would like make username uneditable then you have to login into keycloak and change login theme to che-username-readonly