failed to unlock correct collection error on 1.32.1

[jdudley-evroc]

Describe the issue

When using kubelogin 1.32.1 with Keycloak, Kubectl commands fail with the following error message:

ubuntu@jdudley:~/monorepo/deployment/kubespray$ kubectl version
Please visit the following URL in your browser: http://localhost:8000
error: get-token: could not write the token cache: keyring write kubelogin/tokencache/29e99118b938ba4ac8471f5e0857485037307f1cfb7f0d69d5f67ff8b0104312: failed to unlock correct collection '/org/freedesktop/secrets/aliases/default'
Client Version: v1.31.5
Kustomize Version: v5.4.2
Unable to connect to the server: getting credentials: exec: executable kubectl failed with exit code 1

Downgrading to kubelogin 1.28.0 fixes this issue (other versions not tried).

Kube config

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://READACTED:6443
  name: local-management
- cluster:
    insecure-skip-tls-verify: true
    server: https://READACTED:6443
  name: local-observability
- cluster:
    insecure-skip-tls-verify: true
    server: https://READACTED:6443
  name: local-storage
- cluster:
    insecure-skip-tls-verify: true
    server: https://READACTED:6443
  name: local-workload
contexts:
- context:
    cluster: local-management
    namespace: kube-system
    user: local-management
  name: local-management
- context:
    cluster: local-observability
    namespace: kube-system
    user: local-observability
  name: local-observability
- context:
    cluster: local-storage
    namespace: kube-system
    user: local-storage
  name: local-storage
- context:
    cluster: local-workload
    namespace: kube-system
    user: local-workload
  name: local-workload
current-context: local-management
kind: Config
preferences: {}
users:
- name: local-management
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://READACTED/realms/READACTED
      - --oidc-client-id=kubernetes
      - --skip-open-browser
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false
- name: local-observability
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://READACTED/realms/READACTED
      - --oidc-client-id=kubernetes
      - --skip-open-browser
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false
- name: local-storage
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://READACTED/realms/READACTED
      - --oidc-client-id=kubernetes
      - --skip-open-browser
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false
- name: local-workload
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://READACTED/realms/READACTED
      - --oidc-client-id=kubernetes
      - --skip-open-browser
      command: kubectl
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false

Your environment

• OS: Ubuntu 22.04.4 LTS
• kubelogin version: 1.32.1
• kubectl version: 1.31.5
• OpenID Connect provider: Keycloak

[lpaturel]

I've experienced the exact same behaviour when trying to log in to clusters.
OS: Ubuntu 24.04.1 LTS (with WSL)
oidc-login: 1.32.1
kubectl: 1.32.1
OIDC: Keycloak 25

I've tried downgrading to several earlier versions and it seems to work up to 1.32.0. (I tested 1.28.2, 1.30.1 and 1.31.1)

UPDATE 31/01/2025 - new release 1.32.2 seems to correct the issue

[kostis-codefresh]

I had same issue with Ubuntu and WSL

Downgraded to kubectl login 1.32.0 and now it works ok. Thanks @lpaturel