Bug 1434983
Summary: | [3.4] Can't login to Jenkins application when ENABLE_OAUTH=true and RequestHeaderIdentityProvider is used | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Jordan Liggitt <jliggitt> | |
Component: | apiserver-auth | Assignee: | Jordan Liggitt <jliggitt> | |
Status: | CLOSED ERRATA | QA Contact: | Chuan Yu <chuyu> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 3.4.0 | CC: | aos-bugs, bingli, bparees, chuyu, dakini, dmace, dyan, gmontero, ihorvath, jokerman, mkhan, mmccomas, rromerom, simon.gunzenreiner, tdawson, xtian, yasun, yufchang | |
Target Milestone: | --- | |||
Target Release: | 3.4.z | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | If docs needed, set a value | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | 1421629 | |||
: | 1439221 1439222 | Environment: | ||
Last Closed: | 2017-04-19 19:42:47 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1439221, 1439222 |
Description
Jordan Liggitt
2017-03-22 20:10:21 UTC
The workaround for this issue is to make the auth proxy paths match the API server paths for these paths:

These are the paths that require proxying currently:
https://api.acme.com/oauth/authorize (and subpaths)
https://api.acme.com/oauth/approve

The auth proxy paths would be:
https://auth.acme.com/oauth/authorize (and subpaths)
https://auth.acme.com/oauth/approve

The master-config.yaml would be:

    ...
    oauthConfig:
      identityProviders:
      - name: ...
        login: true
        ...
        provider:
          apiVersion: v1
          kind: RequestHeaderIdentityProvider
          loginURL: "https://auth.acme.com/oauth/authorize?${query}"
          ...

https://github.com/openshift/origin/pull/13569 will move the approval flow to /oauth/authorize/approve so there is a single root that auth proxies need to proxy.

Tested in 3.4 latest puddle, the issue should be fixed, here are my steps:
1. set up openshift with saml auth method
2. create jenkins instance in my namespace
3. log in to jenkins successfully with openshift login info.

    # openshift version
    openshift v3.4.1.16
    kubernetes v1.4.0+776c994
    etcd 3.1.0-rc.0

Verified, see the #c3.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0989
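A small check of the workaround in the description, as an added example that is not part of the original bug report or of OpenShift's code: it tests whether a loginURL and an auth proxy's forwarded path prefixes line up with the API server paths listed in the description. The function names and the second sample URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Paths the bug description says currently require proxying.
AUTHORIZE = "/oauth/authorize"   # and subpaths
APPROVE = "/oauth/approve"


def must_proxy(url_or_path):
    """True if the request path is one the auth proxy has to serve at the same path."""
    path = urlsplit(url_or_path).path
    if path == APPROVE:
        return True
    # The root or a real subpath, not a sibling such as /oauth/authorized.
    return path == AUTHORIZE or path.startswith(AUTHORIZE + "/")


def check_login_url(login_url):
    """Return the ways a loginURL departs from the form used in the workaround."""
    parts = urlsplit(login_url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.path != AUTHORIZE:
        problems.append("path %s differs from API server path %s" % (parts.path, AUTHORIZE))
    if parts.query != "${query}":
        problems.append("query string is not ${query}")
    return problems


def uncovered(proxy_prefixes):
    """Required paths that none of the proxy's forwarded path prefixes cover."""
    def covers(prefix, path):
        prefix = prefix.rstrip("/")
        return path == prefix or path.startswith(prefix + "/")
    return [p for p in (AUTHORIZE, APPROVE)
            if not any(covers(pre, p) for pre in proxy_prefixes)]


if __name__ == "__main__":
    # Constructed samples: the first is the loginURL from the description,
    # the second puts the proxy under a different path (hypothetical).
    for url in ("https://auth.acme.com/oauth/authorize?${query}",
                "https://auth.acme.com/login/authorize?${query}"):
        print(url, "->", check_login_url(url) or "ok")
    print(uncovered(["/oauth/authorize"]))
```

The subpath rule in `must_proxy` also covers /oauth/authorize/approve, the location the linked pull request moves the approval flow to.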