Bug 1439221
Summary: | [3.5] Can't login to Jenkins application when ENABLE_OAUTH=true and RequestHeaderIdentityProvider is used | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Scott Dodson <sdodson> |
Component: | apiserver-auth | Assignee: | Jordan Liggitt <jliggitt> |
Status: | CLOSED ERRATA | QA Contact: | Chuan Yu <chuyu> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 3.5.0 | CC: | aos-bugs, bingli, bparees, chuyu, dakini, dmace, dyan, gmontero, ihorvath, jliggitt, jokerman, mkhan, mmccomas, rromerom, simon.gunzenreiner, tdawson, trankin, xtian, yasun, yufchang |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause:
Redirects to OAuth approval flows used absolute URLs.
Consequence:
OAuth approval flows would not work when used in combination with a RequestHeaderIdentityProvider.
Fix:
The OAuth approval endpoint was moved to be a subpath of the authorize endpoint (https://<master>/oauth/authorize/approve) and redirects were made relative.
Result:
OAuth approval flows work properly when used in combination with a RequestHeaderIdentityProvider, as long as the authenticating proxy meets the following requirements:
1. The URL that proxies to https://<master>/oauth/authorize also ends with ".../authorize" (with no trailing slash)
2. Subpaths of the URL that proxies to https://<master>/oauth/authorize are also proxied (for example, "https://<master>/oauth/authorize/approve")
|
Story Points: | --- |
Clone Of: | 1434983 | Environment: | |
Last Closed: | 2017-04-12 19:15:03 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1434983 | ||
Bug Blocks: |
Description
Scott Dodson
2017-04-05 12:55:26 UTC
*** Bug 1439222 has been marked as a duplicate of this bug. ***

Verified with the 3.5.5.2 build. Here are the steps:
1. Set up RequestHeaderIdentityProvider and SAML as the authentication method.
2. Log in to OpenShift, create a new project and new-app a Jenkins app.
3. Launch Jenkins successfully.

# openshift version
openshift v3.5.5.2
kubernetes v1.5.2+43a9be4
etcd 3.1.0

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884
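The two proxy requirements in the Doc Text follow from how a browser resolves a relative redirect (RFC 3986, section 5.2). The check below is an added example, not code from OpenShift or from this bug report; the host `proxy.example.com`, the path prefixes, and the exact form of the relative `Location` value (`authorize/approve?...`, inferred from requirement 1) are assumptions.

```python
"""Check an authenticating proxy's authorize URL against both requirements."""
from urllib.parse import urljoin, urlsplit

# Assumed form of the relative redirect (inferred from requirement 1, not
# quoted from the bug): the segment "authorize" followed by "/approve".
RELATIVE_REDIRECT = "authorize/approve?client_id=constructed"


def resolve_redirect(proxy_authorize_url, location=RELATIVE_REDIRECT):
    """Resolve a relative Location header the way a browser does."""
    return urljoin(proxy_authorize_url, location)


def check_proxy(proxy_authorize_url, proxied_prefixes):
    """Return a list of problems; an empty list means both requirements hold.

    proxied_prefixes: path prefixes that the proxy forwards to the master.
    """
    problems = []
    path = urlsplit(proxy_authorize_url).path
    # Requirement 1: the URL ends with ".../authorize", no trailing slash.
    if not path.endswith("/authorize"):
        problems.append("authorize URL must end with '/authorize'")
    # Where the browser actually goes after following the relative redirect.
    target = urlsplit(resolve_redirect(proxy_authorize_url)).path
    expected = path.rstrip("/") + "/approve"
    if target != expected:
        problems.append(f"redirect lands on {target}, not {expected}")
    # Requirement 2: the approve subpath must also be proxied.
    if not any(target == p or target.startswith(p.rstrip("/") + "/")
               for p in proxied_prefixes):
        problems.append(f"{target} is not forwarded by the proxy")
    return problems


if __name__ == "__main__":
    # Constructed sample proxy configurations.
    for url, prefixes in [
        ("https://proxy.example.com/sso/oauth/authorize", ["/sso/oauth/authorize"]),
        ("https://proxy.example.com/sso/oauth/authorize/", ["/sso/oauth/authorize"]),
        ("https://proxy.example.com/sso/login", ["/sso/login"]),
    ]:
        print(url, "->", check_proxy(url, prefixes) or "OK")
```

With a trailing slash, the same relative redirect resolves to `.../authorize/authorize/approve`, which is why requirement 1 rules it out.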