Bug 1744995

Summary: [4.1] Request Header Identity provider configuration is not working
Product: OpenShift Container Platform Reporter: Standa Laznicka <slaznick>
Component: apiserver-authAssignee: Stefan Schimanski <sttts>
Status: CLOSED ERRATA QA Contact: Chuan Yu <chuyu>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.1.0CC: aos-bugs, chuyu, gblomqui, mfojtik
Target Milestone: ---   
Target Release: 4.1.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1741822 Environment:
Last Closed: 2019-09-20 12:29:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1741822    
Bug Blocks: 1739262    

Description Standa Laznicka 2019-08-23 12:54:29 UTC 
+++ This bug was initially created as a clone of Bug #1741822 +++

Description of problem:
Configuring the Request Header IdP for 4.x clusters won't work


Version-Release number of selected component (if applicable):
4.1, master


How reproducible:
100%

Steps to Reproduce:
1. generate a CA cert, sign a client cert with it (has to have clientAuth EKU)
2. configure the request header identity provider by modifying the cluster-scoped oauth/cluster object's spec field to include e.g. the following config:
```
  identityProviders:
  - name: testreqheader
    requestHeader:
      ca:
        name: my-ca-cm
      headers:
      - X-Remote-User
      loginURL: https://prdel.com/authorize?${query}
    type: RequestHeader

```
3. use the client cert/key pair to try to connect to the /oauth/token/request endpoint of the oauth server with curl specifying all that should be required:
```
$ curl -L -k -I -H "X-Remote-User: franta" --cert ~/rootCA/client.pem 'https://<OAUTH_SERVER_HOST>/oauth/token/request'
```


Actual results:
You get `401 unauthorized` response, oauth-server pod logs show

```
Unable to authenticate the request due to an error: x509: certificate signed by unknown authority
```


Expected results:
Either 200 and a token or at least start a flow that would end by receiving a token after properly providing requested information

Additional info:
Modifying the spec of authentication.operator/cluster object with
```
  unsupportedConfigOverrides:
    servingInfo:
      clientCA: /var/config/user/idp/0/configmap/v4-0-config-user-idp-0-ca/ca.crt
```
gets us a bit further, the above curl command progresses as such:
302 (/oauth/authorize?client_id=openshift-browser-client&redirect_uri=https%3A%2F%2F<OAUTH_SERVER_HOST>%2Foauth%2Ftoken%2Fdisplay&response_type=code) -> 302 (/oauth/token/display?code=lWoRmUQmGk8BYZML8ZsluyOP512BRV466UDTQHbqKao&state=) -> 405 Method Not Allowed (since don't allow GET on /oauth/token/display anymore)

specifying -XPOST for the curl does similar
302 -> 302 -> 400 Bad Request (this is closer to what we'd expect but would need some better handling requests)

--- Additional comment from Standa Laznicka on 2019-08-16 09:55:46 CEST ---

Additional additional information:
after setting the unsupportedConfigOverrides, an identity for the user specified in the request header is getting created

--- Additional comment from Standa Laznicka on 2019-08-16 12:40:51 CEST ---



--- Additional comment from Standa Laznicka on 2019-08-16 18:04:43 CEST ---

We've found the source of the bug, I'll have a fix on Monday
Comment 4 errata-xmlrpc 2019-09-20 12:29:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2768