Bug 1973575

Summary: Oauth-proxy does not validate token
Product: OpenShift Container Platform
Reporter: Jonas Nordell <jnordell>
Component: oauth-proxy
Assignee: Standa Laznicka <slaznick>
Status: CLOSED CANTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: low
Version: 4.7
CC: aivaraslaimikis, andbartl, aos-bugs, jswensso, mfojtik, rsandu, surbania
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-08-20 12:24:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Comment 1 Standa Laznicka 2021-06-24 11:13:17 UTC
This has always worked like so. This BZ is therefore on the edge between a bug and an RFE. I think we might still address it somewhere in the lifecycle of 4.9.

Comment 7 Sergiusz Urbaniak 2021-08-17 09:22:22 UTC
Sprint review: due to other high-priority bugs we were not able to look into this further.

Comment 8 Standa Laznicka 2021-08-20 12:24:30 UTC
Hello,

I've done some digging through the oauth-proxy session handling code, which is a bit tangled. It turns out that it's not currently possible to validate the sessions as the state that is being kept does not in most cases contain the access token. Requests that follow the login with the OpenShift oauth-server no longer contain the access token that was retrieved from OpenShift and are identified solely based on the user's cookie.

In order to keep the access token on a successful login, we'd need to perform changes to how the oauth-proxy is being run by default, namely we'd have to set up a cipher for the cookie storage so that we can always store the access token within the session cookie.

I originally thought we could "just fix this" but unfortunately my expectations about the code were flawed. I'm going to have to ask you to open an RFE to validate the oauth-proxy sessions.
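The mechanism comment 8 describes (a session identified by cookie alone cannot be re-validated, whereas a session cookie that carries the encrypted access token can be checked against the token issuer on every request) is illustrated below. This is an added example written for this page, not oauth-proxy's own code: the cookie name, the AES-GCM session cipher, the in-memory `tokenValidator` standing in for the OpenShift OAuth server, and the `sha256~example-token` value are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// sessionCipher seals the access token into the session cookie (AES-GCM with a
// random nonce) so the proxy can recover it on later requests and re-validate it.
type sessionCipher struct{ aead cipher.AEAD }

func newSessionCipher(key []byte) (*sessionCipher, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &sessionCipher{aead: aead}, nil
}

func (c *sessionCipher) seal(token string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := c.aead.Seal(nonce, nonce, []byte(token), nil) // nonce || ciphertext || tag
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

func (c *sessionCipher) open(value string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return "", err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("session cookie too short")
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], nil) // fails on tampering or wrong key
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// tokenValidator is a constructed stand-in for the OAuth server's token check;
// the real proxy would ask the OpenShift API whether the token is still valid.
type tokenValidator struct{ valid map[string]bool }

func (v *tokenValidator) validate(token string) bool { return v.valid[token] }
func (v *tokenValidator) revoke(token string)        { delete(v.valid, token) }

const cookieName = "_oauth_proxy_example" // constructed cookie name

// login stores the freshly obtained access token, encrypted, in the session cookie.
func login(c *sessionCipher, w http.ResponseWriter, token string) error {
	v, err := c.seal(token)
	if err != nil {
		return err
	}
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: v, Path: "/", HttpOnly: true, Secure: true})
	return nil
}

// authenticate is the per-request check: decrypt the cookie, then re-validate the
// token it carries. A cookie that only names the user cannot perform the second step.
func authenticate(c *sessionCipher, v *tokenValidator, r *http.Request) (string, error) {
	ck, err := r.Cookie(cookieName)
	if err != nil {
		return "", errors.New("no session cookie")
	}
	token, err := c.open(ck.Value)
	if err != nil {
		return "", fmt.Errorf("bad session cookie: %w", err)
	}
	if !v.validate(token) {
		return "", errors.New("access token no longer valid")
	}
	return token, nil
}

// demo logs in, replays the cookie once before and once after the token is revoked,
// and reports whether each request was accepted.
func demo() (okBefore, okAfter bool, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return false, false, err
	}
	sc, err := newSessionCipher(key)
	if err != nil {
		return false, false, err
	}
	const token = "sha256~example-token" // constructed, not a real token
	validator := &tokenValidator{valid: map[string]bool{token: true}}
	rec := httptest.NewRecorder()
	if err = login(sc, rec, token); err != nil {
		return false, false, err
	}
	req := httptest.NewRequest("GET", "/", nil)
	for _, ck := range rec.Result().Cookies() {
		req.AddCookie(ck)
	}
	_, errBefore := authenticate(sc, validator, req)
	validator.revoke(token)
	_, errAfter := authenticate(sc, validator, req)
	return errBefore == nil, errAfter == nil, nil
}

// tamperedCookieRejected flips one ciphertext byte and confirms AES-GCM rejects it.
func tamperedCookieRejected() bool {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return false
	}
	sc, err := newSessionCipher(key)
	if err != nil {
		return false
	}
	sealed, _ := sc.seal("sha256~example-token")
	raw, _ := base64.RawURLEncoding.DecodeString(sealed)
	raw[len(raw)-1] ^= 0x01
	_, err = sc.open(base64.RawURLEncoding.EncodeToString(raw))
	return err != nil
}

func main() {
	before, after, err := demo()
	fmt.Println("accepted before revocation:", before, "accepted after revocation:", after, "err:", err)
	fmt.Println("tampered cookie rejected:", tamperedCookieRejected())
}
```

The point of the example is the second call to `authenticate`: because the cookie carries the token itself rather than only a user identity, a revoked token is rejected on the next request. Without a cipher configured, the token cannot safely live in the cookie, which is why the comment above ties session validation to setting up cookie encryption by default.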