Bug 2242261

Summary: STS/OIDC. RGW Validation of a token signature may use a wrong OIDC certificate
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: daniel parkes <dparkes>
Component: RGWAssignee: Pritha Srivastava <prsrivas>
Status: VERIFIED --- QA Contact: Hemanth Sai <hmaheswa>
Severity: high Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified    
Version: 7.1CC: ceph-eng-bugs, cephqe-warriors, mbenjamin, prsrivas, rpollack, tserlin, vereddy, vimishra
Target Milestone: ---   
Target Release: 8.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-19.2.1-114.el9cp Doc Type: Bug Fix
Doc Text:
.Ceph Object Gateway no longer fails during signature validation Previously, if the JSON Web Token (JWT) was not signed using the first x5c certification for signature validation, the signature validation fails. With this fix, the correct certificate is chosen for signature validation, even if is not the first certification. As a result, the signature validation completes as expected.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2351689    

Description daniel parkes 2023-10-05 07:57:25 UTC 
Description of problem:

Working with a customer we have fallen into this known issue:

https://tracker.ceph.com/issues/54562

We have been able to work around it using the RHSSO UI:

realm settings -> keys, edit the rsa-generated provider to have priority 105 rather than 100.

Not an urgent issue, but it would be great if it could get fixed at some point.

Thanks.
Comment 1 RHEL Program Management 2023-10-05 07:57:35 UTC 
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.