Bug 2346769

Summary: Support N+E Signature Checking in AssumeRoleWithWebIdentity
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Pritha Srivastava <prsrivas>
Component: RGWAssignee: Pritha Srivastava <prsrivas>
Status: CLOSED ERRATA QA Contact: Anuchaithra <anrao>
Severity: medium Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified    
Version: 8.0CC: anrao, ceph-eng-bugs, cephqe-warriors, mbenjamin, rpollack, tserlin
Target Milestone: ---   
Target Release: 8.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-19.2.1-3.el9cp Doc Type: Enhancement
Doc Text:
.AssumeRoleWithIdentity now supports validating JWT signatures Previously, AssumeRoleWithWebIdenity supported JSON Web Token (JWT) signature validation using only x5c. With this enhancement, AssumeRoleWithIdentity validates JWT signatures by using a JSON Web Key (JWK) with modulus and exponent (n+e). As a result, an OpenID Connect (OIDC) IdP issuing JWK with n+e can now integrate with Ceph Object Gateway.
 Story Points: ---
Clone Of:
: 2359403 (view as bug list) Environment:
Last Closed: 2025-06-26 12:26:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2359403, 2351689    

Description Pritha Srivastava 2025-02-20 06:58:40 UTC 
Description of problem:
N+E Signature Checking not supported while verifying JWT during AssumeRoleWithWebIdentity

Version-Release number of selected component (if applicable):


How reproducible:Always


Steps to Reproduce:
1.Pass a JWT in AssumeRoleWithWebIdentity with no x5c keys and with N+E keys
2.
3.

Actual results:Fails with Access Denied


Expected results:Must pass


Additional info:
Comment 7 errata-xmlrpc 2025-06-26 12:26:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.1 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:9775
Comment 8 Red Hat Bugzilla 2025-10-25 04:25:33 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days