Bug 1259029 - Web GUI authentication is being invoked many times on Safari
Status: CLOSED DUPLICATE of bug 1493276
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
low
Assignee: Jordan Liggitt
QA Contact: Xiaoli Tian
Reported: 2015-09-01 19:38 UTC by Ryan Howe
Modified: 2021-06-10 10:58 UTC (History)

Doc Type: Bug Fix
Last Closed: 2017-09-19 19:30:31 UTC

Description Ryan Howe 2015-09-01 19:38:12 UTC
Description of problem:
Web GUI authentication is being invoked many times on Safari with the following:

"OS X wants to make changes. Type an administrator's name and password to allow this.
OS X wants to use the "System" keychain"

Even when entering in an administrator username and password it keeps prompting for every single aspect of the site that needs loading.


Version-Release number of selected component (if applicable):
OpenShift v3 

How reproducible:
Only with Customer. 

Steps to Reproduce:
1. Install V3
2. Use unsigned CA certs
3. Browse to OpenShift V3 web console

Actual results:
Prompted over and over with: 
"OS X wants to make changes. Type an administrator's name and password to allow this.
OS X wants to use the "System" keychain"

Expected results:
Only be prompted once

Additional info:

Comment 2 Jordan Liggitt 2015-09-02 16:39:18 UTC
Once you add the CA to the system trusted roots (see https://support.apple.com/kb/PH18677?locale=en_US), Safari should stop prompting.

Unfortunately, I don't think the default dialog Safari shows walks you through this.

Comment 3 Jordan Liggitt 2015-09-02 16:43:24 UTC
Can you confirm that adding the CA to the system CAs corrects the issue?

Comment 4 Ryan Howe 2015-10-02 20:48:26 UTC
Requesting this bug to be opened again.

As adding to Keychain in System it still has the same issue entering credentials over and over again.

This may be a docs thing where we need to document how to resolve this issue with Safari. Documentation on how to use your own cert for the web console.

Currently Safari always prompts saying that the "website requires a client certificate"

Comment 5 Jordan Liggitt 2015-10-02 20:55:19 UTC
There are two issues at play, both of which are Safari bugs:

1. Safari does not prompt you to accept the server's signing cert in a permanent way, so websocket requests can fail silently, and later visits to the site sometimes prompt to re-accept an insecure connection. Adding the server's CA to the keychain should resolve that issue.

2. Safari incorrectly prompts to select a client certificate, even when it has no applicable client certificates for the server. The only workaround I'm aware of for this is to remove all client certificates from Safari (including the automatically added one for iCloud/Apple ID).

Comment 6 Ryan Howe 2015-10-06 18:48:14 UTC
Version of OS and Browser: 

OS X 10.10.5
Safari 8.0.8

Comment 8 Ryan Howe 2017-09-19 19:30:31 UTC

*** This bug has been marked as a duplicate of bug 1493276 ***

