Bug 1656150 - [RFE] Multiple auth providers in one attempt for web console
Summary: [RFE] Multiple auth providers in one attempt for web console
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Erica von Buelow
QA Contact: Xiaoli Tian
Depends On:
Reported: 2018-12-04 20:26 UTC by Steven Walter
Modified: 2019-01-04 18:04 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-01-04 18:04:03 UTC
Target Upstream Version:


Description Steven Walter 2018-12-04 20:26:00 UTC
1. Proposed title of this feature request
Query against multiple auth providers in one attempt from the web console

3. What is the nature and description of the request?
Customer notes that the CLI (oc login) doesn't query for which auth provider you want to log in with, but the web console does. The customer wants to be able to have their login attempts hit each configured auth provider one at a time, until one succeeds, from the web console (rather than a selection of auth provider).

4. Why does the customer need this? (List the business requirements here)
Customer has set up auth providers for their LDAP, using both email and uid, so the user can log in with email OR uid. They want to allow the login screen to accept both without the user needing to select one. This is for user experience.

5. How would the customer like to achieve this? (List the functional requirements here)
Allow the authentication proxy to simply query each configured auth provider in turn until one succeeds (or it runs out of auth providers).

6. For each functional requirement listed in question 5, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Only type in uid and password to log in, not choose a provider

7. Is there already an existing RFE upstream or in Red Hat bugzilla?

Comment 3 Mo 2019-01-04 18:04:03 UTC
This change would require a significant restructuring of how redirects and browser login is handled in the OAuth server today.  The feature is also of limited value as the use-case is very specific.

As a work around, the customer could use a proxy with the request header IDP or the remote basic auth provider that checks against both names.  They could also see if something like Keycloak can handle such a configuration as an OpenID provider.  They may also be able to use a single LDAP provider with a complex filter on the URL (though I am not sure on this one).
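
Of the workarounds in comment 3, the remote basic authentication provider is the one most directly in the operator's hands. The following is an added example written for this page, not code from the bug, the customer, or OpenShift: a Python 3 endpoint of the kind a BasicAuthPasswordIdentityProvider can be pointed at. It takes the user name and password OpenShift forwards in an HTTP Basic Authorization header, looks the login name up as either uid or mail, checks the password against the single matching entry, and answers with the JSON document the basic-auth identity provider expects (sub is required; name, email and preferred_username are optional) or with 401. The directory is an in-memory stand-in constructed for the example; lookup() and bind() are the two places a real deployment would do an LDAP search and a simple bind on the matched DN. The identityProviders entry in master-config.yaml that references this endpoint, and the TLS terminator OpenShift requires in front of it, are assumed and not shown.

```python
"""Remote basic-auth identity endpoint that accepts uid OR mail as the login.

Added example, not part of the bug report or of OpenShift. The directory
below is a constructed stand-in for LDAP; replace lookup()/bind() with an
LDAP search and a simple bind in a real deployment.
"""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample directory: DN -> attributes. Passwords are stored in the
# clear only because this is a stand-in for an LDAP bind, never do this for real.
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "uid": "jdoe", "mail": "john.doe@example.com", "cn": "John Doe",
        "password": "correct horse battery staple",
    },
    "uid=asmith,ou=people,dc=example,dc=com": {
        "uid": "asmith", "mail": "asmith@example.com", "cn": "Alice Smith",
        "password": "hunter2",
    },
}

# The attributes the customer wants to accept on the login screen.
LOGIN_ATTRIBUTES = ("uid", "mail")


def lookup(login):
    """Return every DN whose uid or mail equals the supplied login name.

    Stand-in for an LDAP search with filter (|(uid=<login>)(mail=<login>)).
    """
    return [dn for dn, entry in DIRECTORY.items()
            if any(entry[attr] == login for attr in LOGIN_ATTRIBUTES)]


def bind(dn, password):
    """Stand-in for an LDAP simple bind on dn: True only if the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["password"], password)


def authenticate(login, password):
    """Resolve login as uid or mail, verify the password, return identity or None.

    Exactly one directory entry must match; zero or several matches are
    rejected so an ambiguous login can never bind to the wrong account.
    'sub' is always the uid, so a person who logs in by mail one day and by
    uid the next still maps to a single OpenShift identity.
    """
    candidates = lookup(login)
    if len(candidates) != 1 or not bind(candidates[0], password):
        return None
    entry = DIRECTORY[candidates[0]]
    return {"sub": entry["uid"], "name": entry["cn"], "email": entry["mail"],
            "preferred_username": entry["uid"]}


def parse_basic_auth(header):
    """Decode 'Authorization: Basic <b64>' into (user, password), else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


class RemoteIdentityHandler(BaseHTTPRequestHandler):
    """Answers 200 + identity JSON on success, a uniform 401 on any failure."""

    def do_GET(self):
        creds = parse_basic_auth(self.headers.get("Authorization"))
        identity = authenticate(*creds) if creds else None
        if identity is None:
            # Same response for unknown login and wrong password: no enumeration.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="openshift"')
            self.end_headers()
            return
        body = json.dumps(identity).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET


if __name__ == "__main__":
    # Bind to loopback; a TLS terminator in front of it is assumed.
    HTTPServer(("127.0.0.1", 8080), RemoteIdentityHandler).serve_forever()
```

Two points in the design are the ones that matter when doing this against a real directory. First, the search must require exactly one hit before binding: with two login attributes in play, an entry whose uid happens to equal another entry's mail would otherwise let a password for one account be tried against the other. Second, the sub value returned to OpenShift has to be the same whichever attribute matched; if the endpoint echoed the login name back as sub, the same person would get two identities and two users in OpenShift depending on how they typed their login.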
