Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1730609 - [DOCS] Request Header based authentication will not work without mutual TLS in OpenShift 4.x
Summary: [DOCS] Request Header based authentication will not work without mutual TLS i...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.1.z
Assignee: Andrea Hoffer
QA Contact: Chuan Yu
Vikram Goyal
URL:
Whiteboard:
: 1730080 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-17 08:01 UTC by Khizer Naeem
Modified: 2019-08-05 13:14 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-05 13:14:05 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Khizer Naeem 2019-07-17 08:01:42 UTC
Document URL:

    https://docs.openshift.com/container-platform/4.1/authentication/identity_providers/configuring-request-header-identity-provider.html#configuring-request-header-identity-provider

Section Number and Name:

    "About request header authentication"

Describe the issue / Suggestions for improvement:  

    When using "Request Header" authentication provider in Openshift 4.x mutual TLS (mTLS)
    is required between the authentication proxy and Openshift's oauth server.
    This requirement was not enforced in OpenShift 3.x.
    If someone had setup Request Header without mTLS in OpenShift 3.x it will not work when
    they move to OpenShift 4.x. This needs to be clearly stated in the documentation.


Additional information: 

    Although the document does say:

    """If you expect unauthenticated requests to reach the OAuth server, a clientCA parameter
    MUST be set for this identity provider, so that incoming requests are checked for a valid
    client certificate before the request’s headers are checked for a user name. Otherwise,
    any direct request to the OAuth server can impersonate any identity from this provider,
    merely by setting a request header."""

    However its the same in OpenShift 3.x and 4.x. Anyone moving from 3.x to 4.x will have no
    clue from the documentation that anything has changed.
    We need clearly mention that this rule is now enforced and that Request Header based
    authentication will not work without mTLS.

Comment 2 Eric Rich 2019-07-17 14:05:03 UTC
*** Bug 1730080 has been marked as a duplicate of this bug. ***

Comment 4 Andrea Hoffer 2019-07-23 16:38:58 UTC
Submitted PR: https://github.com/openshift/openshift-docs/pull/15997

Comment 6 Chuan Yu 2019-08-01 01:29:31 UTC
The changes lgtm.

Comment 7 Andrea Hoffer 2019-08-01 18:47:43 UTC
PR has been merged. Moving to RELEASE_PENDING.


Note You need to log in before you can comment on or make changes to this bug.