Bug 1826484 - Possibility of user login failure if the list of Identity Providers cannot converge on a response within 60s.
Summary: Possibility of user login failure if the list of Identity Providers cannot co...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.5.0
Assignee: Venkata Siva Teja Areti
QA Contact: scheng
Depends On:
TreeView+ depends on / blocked
Reported: 2020-04-21 19:04 UTC by Venkata Siva Teja Areti
Modified: 2020-05-27 00:02 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-05-27 00:02:17 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Venkata Siva Teja Areti 2020-04-21 19:04:56 UTC
Description of problem:

This is extended version for https://bugzilla.redhat.com/show_bug.cgi?id=1814898. 

If there are multiple IDPs configured with OAuth server, to authenticate the user, IDPs are checked in the order in which they are configured. For some reason, if the time to get a response from some of these IDP together is more than 60s, user login would fail even though user can be authenticated using an IDP that comes after these faulty IDPs.

Creating a BZ to track this even though we may not be able to fix it completely.

Version-Release number of selected component (if applicable):

How reproducible:
Happened in the above referenced BZ. I think this can be reproduced reliably if there are multiple faulty IDPs.

Steps to Reproduce:
1. create IDPs that will not send a response within 60s
2. create htpasswd IDP
3. Try to login as the user.

Actual results:
User fails to login with some server error

Expected results:
User login succeeds

Additional info:

Comment 1 Venkata Siva Teja Areti 2020-05-20 12:38:19 UTC
Adding UpcomingSprint as this needs some arch discussions.

Comment 2 Michal Fojtik 2020-05-27 00:02:17 UTC
This bug hasn't had any activity 7 days after it was marked as LifecycleStale, so we are closing this bug as WONTFIX. If you consider this bug still valuable, please reopen it or create new bug.

Note You need to log in before you can comment on or make changes to this bug.