Bug 1877803 - Authentication Operator does password grant flow even though discovery endpoint only supports authorization code flow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.5
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.6.0
Assignee: Standa Laznicka
QA Contact: pmali
URL:
Whiteboard:
Depends On:
Blocks: 1879417
Reported: 2020-09-10 13:23 UTC by Simon Reber
Modified: 2023-12-15 19:16 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Some OIDC servers ignore "Accept: application/json" when requesting a flow that they don't support.
Consequence: Such OIDC servers may respond with an HTML page that the authentication operator fails to parse, as it expects JSON. The authentication operator failed to honor the IdP config in that case.
Fix: Have the authentication operator ignore the error and not allow CLI logins for such OIDC servers.
Result: The IdP config for all properly working OIDC servers should now be functioning.
Clone Of:
Clones: 1879417
Environment:
Last Closed: 2020-10-27 16:39:36 UTC
Target Upstream Version:
Embargoed:




Links
Github openshift cluster-authentication-operator pull 341 | Status: closed | Summary: Bug 1877803: don't error out on non-json output of password grant attempt | Last Updated: 2020-12-09 01:38:33 UTC
Red Hat Product Errata RHBA-2020:4196 | Last Updated: 2020-10-27 16:39:52 UTC

Description Simon Reber 2020-09-10 13:23:43 UTC
Description of problem:

Based on https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-oidc-identity-provider.html when using OpenID Connect identity provider we are only using Authorization Code Flow.

Based on the work in https://bugzilla.redhat.com/show_bug.cgi?id=1727983 we are now doing also password grant flow, without consulting the discovery endpoint first.

This is causing OpenID Connect to return an HTML error page as the password grant flow is not expected and thus the request is not recognized - hence triggering the HTML error being sent back.

Due to the unexpected HTML error, the authentication Operator is failing with:

"IdentityProviderConfigDegraded: failed to apply IDP FOO config: error attempting password grant flow: failed to decode response from the OIDC server: invalid character '<' looking for beginning of value"

The error handling of HTML being sent back will be addressed in https://bugzilla.redhat.com/show_bug.cgi?id=1861789.

The problem though is that we are doing password grant flow without consulting the discovery endpoint first, where it would state that password grant flow is not supported.

Since everything was working for the customer prior to OpenShift Container Platform 4.5, this is considered a regression and blocking him from moving to OpenShift Container Platform 4.4. 

To address this problem we should either validate the discovery endpoint first and only do password grant flow if that is supported, or else ignore the error reported, as the customer is likely not supporting password grant flow and thus has no issue if the `oc` client does not have support for it.

Version-Release number of selected component (if applicable):

 - OpenShift Container Platform 4.5.7


How reproducible:

 - Always with 3rd party OpenID Solution


Steps to Reproduce:
1. Configure OpenID Connect provider as documented in https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-oidc-identity-provider.html
2. Make sure password grant flow is not supported
3. Update to OpenShift 4.5

Actual results:

"IdentityProviderConfigDegraded: failed to apply IDP FOO config: error attempting password grant flow: failed to decode response from the OIDC server: invalid character '<' looking for beginning of value" and the authentication Operator won't work.

Expected results:

No error being reported, as the Operator should check the supported flows and only do the flows that are detected at the discovery endpoint.

Additional info:
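The two behaviours the report asks for, checking the discovery document before attempting the password grant, and treating a non-JSON token-endpoint reply as "grant unsupported, disable CLI password logins" instead of degrading the whole IdP config, can be expressed in a few functions. The following is an added example written for this page; it is not code from cluster-authentication-operator or from PR 341. The function names, the `PasswordGrantVerdict` type and the sample discovery documents and responses are all constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// discoveryDoc holds the subset of the OIDC discovery document
// (/.well-known/openid-configuration) needed for this check.
type discoveryDoc struct {
	Issuer              string   `json:"issuer"`
	TokenEndpoint       string   `json:"token_endpoint"`
	GrantTypesSupported []string `json:"grant_types_supported"`
}

// PasswordGrantAdvertised reports whether the discovery document lists the
// resource-owner password grant. OpenID Connect Discovery 1.0 says that when
// grant_types_supported is absent the client must assume only
// "authorization_code" and "implicit", so absence means "not supported".
func PasswordGrantAdvertised(raw []byte) (bool, error) {
	var doc discoveryDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return false, fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	if doc.TokenEndpoint == "" {
		return false, errors.New("discovery document has no token_endpoint")
	}
	for _, gt := range doc.GrantTypesSupported {
		if gt == "password" {
			return true, nil
		}
	}
	return false, nil
}

// PasswordGrantVerdict is what the operator concludes from the token
// endpoint's answer to a password-grant probe.
type PasswordGrantVerdict int

const (
	// GrantUsable: the server understood the request and answered with a JSON
	// token or a JSON OAuth2 error other than unsupported_grant_type.
	GrantUsable PasswordGrantVerdict = iota
	// GrantUnsupported: the server does not offer the grant (non-JSON body such
	// as an HTML error page, or error=unsupported_grant_type). CLI password
	// logins must be disabled, but the IdP config is still valid.
	GrantUnsupported
)

// ClassifyTokenResponse decodes a token-endpoint reply. A body that is not
// JSON is not a hard failure (the behaviour change in the bug's Doc Text);
// it simply means the password grant cannot be used with this server.
func ClassifyTokenResponse(contentType string, body []byte) PasswordGrantVerdict {
	if !strings.HasPrefix(strings.ToLower(contentType), "application/json") {
		return GrantUnsupported
	}
	var resp struct {
		Error string `json:"error"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		// Content-Type claimed JSON but the body is not (e.g. "<html>...").
		return GrantUnsupported
	}
	if resp.Error == "unsupported_grant_type" { // RFC 6749 section 5.2
		return GrantUnsupported
	}
	return GrantUsable
}

// AllowCLIPasswordLogin combines both checks: the grant must be advertised by
// discovery and the probe reply must be something the operator can decode.
func AllowCLIPasswordLogin(discovery []byte, contentType string, body []byte) (bool, error) {
	advertised, err := PasswordGrantAdvertised(discovery)
	if err != nil {
		return false, err
	}
	if !advertised {
		return false, nil
	}
	return ClassifyTokenResponse(contentType, body) == GrantUsable, nil
}

// Constructed sample inputs (not captured from any real IdP).
const (
	SampleDiscoveryCodeOnly = `{"issuer":"https://idp.example","token_endpoint":"https://idp.example/token","grant_types_supported":["authorization_code"]}`
	SampleDiscoveryWithPwd  = `{"issuer":"https://idp.example","token_endpoint":"https://idp.example/token","grant_types_supported":["authorization_code","password"]}`
	SampleHTMLError         = `<html><body><h1>Bad Request</h1></body></html>`
	SampleTokenJSON         = `{"access_token":"constructed","token_type":"bearer"}`
)

func main() {
	ok, err := AllowCLIPasswordLogin([]byte(SampleDiscoveryCodeOnly), "text/html; charset=utf-8", []byte(SampleHTMLError))
	fmt.Println("code-only IdP, HTML reply -> CLI password login:", ok, "err:", err)
	ok, err = AllowCLIPasswordLogin([]byte(SampleDiscoveryWithPwd), "application/json", []byte(SampleTokenJSON))
	fmt.Println("password IdP, JSON reply  -> CLI password login:", ok, "err:", err)
}
```

In the first case the operator would report nothing degraded and simply not offer `oc login` with a password for that IdP; in the second the grant is usable. An `invalid_grant` JSON error (wrong test credentials) still yields `GrantUsable`, since it proves the server understands the grant.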

Comment 2 Standa Laznicka 2020-09-11 10:37:35 UTC
Not a 4.6 blocker, moving target version to 4.7. The fix should then be backported all the way to 4.5.

Comment 3 Standa Laznicka 2020-09-16 09:25:57 UTC
Moving to the correct release so that the depending bugzilla PRs don't pout.

Comment 8 errata-xmlrpc 2020-10-27 16:39:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

