Description of problem:
Based on https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-oidc-identity-provider.html when using the OpenID Connect identity provider we are only using the Authorization Code Flow. Based on the work in https://bugzilla.redhat.com/show_bug.cgi?id=1727983 we are now also doing the password grant flow, without consulting the discovery endpoint first. This is causing OpenID Connect to return an HTML error page as the password grant flow is not expected and thus the request is not recognized, hence triggering the HTML error being sent back.

Due to the unexpected HTML error, the authentication Operator is failing with:

"IdentityProviderConfigDegraded: failed to apply IDP FOO config: error attempting password grant flow: failed to decode response from the OIDC server: invalid character '<' looking for beginning of value"

The error handling of HTML being sent back will be addressed in https://bugzilla.redhat.com/show_bug.cgi?id=1861789. The problem though is that we are doing the password grant flow without consulting the discovery endpoint first, where it would state that the password grant flow is not supported.

Since everything was working for the customer prior to OpenShift Container Platform 4.5, this is considered a regression and is blocking him from moving to OpenShift Container Platform 4.4.

To address this problem we should either validate the discovery endpoint first and only do the password grant flow if that is supported, or else ignore the error reported, as the customer is likely not supporting the password grant flow and thus has no issue if the `oc` client does not have support for it.

Version-Release number of selected component (if applicable):
- OpenShift Container Platform 4.5.7

How reproducible:
- Always with 3rd party OpenID Solution

Steps to Reproduce:
1. Configure OpenID Connect provider as documented in https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-oidc-identity-provider.html
2. Make sure password grant flow is not supported
3. Update to OpenShift 4.5

Actual results:
"IdentityProviderConfigDegraded: failed to apply IDP FOO config: error attempting password grant flow: failed to decode response from the OIDC server: invalid character '<' looking for beginning of value" and the authentication Operator won't work.

Expected results:
No error being reported, as the Operator should check the supported flows and only do the flows that are detected at the discovery endpoint.

Additional info:
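As an added illustration of the fix suggested in the description (example code, not the authentication operator's own code and not part of this bug report), the check below reads the OIDC discovery document's standard `grant_types_supported` field before deciding whether a password grant should be attempted at all, and reports an HTML body as such instead of surfacing the raw JSON decode error quoted above. The sample discovery documents are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// discovery is the subset of OIDC provider metadata needed for the check.
// grant_types_supported is optional; when absent the spec default is
// ["authorization_code", "implicit"], so password grant must not be assumed.
type discovery struct {
	GrantTypesSupported []string `json:"grant_types_supported"`
}

// supportsPasswordGrant parses a discovery document body and reports whether
// the provider advertises the resource-owner password grant. A non-JSON body
// (e.g. an HTML error page) yields a descriptive error instead of the raw
// "invalid character '<' looking for beginning of value" decode failure.
func supportsPasswordGrant(body []byte) (bool, error) {
	if strings.HasPrefix(strings.TrimSpace(string(body)), "<") {
		return false, fmt.Errorf("discovery endpoint returned HTML/XML, not JSON")
	}
	var d discovery
	if err := json.Unmarshal(body, &d); err != nil {
		return false, fmt.Errorf("failed to decode discovery document: %w", err)
	}
	for _, g := range d.GrantTypesSupported { // nil slice: no password grant
		if g == "password" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample documents, not captured from any real provider.
	samples := []string{
		`{"grant_types_supported":["authorization_code","refresh_token"]}`,
		`{"grant_types_supported":["authorization_code","password"]}`,
		`{"issuer":"https://idp.example"}`,
		`<html><body>Not Found</body></html>`,
	}
	for _, doc := range samples {
		ok, err := supportsPasswordGrant([]byte(doc))
		fmt.Printf("password grant supported=%v err=%v\n", ok, err)
	}
}
```

Only when the function returns true would an operator go on to attempt the password grant; a false result without error means the provider simply does not offer it and no degraded condition should be raised.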
Not a 4.6 blocker, moving target version to 4.7. The fix should be then backported all the way to 4.5
Moving to the correct release so that the depending bugzilla PRs don't pout.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196