Bug 1877803 - Authentication Operator does password grant flow even though discovery endpoint only supports authorization code flow
Summary: Authentication Operator does password grant flow even though discovery endpoi...
Keywords:
Status: VERIFIED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.5
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.6.0
Assignee: Standa Laznicka
QA Contact: pmali
URL:
Whiteboard:
Depends On:
Blocks: 1879417
 
Reported: 2020-09-10 13:23 UTC by Simon Reber
Modified: 2020-09-18 16:49 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1879417 (view as bug list)
Environment:
Last Closed:
Target Upstream Version:




Links
System ID: Github openshift cluster-authentication-operator pull 341
Priority: None
Status: closed
Summary: Bug 1877803: don't error out on non-json output of password grant attempt
Last Updated: 2020-09-21 08:05:18 UTC

Description Simon Reber 2020-09-10 13:23:43 UTC
Description of problem:

Based on https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-oidc-identity-provider.html when using OpenID Connect identity provider we are only using Authorization Code Flow.

Based on the work in https://bugzilla.redhat.com/show_bug.cgi?id=1727983 we are now doing also password grant flow, without consulting the discovery endpoint first.

This is causing OpenID Connect to return an HTML error page, as the password grant flow is not expected and thus the request is not recognized, hence the HTML error being sent back.

Due to the unexpected HTML error, the authentication Operator is failing with:

"IdentityProviderConfigDegraded: failed to apply IDP FOO config: error attempting password grant flow: failed to decode response from the OIDC server: invalid character '<' looking for beginning of value"

The error handling of HTML being sent back will be addressed in https://bugzilla.redhat.com/show_bug.cgi?id=1861789.

The problem though is that we are doing password grant flow without consulting the discovery endpoint first, where it would state that password grant flow is not supported.

Since everything was working for the customer prior to OpenShift Container Platform 4.5, this is considered a regression and blocking him from moving to OpenShift Container Platform 4.4. 

To address this problem we should either validate the discovery endpoint first and only do password grant flow if that is supported, or else ignore the error reported, as the customer is likely not supporting password grant flow and thus has no issue if the `oc` client does not have support for it.

Version-Release number of selected component (if applicable):

 - OpenShift Container Platform 4.5.7


How reproducible:

 - Always with 3rd party OpenID Solution


Steps to Reproduce:
1. Configure OpenID Connect provider as documented in https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-oidc-identity-provider.html
2. Make sure password grant flow is not supported
3. Update to OpenShift 4.5

Actual results:

"IdentityProviderConfigDegraded: failed to apply IDP FOO config: error attempting password grant flow: failed to decode response from the OIDC server: invalid character '<' looking for beginning of value" and the authentication Operator won't work.

Expected results:

No error being reported, as the Operator should check the supported flows and only do the flows that are detected at the discovery endpoint.

Additional info:
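Added example (not code from cluster-authentication-operator or from the linked PR) showing in Go the two defensive layers this report asks for: consult the OpenID Connect discovery document's `grant_types_supported` before attempting a password grant, and, if an attempt is made anyway, treat a non-JSON token-endpoint reply (such as an HTML error page) as "password grant unsupported" instead of degrading the operator. The discovery document, the issuer URL and the HTML body are constructed samples, and the function and type names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Discovery holds the subset of the OpenID Connect discovery document
// (/.well-known/openid-configuration) needed for this check.
type Discovery struct {
	Issuer              string   `json:"issuer"`
	TokenEndpoint       string   `json:"token_endpoint"`
	GrantTypesSupported []string `json:"grant_types_supported"`
}

// SupportsPasswordGrant reports whether the provider advertises the
// resource owner password credentials grant. OpenID Connect Discovery 1.0
// says an absent grant_types_supported means ["authorization_code", "implicit"],
// so "password" counts as supported only when it is listed explicitly.
func SupportsPasswordGrant(doc []byte) (bool, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return false, fmt.Errorf("failed to decode discovery document: %w", err)
	}
	for _, gt := range d.GrantTypesSupported {
		if gt == "password" {
			return true, nil
		}
	}
	return false, nil
}

// Outcome classifies what a password grant attempt told us.
type Outcome int

const (
	GrantWorked      Outcome = iota // JSON token response with an access_token
	GrantRejected                   // JSON OAuth error such as unsupported_grant_type
	GrantUnsupported                // reply is not JSON at all (e.g. an HTML error page)
)

// ClassifyTokenResponse decides how a token endpoint reply should be treated.
// A body that is not JSON yields GrantUnsupported rather than an error, so an
// HTML page like the one in the bug does not degrade the operator.
func ClassifyTokenResponse(body []byte) (Outcome, string) {
	var resp struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		// This is where "invalid character '<' looking for beginning of value" shows up.
		return GrantUnsupported, "non-JSON response, assuming password grant is unsupported"
	}
	if resp.Error != "" {
		return GrantRejected, resp.Error
	}
	if resp.AccessToken != "" {
		return GrantWorked, ""
	}
	return GrantRejected, "no access_token or error in response"
}

// Constructed sample discovery document (hypothetical provider): only the
// authorization code flow and refresh tokens are advertised.
const sampleDiscovery = `{
  "issuer": "https://idp.example.com",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "grant_types_supported": ["authorization_code", "refresh_token"]
}`

// Constructed stand-in for the HTML error page the provider returns when it
// receives an unexpected password grant request.
const sampleHTMLError = `<html><body><h1>400 Bad Request</h1></body></html>`

func main() {
	// Layer 1: gate the attempt on what the discovery endpoint advertises.
	ok, err := SupportsPasswordGrant([]byte(sampleDiscovery))
	fmt.Printf("discovery advertises password grant: %v (err=%v)\n", ok, err)

	// Layer 2: even if an attempt is made, an HTML reply must not be fatal.
	out, detail := ClassifyTokenResponse([]byte(sampleHTMLError))
	fmt.Printf("HTML token response classified as outcome %d: %s\n", out, detail)
}
```

With the sample document the first check already says "no", so the operator would skip the password grant and never see the HTML page; the second function covers providers whose discovery document is missing or inaccurate, which is the situation the linked PR's "don't error out on non-json output" change handles.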

Comment 2 Standa Laznicka 2020-09-11 10:37:35 UTC
Not a 4.6 blocker, moving target version to 4.7. The fix should be then backported all the way to 4.5

Comment 3 Standa Laznicka 2020-09-16 09:25:57 UTC
Moving to the correct release so that the depending bugzilla PRs don't pout.

