Bug 1879417
| Summary: | Authentication Operator does password grant flow even though discovery endpoint only supports authorization code flow | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Standa Laznicka <slaznick> |
| Component: | apiserver-auth | Assignee: | Standa Laznicka <slaznick> |
| Status: | CLOSED ERRATA | QA Contact: | pmali |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.5 | CC: | aos-bugs, mfojtik, pasik, pmali, slaznick, sreber |
| Target Release: | 4.5.z | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause:
Some OIDC servers ignore the "Accept: application/json" header when a client requests a flow that they don't support.
Consequence:
Such OIDC servers may respond with an HTML page, which the authentication operator fails to parse because it expects JSON. In that case the authentication operator failed to honor the IdP config.
Fix:
Have the authentication operator ignore the error and not allow CLI logins for such OIDC servers.
Result:
The IdP config for all properly-working OIDC servers should now be functioning.
|
Story Points: | --- |
| Clone Of: | 1877803 | Environment: | |
| Last Closed: | 2020-10-19 14:54:26 UTC | Type: | --- |
| Bug Depends On: | 1877803 | ||
|
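The failure mode and fix described in the Doc Text, as an added Go example that is not the authentication operator's own code: it classifies a token endpoint's reply to a password-grant probe and treats a non-JSON reply as "no CLI login" instead of a configuration error. The helper names, the constructed sample replies and the `invalid_grant` heuristic are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
)

// passwordGrantSupported (hypothetical helper) classifies a token endpoint's reply
// to a password-grant probe sent with dummy credentials. An unparsable reply is
// reported as "unsupported", never as an error that would invalidate the IdP config.
func passwordGrantSupported(resp *http.Response) bool {
	defer resp.Body.Close()
	// The server may ignore "Accept: application/json", so check what it actually sent.
	mt, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		return false // e.g. an HTML error or login page
	}
	var reply struct {
		Error string `json:"error"`
	}
	// Cap the amount of untrusted input read from the IdP.
	if json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&reply) != nil {
		return false // labelled as JSON but not parsable
	}
	// Assumed heuristic: per RFC 6749 section 5.2, "invalid_grant" means the
	// grant was processed and only the dummy credentials were rejected.
	return reply.Error == "invalid_grant"
}

// constructedReply builds a sample token-endpoint response in memory (no network).
func constructedReply(status int, contentType, body string) *http.Response {
	rec := httptest.NewRecorder()
	rec.Header().Set("Content-Type", contentType)
	rec.WriteHeader(status)
	rec.WriteString(body)
	return rec.Result()
}

func main() {
	html := constructedReply(400, "text/html", "<html><body>Unsupported request</body></html>")
	unsupported := constructedReply(400, "application/json", `{"error":"unsupported_grant_type"}`)
	rejected := constructedReply(400, "application/json; charset=utf-8", `{"error":"invalid_grant"}`)
	fmt.Println(passwordGrantSupported(html), passwordGrantSupported(unsupported), passwordGrantSupported(rejected))
}
```
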
Comment 5
errata-xmlrpc
2020-10-19 14:54:26 UTC
|