Bug 2242261 - STS/OIDC. RGW Validation of a token signature may use a wrong OIDC certificate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 8.1
Assignee: Pritha Srivastava
QA Contact: Hemanth Sai
Docs Contact: Rivka Pollack
URL:
Whiteboard:
Depends On:
Blocks: 2351689
 
Reported: 2023-10-05 07:57 UTC by daniel parkes
Modified: 2025-06-26 12:10 UTC (History)

Fixed In Version: ceph-19.2.1-114.el9cp
Doc Type: Bug Fix
Doc Text:
.Ceph Object Gateway no longer fails during signature validation
Previously, if the JSON Web Token (JWT) was not signed using the first x5c certificate for signature validation, the signature validation failed. With this fix, the correct certificate is chosen for signature validation, even if it is not the first certificate. As a result, the signature validation completes as expected.
Clone Of:
Environment:
Last Closed: 2025-06-26 12:10:14 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-7614 0 None None None 2023-10-05 07:58:02 UTC
Red Hat Product Errata RHSA-2025:9775 0 None None None 2025-06-26 12:10:24 UTC

Description daniel parkes 2023-10-05 07:57:25 UTC
Description of problem:

Working with a customer we have fallen into this known issue:

https://tracker.ceph.com/issues/54562

We have been able to work around it using the RHSSO UI:

realm settings -> keys, edit the rsa-generated provider to have priority 105 rather than 100.

Not an urgent issue, but it would be great if it could get fixed at some point.

Thanks.

Comment 1 RHEL Program Management 2023-10-05 07:57:35 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 15 errata-xmlrpc 2025-06-26 12:10:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.1 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:9775

