Bug 2242261 - STS/OIDC. RGW Validation of a token signature may use a wrong OIDC certificate
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 8.1
Assignee: Pritha Srivastava
QA Contact: Hemanth Sai
Docs Contact: Rivka Pollack
URL:
Whiteboard:
Depends On:
Blocks: 2351689
Reported: 2023-10-05 07:57 UTC by daniel parkes
Modified: 2025-05-29 07:22 UTC

Fixed In Version: ceph-19.2.1-114.el9cp
Doc Type: Bug Fix
Doc Text:
.Ceph Object Gateway no longer fails during signature validation
Previously, if the JSON Web Token (JWT) was not signed using the first x5c certificate, the signature validation failed. With this fix, the correct certificate is chosen for signature validation, even if it is not the first certificate. As a result, the signature validation completes as expected.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-7614 0 None None None 2023-10-05 07:58:02 UTC

Description daniel parkes 2023-10-05 07:57:25 UTC
Description of problem:

Working with a customer we have fallen into this known issue:

https://tracker.ceph.com/issues/54562

We have been able to work around it using the RHSSO UI:

realm settings -> keys, edit the rsa-generated provider to have priority 105 rather than 100.

Not an urgent issue, but it would be great if it could get fixed at some point.

Thanks.
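
The certificate-selection problem from the Doc Text, as an added example (not Ceph RGW code and not the actual fix): `first_x5c` always takes the first key's certificate, while `select_x5c` picks the key that matches the token header. Matching on `kid`, `use` and `alg` is an assumed selection policy; the function names, the JWKS, the `kid` values and the placeholder certificate strings are constructed, and the chosen certificate must still be used to verify the signature, which is not shown.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def first_x5c(jwks: dict) -> str:
    # Behaviour described in the bug: first certificate, regardless of the token.
    return jwks["keys"][0]["x5c"][0]

def select_x5c(token: str, jwks: dict) -> str:
    """Return the leaf certificate (x5c[0]) of the one JWKS key matching the token header."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    alg, kid = header.get("alg"), header.get("kid")
    if not alg or alg.lower() == "none":
        raise ValueError("unsigned or malformed token header")
    candidates = [
        k for k in jwks.get("keys", [])
        if k.get("x5c")
        and k.get("use", "sig") == "sig"          # skip encryption-only keys
        and k.get("alg", alg) == alg              # key must allow the token's algorithm
        and (kid is None or k.get("kid") == kid)  # honour kid when the token carries one
    ]
    if len(candidates) != 1:
        # Zero or several matches: refuse instead of guessing a certificate.
        raise LookupError(f"{len(candidates)} keys match kid={kid!r} alg={alg!r}")
    return candidates[0]["x5c"][0]

# Constructed sample data: placeholder strings stand in for base64 DER certificates.
SAMPLE_JWKS = {"keys": [
    {"kid": "enc-key", "kty": "RSA", "use": "enc", "alg": "RSA-OAEP",
     "x5c": ["CERT-ENC-PLACEHOLDER"]},
    {"kid": "sig-key", "kty": "RSA", "use": "sig", "alg": "RS256",
     "x5c": ["CERT-SIG-PLACEHOLDER"]},
]}

def make_token(header: dict) -> str:
    # Token skeleton with a dummy signature; only the header matters for key selection.
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(b"{}"), "c2ln"])

SAMPLE_TOKEN = make_token({"alg": "RS256", "typ": "JWT", "kid": "sig-key"})
```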

Comment 1 RHEL Program Management 2023-10-05 07:57:35 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.