OpenShift Bugs
OCPBUGS-32166

Microsoft v2.0 IDP fails to auth with HTTP response for HTTPS client


    • Hypershift Sprint 253, Hypershift Sprint 254, Hypershift Sprint 257, Hypershift Sprint 258, Hypershift Sprint 259, Hypershift Sprint 260, Hypershift Sprint 261, Hypershift Sprint 262

      Description of problem:

      When a customer attempts to configure an AAD/Entra ID IdP using the 2.0 endpoint (https://login.microsoftonline.com/tenant_id/v2.0), the 2.0 endpoint fails to work. The customer receives an authentication error upon successful redirect from AAD/Entra ID to the OAuth server.
      
      We see logs in the konnectivity pod on the apiserver with messages such as `server gave HTTP response to HTTPS client`.
      
      Falling back to the 1.0 endpoint works, but breaks the group claim functionality that the customer is intending to use.
      
      This specific customer had a cluster-wide proxy set up; however, it's been reported that the presence of a proxy is not necessary to reproduce this issue.
          

      Version-Release number of selected component (if applicable):

      
          

      How reproducible:

      100%
          

      Steps to Reproduce:

          1. Configure a proxy on a Hosted Control Plane.
          2. Set up an AAD/Entra ID IdP pointing to the v2.0 endpoint.
          3. Attempt to log in with that IdP. It should fail.
          4. Configure that IdP to use the v1.0 endpoint.
          5. Attempt to log in with that IdP again. It will work.
          

      Actual results:

      
      Seeing logs within the APIServer pod of `server gave HTTP response to HTTPS client`.
      
      Additionally, we're seeing logs such as:
      
      {
        "level": "info",
        "ts": "2024-04-04T19:35:50Z",
        "logger": "konnectivity-socks5-proxy",
        "msg": "failed to resolve address from Kubernetes service",
        "name": "graph.microsoft.com",
        "err": "services \"graph\" not found"
      }
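      As an added example (not part of this bug report and not HyperShift code), the following Go program reproduces the condition that the `server gave HTTP response to HTTPS client` log line reports: Go's net/http client begins a TLS handshake and the peer, here a constructed stand-in for a plaintext-only hop on 127.0.0.1, answers the ClientHello with an HTTP status line instead of a ServerHello. The function names, the loopback listener and the OIDC discovery path are assumptions for the demonstration; no real endpoint is contacted.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ServePlaintextOnly is a constructed stand-in for a hop that speaks only plain HTTP: it
// drains each TLS ClientHello record it receives and answers it with an HTTP 400 status line.
func ServePlaintextOnly(ln net.Listener) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		go func(c net.Conn) {
			defer c.Close()
			br := bufio.NewReader(c)
			if hdr, err := br.Peek(5); err == nil { // TLS record header: type, version, length
				br.Discard(5 + (int(hdr[3])<<8 | int(hdr[4])))
				c.Write([]byte("HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"))
			}
		}(c)
	}
}

// ProbeHTTPS sends one https:// request to addr (host:port) and reports whether the peer
// answered the TLS handshake with plain HTTP (the bug's log line); cert errors do not count.
func ProbeHTTPS(addr string) (plaintext bool, msg string) {
	resp, err := http.Get("https://" + addr + "/.well-known/openid-configuration")
	if err != nil {
		return strings.Contains(err.Error(), "HTTP response to HTTPS client"), err.Error()
	}
	resp.Body.Close()
	return false, "TLS handshake completed"
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go ServePlaintextOnly(ln)
	fmt.Println(ProbeHTTPS(ln.Addr().String()))
}
```

A listener that does speak TLS but presents an untrusted certificate fails the same probe with an x509 error, which ProbeHTTPS deliberately does not classify as the plaintext case.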
      
          

      Expected results:

      Customers can use the v2.0 endpoint with a proxy.
          

      Additional info:

      
          

              Seth Jennings (sjenning)
              Kirk Bater (iamkirkbater)
              Deepak Punia (Inactive)