OCPBUGS-32166

Microsoft v2.0 IDP fails to auth with HTTP response for HTTPS client

Details

    • Hypershift Sprint 253

    Description

      Description of problem:

      When a customer configures an AAD/Entra ID IdP using the v2.0 endpoint (https://login.microsoftonline.com/tenant_id/v2.0), authentication fails: the customer receives an authentication error after a successful redirect from AAD/Entra ID back to the OAuth server.

      We see logs in the konnectivity pod on the apiserver with messages such as `server gave HTTP response to HTTPS client`.

      Falling back to the v1.0 endpoint works, but breaks the group claim functionality that the customer intends to use.

      This specific customer had a cluster-wide proxy set up; however, it has been reported that the presence of a proxy is not necessary to reproduce this issue.

      Version-Release number of selected component (if applicable):

      
          

      How reproducible:

      100%
          

      Steps to Reproduce:

          1. Configure a proxy on a Hosted Control Plane.
          2. Set up an AAD/Entra ID IdP pointing to the v2.0 endpoint.
          3. Attempt to log in with that IdP. It should fail.
          4. Configure that IdP to use the v1.0 endpoint.
          5. Attempt to log in with that IdP again. It will work.

      Actual results:

      Logs within the APIServer pod show `server gave HTTP response to HTTPS client`.

      Additionally, we're seeing logs such as:

      {
        "level": "info",
        "ts": "2024-04-04T19:35:50Z",
        "logger": "konnectivity-socks5-proxy",
        "msg": "failed to resolve address from Kubernetes service",
        "name": "graph.microsoft.com",
        "err": "services \"graph\" not found"
      }
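The first message above is what Go's net/http client reports when the bytes that come back on a connection it expected to be TLS start with `HTTP/`, i.e. whatever hop answered the OAuth server's outbound connection replied in plaintext HTTP instead of a ServerHello. The following added example (not code from this bug, OpenShift or konnectivity) reproduces that condition over an in-memory `net.Pipe` and shows how to tell it apart from a genuine TLS failure; the server name and the peer replies are constructed.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
	"strings"
)

// classifyHandshake says whether a failed TLS client handshake failed because
// the peer answered in plaintext HTTP. crypto/tls reports that as a
// RecordHeaderError whose first five bytes are "HTTP/"; net/http turns it into
// "server gave HTTP response to HTTPS client", the message seen in this bug.
func classifyHandshake(err error) string {
	var rhe tls.RecordHeaderError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &rhe) && strings.HasPrefix(string(rhe.RecordHeader[:]), "HTTP/"):
		return "plaintext-http-reply"
	default:
		return "other-handshake-error"
	}
}

// handshakeAgainst runs a TLS client handshake over an in-memory net.Pipe and
// makes the "server" side answer the ClientHello with the given raw bytes,
// which is what a proxy or listener speaking plain HTTP on the path would do.
func handshakeAgainst(peerReply []byte) error {
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close()
	defer serverSide.Close()
	go io.Copy(io.Discard, serverSide) // drain the ClientHello; net.Pipe is unbuffered
	go serverSide.Write(peerReply)     // reply with whatever the broken hop sends back

	// ServerName is a constructed placeholder; the handshake fails before verification.
	tc := tls.Client(clientSide, &tls.Config{ServerName: "idp.example.invalid"})
	return tc.Handshake()
}

func main() {
	// Constructed replies: a plaintext HTTP answer and a genuine TLS fatal alert.
	plainHTTP := []byte("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
	tlsAlert := []byte{0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28}
	for _, reply := range [][]byte{plainHTTP, tlsAlert} {
		err := handshakeAgainst(reply)
		fmt.Printf("%-22s %v\n", classifyHandshake(err), err)
	}
}
```

When triaging the konnectivity logs, this distinction matters: a plaintext reply points at the proxy or tunnel hop answering directly, whereas an alert points at the TLS peer itself.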
      
          

      Expected results:

      Customers can use the v2.0 endpoint with a proxy.
          

      Additional info:

      
          

          People

            skuznets@redhat.com Steve Kuznetsov
            iamkirkbater Kirk Bater
            Deepak Punia Deepak Punia