OpenShift Bugs: OCPBUGS-58149

HyperShift produces an error when providing an authentication OIDC client without a client secret


    • Bug
    • Resolution: Unresolved
    • Major
    • 4.20.0
    • 4.15, 4.16, 4.17, 4.18, 4.19
    • HyperShift
    • Quality / Stability / Reliability
    • False
    • Proposed
    • Bug Fix
      Before this update, when you configured an OIDC provider for a `HostedCluster` resource with an OIDC client that did not specify a client secret, the system automatically generated a default secret name. As a consequence, you could not configure OIDC public clients, which are not supposed to use secrets. This release fixes the issue. If no client secret is provided, no default secret name is generated, enabling proper support for public clients.

      Description of problem:

      Configuring spec.configuration.authentication.oidcProviders[].oidcClients[] for a HostedCluster, you can optionally set a clientSecret. Setting a clientSecret indicates that the client is an OAuth confidential client, while omitting it indicates that it is a public client.

      The HyperShift HCCO produces an error when a client secret is not provided.

      Steps to Reproduce:

          1. Create an external auth provider with a public client

      Actual results:

          Error shown in the hcco logs: {"error":"failed to reconcile oauth client secrets: failed to get OIDCClient secret : Secret \"\" not found"}

      Expected results:

          No errors should be shown

      Additional info:

      Creating a public client by itself will still work even with the error logged in the HCCO, as no client secret is needed for it.

      However, as a side effect of this issue, creating a confidential client and a public client in the same configuration results in the client secret of the confidential client not being created correctly, because reconciliation gets stuck on this error. As a result, the confidential client does not work correctly.
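      As an added illustration (not HyperShift's code), the following simplified Go model of the reconcile loop described above uses a hypothetical OIDCClient type and an in-memory map in place of the Kubernetes Secret API. The buggy variant defaults the missing secret name to "" and aborts on the public client, so a confidential client listed after it is never handled; the fixed variant skips public clients and still reports a genuinely missing secret for a confidential one.

```go
package main

import (
	"errors"
	"fmt"
)

// OIDCClient is a simplified stand-in for one oidcProviders[].oidcClients[] entry
// (hypothetical type, not HyperShift's API); an empty ClientSecretName means a public client.
type OIDCClient struct {
	ClientID         string
	ClientSecretName string
}

// reconcileBuggy models the pre-fix behaviour: a public client still gets a (here empty) default
// secret name that is looked up in store (standing in for the Kubernetes API), aborting the loop early.
func reconcileBuggy(clients []OIDCClient, store map[string]string) (map[string]string, error) {
	out := map[string]string{}
	for _, c := range clients {
		name := c.ClientSecretName // defaulted even when the client is public
		v, ok := store[name]
		if !ok {
			return out, fmt.Errorf("failed to get OIDCClient secret %s: Secret %q not found", name, name)
		}
		out[c.ClientID] = v
	}
	return out, nil
}

// reconcileFixed models the fix: public clients are skipped, and a missing secret is
// reported per confidential client without blocking the others.
func reconcileFixed(clients []OIDCClient, store map[string]string) (map[string]string, error) {
	out := map[string]string{}
	var errs []error
	for _, c := range clients {
		if c.ClientSecretName == "" {
			continue // public client: no secret to reconcile
		}
		if v, ok := store[c.ClientSecretName]; ok {
			out[c.ClientID] = v
		} else {
			errs = append(errs, fmt.Errorf("client %s: Secret %q not found", c.ClientID, c.ClientSecretName))
		}
	}
	return out, errors.Join(errs...)
}

// Constructed sample: a public client listed before a confidential one, the mix the report says breaks.
var sampleClients = []OIDCClient{{ClientID: "console-public"}, {ClientID: "cli-confidential", ClientSecretName: "cli-client-secret"}}
var sampleStore = map[string]string{"cli-client-secret": "constructed-secret-value"}
```

With the sample above, reconcileBuggy returns the same `Secret "" not found` error quoted in the actual results and never reaches the confidential client, while reconcileFixed returns only the confidential client's secret and no error.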

              Ahmed Abdalla Abdelrehim (rh-ee-aabdelre)
              Martin Gencur