Description of problem:
Configuring an Identity Provider with Google Authentication (in OCP-22289) allows other Google accounts to authenticate even when the "hostedDomain" field is empty.
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Create an OAuth client ID on Google APIs (refer to https://developers.google.com/identity/protocols/oauth2/openid-connect, sections "Setting up OAuth 2.0" and "Obtain OAuth 2.0 credentials"). The redirect URL must be set to https://oauth-openshift.apps.<cluster-name>.<cluster-domain>/oauth2callback/<idp-provider-name>, where idp-provider-name must equal the value of .spec.identityProviders.name in the later step.
2. oc create secret generic google-secret --from-literal=clientSecret={...} -n openshift-config
3. oc apply -f - <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: googleidp
    mappingMethod: lookup
    type: Google
    google:
      clientID: {...}
      clientSecret:
        name: google-secret
      hostedDomain: ~
EOF
4. When trying to log in using the Google identity provider in the OpenShift console, it allows other Google accounts to authenticate.
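Added example (not part of this bug report and not OpenShift's own code): a small audit that flags Google identity providers whose hostedDomain is null or empty in the parsed OAuth resource from step 3, plus a model of the hosted-domain gate that Google's `hd` ID-token claim makes possible. The CR dict is the parsed form of the YAML above with the clientID replaced by a placeholder; the ID-token claims and the shape of the gate are constructed assumptions.

```python
"""Audit Google identity providers in an OpenShift OAuth resource for a missing
hostedDomain, and model why an empty hostedDomain cannot restrict logins.

Added example; not part of the bug report or of OpenShift. The CR below is the
parsed form of the YAML from the reproduction steps (clientID is a placeholder),
and the ID-token claims used for the gate are constructed samples.
"""
from typing import Optional

# Parsed form of the OAuth CR applied in step 3 (constructed; clientID is a placeholder).
OAUTH_CR = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "OAuth",
    "metadata": {"name": "cluster"},
    "spec": {
        "identityProviders": [
            {
                "name": "googleidp",
                "mappingMethod": "lookup",
                "type": "Google",
                "google": {
                    "clientID": "<client-id-placeholder>",
                    "clientSecret": {"name": "google-secret"},
                    "hostedDomain": None,  # YAML `~` parses to null
                },
            }
        ]
    },
}


def google_idps_without_hosted_domain(oauth_cr: dict) -> list:
    """Return the names of Google IdPs whose hostedDomain is missing, null or ''."""
    findings = []
    for idp in oauth_cr.get("spec", {}).get("identityProviders", []):
        if idp.get("type") != "Google":
            continue
        hosted = (idp.get("google") or {}).get("hostedDomain")
        if not hosted:  # covers None, "" and an absent key
            findings.append(idp["name"])
    return findings


def hosted_domain_allows(claims: dict, hosted_domain: Optional[str]) -> bool:
    """Model of the hosted-domain gate applied after a Google ID token is verified.

    Assumption (a model, not OpenShift's implementation): Google places the
    Workspace domain of the signed-in account in the `hd` claim, so a domain
    restriction can only be enforced when hosted_domain is actually set.
    Consumer accounts (e.g. gmail.com) carry no `hd` claim at all.
    """
    if not hosted_domain:
        return True  # no restriction configured: any Google account passes
    return claims.get("hd") == hosted_domain


if __name__ == "__main__":
    for name in google_idps_without_hosted_domain(OAUTH_CR):
        print(f"Google IdP {name!r} has no hostedDomain: any Google account can sign in")
    # Constructed sample claims: a Workspace account and a consumer account.
    workspace = {"email": "alice@example.com", "hd": "example.com"}
    consumer = {"email": "someone@gmail.com"}
    for label, claims in (("workspace", workspace), ("consumer", consumer)):
        print(label, "unrestricted:", hosted_domain_allows(claims, None),
              "restricted to example.com:", hosted_domain_allows(claims, "example.com"))
```

Running the audit against the reproduction CR reports `googleidp`; the second function shows that with hostedDomain unset both the Workspace and the consumer account pass, while setting hostedDomain to the expected domain rejects the account without a matching `hd` claim.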
Actual results:
When trying to log in to the OpenShift console using the Google Identity Provider, it allows other Google accounts to authenticate.
Expected results:
When trying to log in to the OpenShift console using the Google Identity Provider, it should not allow other Google accounts to authenticate if the "hostedDomain" field is empty.
Additional info: