Description:
This issue was found in Quay 3.16.1: authentication.confirm_existing_user asks for a password even though the user has logged in with OIDC.
    @resource("/v1/signin/verify")
    @internal_only
    class VerifyUser(ApiResource):
        """
        Operations for verifying the existing user.
        """

        schemas = {
            "VerifyUser": {
                "id": "VerifyUser",
                "type": "object",
                "description": "Information required to verify the signed in user.",
                "required": [
                    "password",
                ],
                "properties": {
                    "password": {
                        "type": "string",
                        "description": "The user's password",
                    },
                },
            },
        }

        @require_user_admin()
        @nickname("verifyUser")
        @validate_json_request("VerifyUser")
        @readonly_call_allowed
        @restricted_user_readonly_call_allowed
        def post(self):
            """
            Verifies the signed in the user with the specified credentials.
            """
            signin_data = request.get_json()
            password = signin_data["password"]

            username = get_authenticated_user().username
            (result, error_message) = authentication.confirm_existing_user(username, password)
            if not result:
                return {
                    "message": error_message,
                    "invalidCredentials": True,
                }, 403

            success, headers = common_login(result.uuid)
            if not success:
                return {
                    "message": "Could not verify user.",
                }, 403

            return {"success": True}, 200, headers
The UI prompting for a local password is consistent with the endpoint’s contract. Quay’s auth layer describes confirm_existing_user as verifying a password for an existing DB user (and it may translate the DB user via a federated login mapping first), which still results in a password verification call, not an IdP step-up or refresh.
An IdP user might not be in the user DB, so prompting for a local password does not work for them.
Expected behavior:
Quay UI verifies the token with the IdP and steps up or refreshes it, with no prompt for the user.
Current behavior:
Quay UI is prompting for a password, which cannot be verified because the user does not have a password in the user database.
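The expected behavior above, sketched as an added example (not Quay code and not a proposed patch): a verification decision that only asks local users for a password and checks federated users against the OIDC `auth_time` claim, falling back to an IdP re-authentication request with the standard `prompt=login` and `max_age` parameters. The `User` class, `verify_signed_in_user`, the status strings and the 300-second limit are hypothetical, and the claims are assumed to come from an ID token whose signature, issuer, audience and expiry were already validated.

```python
import time
from dataclasses import dataclass
from typing import Optional

MAX_AUTH_AGE = 300  # seconds; assumed policy value, not a Quay setting


@dataclass
class User:
    username: str
    federated_service: Optional[str]  # e.g. "oidc"; None for a local DB user


def verify_signed_in_user(user, claims=None, password_ok=None, now=None):
    """Return (status, params) for a sensitive-action re-verification.

    claims      -- already-validated ID token claims (assumption)
    password_ok -- result of a local password check, or None if not supplied
    """
    now = int(time.time()) if now is None else now

    if user.federated_service is None:
        # Local DB user: confirming the password is the right check.
        if password_ok is None:
            return ("password_required", {})
        return ("verified", {}) if password_ok else ("denied", {})

    # Federated user: there is no local password, so never prompt for one.
    auth_time = (claims or {}).get("auth_time")
    if isinstance(auth_time, int) and 0 <= now - auth_time <= MAX_AUTH_AGE:
        return ("verified", {})

    # Missing or stale auth_time: send the browser back to the IdP and ask
    # it to re-authenticate the user (OIDC Core request parameters).
    return ("reauth_required", {"prompt": "login", "max_age": str(MAX_AUTH_AGE)})


if __name__ == "__main__":
    # Constructed sample input.
    oidc_user = User("alice", "oidc")
    t = 1_700_000_000
    print(verify_signed_in_user(oidc_user, {"auth_time": t - 60}, now=t))
    print(verify_signed_in_user(oidc_user, {"auth_time": t - 3600}, now=t))
    print(verify_signed_in_user(User("bob", None), now=t))
```
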