Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-1807

Quay login with SSO user was failed when OIDC provider Binding Field is None after enabled LDAP

XMLWordPrintable

    • False
    • False
    • Undefined
    • 0

      Description:

      This is an issue found when enabled LDAP and OIDC Provider with Quay config editor, after select "Binding Field" of OIDC Provider as 'None', login quay with OIDC SSO user, get error "RedhatSSO login error,Configuration error in this provider", checked Quay App Pod Logs, get following error:

      The expected behavior is if allow quay customer to choose None, then as the comments described "If none selected, a user unique to *Quay will be created on initial login with this OIDC provider. This is not the recommended setup.*"

      If the behavior is not allow to choose None in this situation, then quay config editor should not provide option 'None'

      gunicorn-web stdout | 2021-03-29 09:30:55,180 [249] [DEBUG] [endpoints.oauth.login] Got oauth bind field name of ""
gunicorn-web stdout | 2021-03-29 09:30:55,180 [249] [ERROR] [endpoints.oauth.login] Missing lookup value for OAuth login
      Quay login with OIDC SSO User

       

      Quay config editor

      Quay Version:

      oc get pod
NAME                                               READY   STATUS      RESTARTS   AGE
quay-operator.v3.5.0-7489b8c4f-r4r6j               1/1     Running     0          8h
quayregistry-clair-app-588d4884c8-q9zw6            1/1     Running     0          21m
quayregistry-clair-postgres-6d5bd88bd8-4pz9b       1/1     Running     0          6h28m
quayregistry-quay-app-6dfc49d585-hnjc6             1/1     Running     0          21m
quayregistry-quay-config-editor-76c96fc997-6649w   1/1     Running     0          21m
quayregistry-quay-database-f69444dd4-k2lhr         1/1     Running     0          6h47m
quayregistry-quay-mirror-69b75797c5-nm2vm          1/1     Running     0          20m
quayregistry-quay-postgres-init-dkhqf              0/1     Completed   0          6h47m
quayregistry-quay-redis-5f96d7dc4-k4f9x            1/1     Running     0          6h28m

oc get pod quayregistry-quay-app-6dfc49d585-hnjc6 -o json | jq '.spec.containers[0].image'
"registry.redhat.io/quay/quay-rhel8@sha256:0444c7b452a14e0c87ee56f9aa72c54484333c38b0a95de9a4f11f6177273f26"

      Steps:

      1. Deploy Quay 3.5.0 Operator to all OCP namespace
      2. Deploy quay with quay 3.5 Operator with using AWS S3 as backend registry storage
      3. Open Quay config editor, and choose LDAP as internal authentication, input valid LDAP configurations
      4. Click add new OIDC Provider
      5. Upload the SSL Cert of OIDC provider
      6. Input correct configurations of OIDC provider
      7. In the OIDC Provider "Binding Field:", Choose 'None'
      8. Click Validate configurations 
      9. After validations is passed, Click reconfigure quay
      10. Login quay with OIDC SSO user

      Expected Results:

      Login quay complete successfully

      Actual Results:

      Login quay was failed with error message 'Configuration error in this provider'

        1. image-2021-03-29-18-06-33-186.png
          image-2021-03-29-18-06-33-186.png
          216 kB
        2. image-2021-03-29-18-07-50-017.png
          image-2021-03-29-18-07-50-017.png
          463 kB
        3. quay_350_app_pod.logs
          151 kB

            Unassigned Unassigned
            lzha1981 luffy zhang
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: