-
Bug
-
Resolution: Done
-
Major
-
quay-v3.11.0
-
False
-
None
-
False
-
-
-
0
Description:
This is an issue found in Quay 3.11 , when configured Quay to use OIDC authentication, on the Quay Console login page, Quay should only allow login Quay with OIDC authentication, but quay allow users to input username/password to login Quay, after input username/password, hit Quay 500 error page.
Login Quay hit 500 error page:
Quay: quay-operator-bundle-container-v3.11.0-12
Quay Config.yaml:
AUTHENTICATION_TYPE: OIDC FEATURE_TEAM_SYNCING: true FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP: true AZUREID_LOGIN_CONFIG: CLIENT_ID: d38adba5-f32e-4342-b57e-bc0e6dcc4fbe CLIENT_SECRET: ****** LOGIN_SCOPES: [ 'openid', 'roles' ] PREFERRED_GROUP_CLAIM_NAME: quay311 OIDC_SERVER: https://login.microsoftonline.com/250926f3-c788-4a52-acfa-e3aac5386ac1/v2.0/ SERVICE_NAME: AzureAD
Quay APP POD logs:
gunicorn-web stdout | 2024-02-29 04:50:33,340 [239] [ERROR] [gunicorn.error] Error handling request /api/v1/signin gunicorn-web stdout | Traceback (most recent call last): gunicorn-web stdout | File "/app/lib/python3.9/site-packages/gunicorn/workers/base_async.py", line 55, in handle gunicorn-web stdout | self.handle_request(listener_name, req, client, addr) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/gunicorn/workers/ggevent.py", line 128, in handle_request gunicorn-web stdout | super().handle_request(listener_name, req, sock, addr) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/gunicorn/workers/base_async.py", line 108, in handle_request gunicorn-web stdout | respiter = self.wsgi(environ, resp.start_response) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/flask/app.py", line 2213, in __call__ gunicorn-web stdout | return self.wsgi_app(environ, start_response) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/werkzeug/middleware/proxy_fix.py", line 182, in __call__ gunicorn-web stdout | return self.app(environ, start_response) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/flask/app.py", line 2193, in wsgi_app gunicorn-web stdout | response = self.handle_exception(e) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/flask_restful/__init__.py", line 298, in error_router gunicorn-web stdout | return original_handler(e) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/flask/app.py", line 2190, in wsgi_app gunicorn-web stdout | response = self.full_dispatch_request() gunicorn-web stdout | File "/app/lib/python3.9/site-packages/flask/app.py", line 1486, in full_dispatch_request gunicorn-web stdout | rv = self.handle_user_exception(e) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/flask_restful/__init__.py", line 298, in error_router gunicorn-web stdout | return original_handler(e) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/flask/app.py", line 1484, in full_dispatch_request gunicorn-web stdout | rv = self.dispatch_request() gunicorn-web stdout | File "/app/lib/python3.9/site-packages/flask/app.py", line 1469, in dispatch_request gunicorn-web stdout | return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) gunicorn-web stdout | File "/quay-registry/endpoints/decorators.py", line 285, in wrapper gunicorn-web stdout | return func(*args, **kwargs) gunicorn-web stdout | File "/quay-registry/auth/decorators.py", line 68, in wrapper gunicorn-web stdout | return func(*args, **kwargs) gunicorn-web stdout | File "/quay-registry/util/request.py", line 64, in wrapper gunicorn-web stdout | return decorator(func)(*args, **kwargs) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/flask_restful/utils/cors.py", line 35, in wrapped_function gunicorn-web stdout | resp = make_response(f(*args, **kwargs)) gunicorn-web stdout | File "/quay-registry/endpoints/csrf.py", line 71, in wrapper gunicorn-web stdout | resp = func(*args, **kwargs) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/flask_restful/__init__.py", line 489, in wrapper gunicorn-web stdout | resp = resource(*args, **kwargs) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/flask/views.py", line 109, in view gunicorn-web stdout | return current_app.ensure_sync(self.dispatch_request)(**kwargs) gunicorn-web stdout | File "/app/lib/python3.9/site-packages/flask_restful/__init__.py", line 604, in dispatch_request gunicorn-web stdout | resp = meth(*args, **kwargs) gunicorn-web stdout | File "/quay-registry/endpoints/decorators.py", line 189, in wrapper gunicorn-web stdout | return func(*args, **kwargs) gunicorn-web stdout | File "/quay-registry/endpoints/decorators.py", line 164, in wrapper gunicorn-web stdout | return func(*args, **kwargs) gunicorn-web stdout | File "/quay-registry/endpoints/api/__init__.py", line 573, in wrapped gunicorn-web stdout | return func(self, *args, **kwargs) gunicorn-web stdout | File "/quay-registry/endpoints/api/user.py", line 865, in post gunicorn-web stdout | return conduct_signin(username, password, invite_code=invite_code) gunicorn-web stdout | File "/quay-registry/endpoints/api/user.py", line 700, in conduct_signin gunicorn-web stdout | (found_user, error_message) = authentication.verify_and_link_user(username_or_email, password) gunicorn-web stdout | File "/quay-registry/data/users/__init__.py", line 349, in verify_and_link_user gunicorn-web stdout | (result, err_msg) = self.state.verify_and_link_user(username_or_email, password) gunicorn-web stdout | File "/quay-registry/data/users/federated.py", line 82, in verify_and_link_user gunicorn-web stdout | (credentials, err_msg) = self.verify_credentials(username_or_email, password) gunicorn-web stdout | TypeError: cannot unpack non-iterable NoneType object gunicorn-web stdout | 2024-02-29 04:50:33,342 [239] [INFO] [gunicorn.access] - - [29/Feb/2024:04:50:33 +0000] "POST /api/v1/signin HTTP/1.0" 500 0 "-" "-" nginx stdout | 10.131.0.28 (-) - - [29/Feb/2024:04:50:33 +0000] "POST /api/v1/signin HTTP/1.1" 500 141 "https://quayregistry-quay-quay-enterprise-2145.apps.quayfipstest-2145.qe.devcluster.openshift.com/repository/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0" (0.005 1907 0.005) gunicorn-web stdout | 2024-02-29 04:50:33,608 [240] [DEBUG] [app] Starting request: urn:request:5da4e1c0-59c6-4a03-9541-f74d10f3cd7d (/500) {'X-Forwarded-For': '221.218.181.255, 10.131.0.28'} gunicorn-web stdout | 2024-02-29 04:50:33,613 [240] [DEBUG] [app] Ending request: urn:request:5da4e1c0-59c6-4a03-9541-f74d10f3cd7d (/500) {'endpoint': 'web.internal_error_display', 'request_id': 'urn:request:5da4e1c0-59c6-4a03-9541-f74d10f3cd7d', 'remote_addr': '10.131.0.28', 'http_method': 'GET', 'original_url': 'https://quayregistry-quay-quay-enterprise-2145.apps.quayfipstest-2145.qe.devcluster.openshift.com/500', 'path': '/500', 'parameters': {}, 'json_body': None, 'confsha': 'd42b6c8c', 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0'} gunicorn-web stdout | 2024-02-29 04:50:33,613 [240] [INFO] [gunicorn.access] 10.131.0.28 - - [29/Feb/2024:04:50:33 +0000] "GET /500 HTTP/1.0" 200 2629 "https://quayregistry-quay-quay-enterprise-2145.apps.quayfipstest-2145.qe.devcluster.openshift.com/repository/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0" nginx stdout | 10.131.0.28 (-) - - [29/Feb/2024:04:50:33 +0000] "GET /500 HTTP/1.1" 200 992 "https://quayregistry-quay-quay-enterprise-2145.apps.quayfipstest-2145.qe.devcluster.openshift.com/repository/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0" (0.006 1662 0.007)
- links to
- mentioned on