Loading...

XML

Word

Printable

Details

Type: Feature Request
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: Auth
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected
Hierarchy Progress:
0
Hierarchy Progress Bar:

0% 0%

SFDC Cases Counter:
SFDC Cases Links:

Description

1. Proposed title of this feature request

Allow oauth operator to ignore userinfo url from discovery

2. What is the nature and description of the request?

we have some issues to integrate ADFS openid provider with openshift.

It's observed in plenty of customers that when the token is customized we have this error at ADFS side:

MSIS9921: Received invalid UserInfo request. Audience 'microsoft:identityserver:e73c01dd-6e31-4785-b5dc-7f198d5dd0b9' in the access token is not same as the identifier of the UserInfo relying party trust 'urn:microsoft:userinfo'."

the only way we manage to integrate is to ignore userinfo url. In that case we will be skipping:

https://github.com/openshift/oauth-server/blob/b5790c9a24f45ca817628498dbab8091e29528a6/pkg/oauth/external/openid/openid.go#L168-L193

and that will allow to have this integration working.

This should be solved at ADFS side.

I am reporting this RFE just in case we want to manage this integration from our side.

Attachments

Issue Links

is duplicated by

RFE-3596 Support for ADFS openid identity provider.

Rejected

links to

KCS 6960548: How to ignore userinfo token in openshift openid identity provider configuration

openshift/openshift-docs#45263: OSDOCS-3533: Adding ADFS to list of supported OIDC providers

openshift/openshift-docs#45264: OSDOCS-3533: Added release note for ADFS as supported OIDC provider

Activity

People

Assignee:: Anjali Telang

Reporter:: German Parente

Votes:: 1 Vote for this issue

Watchers:: 21 Start watching this issue

Dates

Created:: 2022/04/11 1:04 PM

Updated:: 2024/02/14 2:15 PM

Resolved:: 2022/05/10 4:27 AM