OpenShift Request For Enhancement / RFE-2770

Allow oauth operator to ignore userinfo url from discovery

    • Feature Request
    • Resolution: Won't Do
    • Critical
    • Auth
    • Product / Portfolio Work

      1. Proposed title of this feature request

      Allow oauth operator to ignore userinfo url from discovery

      2. What is the nature and description of the request?

      We have some issues integrating the ADFS OpenID provider with OpenShift.

      It has been observed with plenty of customers that when the token is customized, we get this error on the ADFS side:

      MSIS9921: Received invalid UserInfo request. Audience 'microsoft:identityserver:e73c01dd-6e31-4785-b5dc-7f198d5dd0b9' in the access token is not same as the identifier of the UserInfo relying party trust 'urn:microsoft:userinfo'."

      The only way we managed to integrate is to ignore the userinfo URL. In that case we will be skipping:

      https://github.com/openshift/oauth-server/blob/b5790c9a24f45ca817628498dbab8091e29528a6/pkg/oauth/external/openid/openid.go#L168-L193

      and that will allow this integration to work.

      This should be solved on the ADFS side.

      I am reporting this RFE just in case we want to manage this integration from our side.

              atelang@redhat.com Anjali Telang
              rhn-support-gparente German Parente
              Votes: 1
              Watchers: 22

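Added example (not part of the original ticket or of oauth-server): a Go diagnostic that reads the `aud` claim of an access token and compares it with the UserInfo relying party identifier quoted in the MSIS9921 message above. Treating membership in a multi-valued `aud` as a match is an assumption, and the sample token in `main` is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Identifier of the UserInfo relying party trust, as quoted in MSIS9921.
const userInfoAudience = "urn:microsoft:userinfo"

// tokenAudiences reads "aud" from a JWT payload without verifying the
// signature (diagnostics only); RFC 7519 allows a string or an array.
func tokenAudiences(jwt string) ([]string, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, errors.New("expected three dot-separated segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Aud json.RawMessage `json:"aud"` }
	if err != nil || json.Unmarshal(payload, &claims) != nil || len(claims.Aud) == 0 {
		return nil, errors.New("payload unreadable or aud missing")
	}
	one, many := "", []string(nil)
	if json.Unmarshal(claims.Aud, &one) == nil && one != "" {
		return []string{one}, nil // single-string form
	}
	err = json.Unmarshal(claims.Aud, &many) // array form
	return many, err
}

// userInfoWouldAccept reports whether the access token names the UserInfo
// relying party as an audience (assumption: array membership counts).
func userInfoWouldAccept(accessToken string) (bool, []string, error) {
	auds, err := tokenAudiences(accessToken)
	for _, a := range auds {
		if a == userInfoAudience {
			return true, auds, nil
		}
	}
	return false, auds, err
}

func main() {
	// Constructed, unsigned sample carrying the audience from the error above.
	claims := `{"aud":"microsoft:identityserver:e73c01dd-6e31-4785-b5dc-7f198d5dd0b9"}`
	tok := "e30." + base64.RawURLEncoding.EncodeToString([]byte(claims)) + ".sig"
	fmt.Println(userInfoWouldAccept(tok))
}
```

A `false` result with a customized audience is the condition under which the ticket reports the UserInfo call failing.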