- Feature Request
- Resolution: Done
- Critical
1. Proposed title of this feature request
Allow bypassing "checkOIDCPasswordGrantFlow" for OIDC IdentityProviders
2. What is the nature and description of the request?
The Control Plane Operator currently reaches out to the specified endpoint for OIDC Identity Providers during [`checkOIDCPasswordGrantFlow` validation](https://github.com/openshift/hypershift/blob/main/control-plane-operator/controllers/hostedcontrolplane/oauth/idp_convert.go#L380-L388). For "private" OIDC endpoints, the CPO attempts DNS resolution from the management cluster, but that resolution fails because the name is only resolvable from the data plane.
In this case, we should either implicitly skip the validation step or allow an explicit "skip validation" flag.
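As an added illustration (not HyperShift's own code), the three behaviours discussed above in Go: the current fail-closed check, an implicit skip when the management cluster cannot resolve the endpoint, and an explicit skip flag. The `Mode` type, the function names and the injected prober are assumptions made so the example runs offline; the hostname used is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Mode selects the behaviour the request discusses: fail closed (today),
// skip implicitly when DNS resolution fails, or skip only on an explicit flag.
type Mode int
const (
	AlwaysValidate Mode = iota
	SkipOnDNSFailure
	ExplicitSkipFlag
)
// Prober performs the outbound check; it is injected so this runs offline.
type Prober func(issuerURL string) error

// CheckPasswordGrantFlow is a hypothetical stand-in for the CPO's checkOIDCPasswordGrantFlow; it reports a skip separately from a pass.
func CheckPasswordGrantFlow(issuerURL string, mode Mode, skip bool, probe Prober) (skipped bool, err error) {
	if mode == ExplicitSkipFlag && skip {
		return true, nil // explicit opt-out: no outbound call at all
	}
	if perr := probe(issuerURL); perr != nil {
		var dnsErr *net.DNSError
		// Implicit skip only swallows "no such host"; TLS/HTTP errors still fail closed.
		if mode == SkipOnDNSFailure && errors.As(perr, &dnsErr) && dnsErr.IsNotFound {
			return true, nil
		}
		return false, fmt.Errorf("validating OIDC endpoint %s: %w", issuerURL, perr)
	}
	return false, nil
}

// privateEndpoint is a constructed prober: the management cluster cannot
// resolve a name that exists only on the data plane.
func privateEndpoint(issuerURL string) error {
	u, err := url.Parse(issuerURL)
	if err != nil {
		return err
	}
	return &net.DNSError{Err: "no such host", Name: u.Hostname(), IsNotFound: true}
}

func main() {
	skipped, err := CheckPasswordGrantFlow("https://idp.corp.internal/oauth2", AlwaysValidate, false, privateEndpoint)
	fmt.Println(skipped, err)
}
```

The caller should log a skip distinctly from a successful check, so an unvalidated IdP configuration stays visible in the operator's output.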
3. Why does the customer need this? (List the business requirements here)
The customer
- Cannot expose their OIDC endpoint with a public DNS entry
- Expects their OIDC endpoint to be supported
- Is in favor of this "skip validation" feature
4. List any affected packages or components.
HyperShift, CPO
- depends on: OCPBUGS-37753 discoverOpenIDURLs and checkOIDCPasswordGrantFlow fail if endpoints are private to the data plane (Closed)
- is related to: OCPBUGS-32166 Microsoft v2.0 IDP fails to auth with HTTP response for HTTPS client (New)