OpenShift Request For Enhancement
RFE-6357

ACS Central only supports configuring OIDC providers via the OpenID Connect discovery mechanism


    • Type: Feature Request
    • Resolution: Unresolved
    • Component: rhacs

      In case the OIDC provider is not reachable from the ACS Central backend, the fragment and query callback methods for user authentication might still work, because they do not require a backchannel between the backend and the identity provider. However, currently we only support configuring OIDC providers via the OpenID Connect discovery mechanism, i.e., .well-known/openid-configuration, which requires the backend to talk to the identity provider at least once during the setup.

      This prevents using privately running identity providers with ACS running on public infrastructure, like the ACS cloud service. We can allow configuring the OIDC provider manually to resolve this.

      One workaround could be exposing/tunneling just the well-known endpoint for ACS, because I think for the fragment and query callback methods we don't need to contact the IdP from the backend. Another alternative would be to require users to federate or expose their identity providers for ACS Central.

      Originally brought up by rh-ee-dinoue.
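The following is an added example, not code from the RFE or from the ACS code base, showing what "configure the OIDC provider manually" amounts to: the same provider configuration can be built either from a fetched discovery document (with the issuer-match check that OpenID Connect Discovery requires) or from endpoints typed in by an administrator, without the backend ever contacting the identity provider. It then builds a fragment-mode authorization request, which only the user's browser needs to reach, and extracts the ID token from the resulting fragment (or query) callback. The issuer URL, client ID, redirect URI and discovery document are constructed for the example. One caveat the example does not cover: validating the returned ID token still requires the provider's signing keys (jwks_uri), so a manual configuration would have to carry those keys or a reachable JWKS endpoint as well.

```python
"""Added example: OIDC provider configuration from discovery vs. manual
endpoints, plus a front-channel (fragment) authorization request and
callback parsing. All URLs below are constructed, not real."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the JSON a backend would GET from
# <issuer>/.well-known/openid-configuration (hypothetical issuer).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.internal.example",
    "authorization_endpoint": "https://idp.internal.example/oauth2/authorize",
    "token_endpoint": "https://idp.internal.example/oauth2/token",
    "jwks_uri": "https://idp.internal.example/oauth2/keys",
    "response_modes_supported": ["query", "fragment"],
})

# What a front-channel flow needs from the provider. jwks_uri stays in the
# list because the ID token signature must still be checked against the
# provider's keys; a manual configuration has to supply those out of band.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri")


def provider_from_discovery(issuer, document):
    """Build a provider config from a fetched discovery document."""
    cfg = json.loads(document)
    # OpenID Connect Discovery 1.0, section 4.3: the issuer value inside the
    # document must equal the issuer URL the document was fetched from.
    if cfg.get("issuer") != issuer.rstrip("/"):
        raise ValueError("issuer mismatch: %r != %r" % (cfg.get("issuer"), issuer))
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        raise ValueError("discovery document lacks %s" % ", ".join(missing))
    return {k: cfg[k] for k in REQUIRED}


def provider_manual(issuer, authorization_endpoint, jwks_uri):
    """Build the same config from administrator-supplied endpoints, with no
    network access to the provider at all."""
    fields = {
        "issuer": issuer.rstrip("/"),
        "authorization_endpoint": authorization_endpoint,
        "jwks_uri": jwks_uri,
    }
    for name, url in fields.items():
        if urlsplit(url).scheme != "https":
            raise ValueError("%s must be an https URL" % name)
    return fields


def authorization_url(provider, client_id, redirect_uri, state, nonce):
    """Fragment-mode authorization request. The browser follows this URL, so
    only the user, not the backend, needs to reach the IdP."""
    params = {
        "response_type": "id_token",
        "response_mode": "fragment",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
    }
    return provider["authorization_endpoint"] + "?" + urlencode(params)


def extract_callback(callback_url, expected_state):
    """Pull the id_token out of a callback URL. Parameters arrive in the
    fragment for fragment mode or in the query string for a query callback;
    no backchannel request is made here."""
    parts = urlsplit(callback_url)
    params = parse_qs(parts.fragment or parts.query)
    if "error" in params:
        raise ValueError("IdP returned error: %s" % params["error"][0])
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    tokens = params.get("id_token")
    if not tokens:
        raise ValueError("callback carries no id_token")
    return tokens[0]


if __name__ == "__main__":
    via_discovery = provider_from_discovery("https://idp.internal.example", SAMPLE_DISCOVERY)
    via_manual = provider_manual(
        "https://idp.internal.example",
        "https://idp.internal.example/oauth2/authorize",
        "https://idp.internal.example/oauth2/keys",
    )
    print("configs equal:", via_discovery == via_manual)
    print(authorization_url(via_manual, "acs-central",
                            "https://central.example/sso/providers/oidc/callback",
                            "st1", "n1"))
```

The two constructors return the same dictionary, which is the point: the backend does not care whether the endpoints came from discovery or from an administrator, only that the issuer check passed and the endpoints are HTTPS. The state check in extract_callback is what keeps a front-channel callback from being forged or replayed by anyone who can reach the callback URL.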

              atelang@redhat.com Anjali Telang
              aruklets@redhat.com Alexander Rukletsov
              ACS Merlin (authn/authz/cli/ci/image-signing)
              Votes: 0
              Watchers: 2
