oidc authentication plugin: don't trim issuer URLs with trailing slashes #29860
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-github-robot
added
size/L
ericchiang
force-pushed
the
fix-openid-connect-provider-with-trailing-slash
branch
from
e8e9277 to
ef8e5cb
Compare
The issuer URL passed to the plugin must identically match the issuer URL returned by OpenID Connect discovery. However, the plugin currently trims all trailing slashes from issuer URLs, causing a mismatch. Since the go-oidc client already handles this case correctly, don't trim the path.
ericchiang
force-pushed
the
fix-openid-connect-provider-with-trailing-slash
branch
from
ef8e5cb to
bc3dc12
Compare
|
GCE e2e build/test passed for commit bc3dc12. |
|
@kubernetes/sig-auth beyond test updates this just one line change[0] to the oidc authenticator. It okay for @yifan-gu to LGTM this? [0] https://github.com/kubernetes/kubernetes/pull/29860/files#diff-ab7eb2396e8b0f5861fc6245a6dd307aR176 |
|
fine with me |
liggitt
added
lgtm
|
LGTM |
1 similar comment
|
LGTM |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e build/test passed for commit bc3dc12. |
|
Automatic merge from submit-queue |
liggitt
added
release-note
jessfraz
pushed a commit
to jessfraz/kubernetes
that referenced
this pull request
Aug 19, 2016
…r-dont-trim-issuer Automatic merge from submit-queue oidc auth provider: don't trim issuer URL This mirrors a similar side fix for the API server authenticator. Don't trim the issuer URL provided by the user since OpenID Connect mandates that this URL exactly matches the URL returned by the issuer during discovery. This change only impacts clients attempting to connect to providers that are non-spec compliant. No test updates since this is already tested by the go-oidc client package. See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation Server side fix kubernetes#29860 Updates kubernetes#29749 cc @kubernetes/sig-auth @hanikesn
shyamjvs
pushed a commit
to shyamjvs/kubernetes
that referenced
this pull request
Dec 1, 2016
…ck-of-#29860-upstream-release-1.3 Automatic merge from submit-queue Automated cherry pick of kubernetes#29860 Cherry pick of kubernetes#29860 on release-1.3.
shouhong
pushed a commit
to shouhong/kubernetes
that referenced
this pull request
Feb 14, 2017
…ck-of-#29860-upstream-release-1.3 Automatic merge from submit-queue Automated cherry pick of kubernetes#29860 Cherry pick of kubernetes#29860 on release-1.3.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The issuer URL passed to the plugin must identically match the issuer
URL returned by OpenID Connect discovery. However, the plugin currently
trims all trailing slashes from issuer URLs, causing a mismatch. Since
the go-oidc client already handles this case correctly, don't trim the
path.
Closes #29749
cc @hanikesn @kubernetes/sig-auth