Bug #63732

open

RGW jwt auth not adhering to RFC

Added by Johannes Liebl 5 months ago. Updated 5 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Source: Community (user)
Tags:
Backport: Quincy
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Hi Ceph team,

I was testing out OIDC auth when I came across a bug that broke that feature completely for us.
Our OIDC provider does not provide the "x5c" parameter inside the JWK under the "jwks_uri" endpoint.
This is in accordance with RFC 7517 section 4.7, which states that the use of this parameter is optional (see https://datatracker.ietf.org/doc/html/rfc7517#section-4.7).

Unfortunately, in WebTokenEngine::validate_signature this parameter is explicitly looked for, which in turn breaks OIDC for us.
Please fix the validation to adhere to the RFC.

Actions #1

Updated by Johannes Liebl 5 months ago

I found a closed pull request that addresses this issue: https://github.com/ceph/ceph/pull/41525
Unfortunately, it is abandoned.
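
The key handling the report asks for, as an added example that is not Ceph's code and not part of the original report: an RS256 token is verified from the JWK's "n" and "e" members alone, so a JWKS that omits "x5c" still validates. The function names are made up for this example, and only the Python standard library is used.

```python
import base64
import hashlib
import json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(s):
    """Decode unpadded base64url as used in JWK and JWS."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def rsa_key_from_jwk(jwk):
    """Build (n, e) from the RSA members of a JWK; "x5c" is not required.

    If "x5c" is present, RFC 7517 section 4.7 requires its first certificate
    to carry this same key; that cross-check is omitted here.
    """
    if jwk.get("kty") != "RSA" or "n" not in jwk or "e" not in jwk:
        raise ValueError("not an RSA public JWK")
    return (int.from_bytes(b64u(jwk["n"]), "big"),
            int.from_bytes(b64u(jwk["e"]), "big"))

def verify_rs256(signing_input, signature, n, e):
    """RSASSA-PKCS1-v1_5 verification with SHA-256 (RFC 8017, section 8.2.2)."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    if len(signature) != k or k < len(t) + 11:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(s, e, n).to_bytes(k, "big") == expected

def verify_token(token, jwks):
    """Verify a compact RS256 JWS against a JWKS document; return its claims."""
    h, p, s = token.split(".")
    header = json.loads(b64u(h))
    if header.get("alg") != "RS256":  # pin the algorithm, do not trust the header
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks.get("keys", [])
                if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no JWK for kid")
    n, e = rsa_key_from_jwk(jwk)
    if not verify_rs256(f"{h}.{p}".encode(), b64u(s), n, e):
        raise ValueError("signature check failed")
    return json.loads(b64u(p))
```

This checks the signature only; claims such as iss, aud and exp still have to be validated by the caller.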
