Bug #63732
openRGW jwt auth not adhering to RFC
Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Source: Community (user)
Tags:
Backport: Quincy
Regression: No
Severity: 3 - minor
Reviewed:
Description
Hi Ceph team,
I was testing out OIDC auth when I came across a bug that broke that feature completely for us.
Our OIDC provider does not provide the "x5c" parameter inside the JWK under the "jwks_uri" endpoint.
This is in accordance with RFC 7517 section 4.7, which states that the use of this parameter is optional (see https://datatracker.ietf.org/doc/html/rfc7517#section-4.7).
Unfortunately, in WebTokenEngine::validate_signature this parameter is explicitly looked for, which in turn breaks OIDC for us.
Please fix the validation to adhere to the RFC.
Updated by Johannes Liebl 5 months ago
I found a closed pull request that addresses this issue: https://github.com/ceph/ceph/pull/41525
Unfortunately, it is abandoned.