Commit 0341d3d3 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #30944 from ericchiang/oidc-auth-provider-dont-trim-issuer

Automatic merge from submit-queue oidc auth provider: don't trim issuer URL This mirrors a similar side fix for the API server authenticator. Don't trim the issuer URL provided by the user since OpenID Connect mandates that this URL exactly matches the URL returned by the issuer during discovery. This change only impacts clients attempting to connect to providers that are non-spec compliant. No test updates since this is already tested by the go-oidc client package. See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation Server side fix #29860 Updates #29749 cc @kubernetes/sig-auth @hanikesn
parents 56045bbd 3d2ee4e7
...@@ -97,7 +97,7 @@ func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.A ...@@ -97,7 +97,7 @@ func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.A
} }
hc := &http.Client{Transport: trans} hc := &http.Client{Transport: trans}
providerCfg, err := oidc.FetchProviderConfig(hc, strings.TrimSuffix(issuer, "/")) providerCfg, err := oidc.FetchProviderConfig(hc, issuer)
if err != nil { if err != nil {
return nil, fmt.Errorf("error fetching provider config: %v", err) return nil, fmt.Errorf("error fetching provider config: %v", err)
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment