Skip to content

oidc: add option to override discovered issuer URL #315

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 17, 2021
Merged

oidc: add option to override discovered issuer URL #315

merged 1 commit into from
Sep 17, 2021

Conversation

ericchiang
Copy link
Collaborator

Fixes #250
Fixes #212

liafizan
liafizan reviewed Sep 16, 2021
View reviewed changes
Copy link

@liafizan liafizan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We tried the fix in our environment where our OIDC connect provider has the issuer mismatch problem and this fix worked perfectly! Thank you for working on this

@ericchiang
Copy link
Collaborator Author

Glad this works for you! I think that's the feedback I need. Going to go ahead and merge.

@ericchiang ericchiang merged commit d42db69 into coreos:v3 Sep 17, 2021
@ericchiang ericchiang deleted the issuer branch September 17, 2021 00:06
@ericchiang ericchiang mentioned this pull request Sep 17, 2021
Closed
@jimlambrt jimlambrt mentioned this pull request Mar 18, 2022
Closed
@schlauerlauer schlauerlauer mentioned this pull request Jan 8, 2024
Closed
5 tasks
@aramase aramase mentioned this pull request Feb 20, 2024
Closed
@aramase aramase mentioned this pull request Mar 1, 2024
Merged
ddl-ebrown added a commit to dominodatalab/flyte that referenced this pull request Aug 31, 2024
@ddl-ebrown
OIDC config to allow mismatched discovery / issuer
14474be 
 - There are a number of cases where the OIDC discovery url returns one
   issuer, but its desirable to use a separately configured / named
   issuer for validation instead.

   There are cases in Azure where this is necessary due to their
   non-standard OIDC configuration -- which is why this was originally
   added:
   coreos/go-oidc#315

   There are also cases where it's necessary to use an in-cluster
   service address, but browser clients are using the external ingress
   address. Due to cluster DNS configuration, it's possible that
   flyteadmin may be unable to resolve or use the public ingress
   address for an Idp, but the internal service address is available.
   This configuration change allows for that.
@ddl-ebrown ddl-ebrown mentioned this pull request Aug 31, 2024
Merged
3 tasks
ddl-ebrown added a commit to dominodatalab/flyte that referenced this pull request Aug 31, 2024
@ddl-ebrown
OIDC config to allow mismatched discovery / issuer
d897dfb 
 - There are a number of cases where the OIDC discovery url returns one
   issuer, but its desirable to use a separately configured / named
   issuer for validation instead.

   There are cases in Azure where this is necessary due to their
   non-standard OIDC configuration -- which is why this was originally
   added:
   coreos/go-oidc#315

   There are also cases where it's necessary to use an in-cluster
   service address, but browser clients are using the external ingress
   address. Due to cluster DNS configuration, it's possible that
   flyteadmin may be unable to resolve or use the public ingress
   address for an Idp, but the internal service address is available.
   This configuration change allows for that.

Signed-off-by: ddl-ebrown <ethan.brown@dominodatalab.com>
Sovietaced pushed a commit to Sovietaced/flyte that referenced this pull request Apr 17, 2025
@ddl-ebrown @Sovietaced
OIDC config to allow mismatched discovery / issuer
eb6a9ea 
 - There are a number of cases where the OIDC discovery url returns one
   issuer, but its desirable to use a separately configured / named
   issuer for validation instead.

   There are cases in Azure where this is necessary due to their
   non-standard OIDC configuration -- which is why this was originally
   added:
   coreos/go-oidc#315

   There are also cases where it's necessary to use an in-cluster
   service address, but browser clients are using the external ingress
   address. Due to cluster DNS configuration, it's possible that
   flyteadmin may be unable to resolve or use the public ingress
   address for an Idp, but the internal service address is available.
   This configuration change allows for that.

Signed-off-by: ddl-ebrown <ethan.brown@dominodatalab.com>
ddl-ebrown added a commit to dominodatalab/flyte that referenced this pull request Apr 17, 2025
@ddl-ebrown
OIDC config to allow mismatched discovery / issuer
4c5268d 
 - There are a number of cases where the OIDC discovery url returns one
   issuer, but its desirable to use a separately configured / named
   issuer for validation instead.

   There are cases in Azure where this is necessary due to their
   non-standard OIDC configuration -- which is why this was originally
   added:
   coreos/go-oidc#315

   There are also cases where it's necessary to use an in-cluster
   service address, but browser clients are using the external ingress
   address. Due to cluster DNS configuration, it's possible that
   flyteadmin may be unable to resolve or use the public ingress
   address for an Idp, but the internal service address is available.
   This configuration change allows for that.

Signed-off-by: ddl-ebrown <ethan.brown@dominodatalab.com>
ddl-ebrown added a commit to dominodatalab/flyte that referenced this pull request Apr 17, 2025
@ddl-ebrown
OIDC config to allow mismatched discovery / issuer
662cec7 
 - There are a number of cases where the OIDC discovery url returns one
   issuer, but its desirable to use a separately configured / named
   issuer for validation instead.

   There are cases in Azure where this is necessary due to their
   non-standard OIDC configuration -- which is why this was originally
   added:
   coreos/go-oidc#315

   There are also cases where it's necessary to use an in-cluster
   service address, but browser clients are using the external ingress
   address. Due to cluster DNS configuration, it's possible that
   flyteadmin may be unable to resolve or use the public ingress
   address for an Idp, but the internal service address is available.
   This configuration change allows for that.

 - Regenerated flyteadmin code through mise with:
   mise x go@1.22 -- make generate

Signed-off-by: ddl-ebrown <ethan.brown@dominodatalab.com>
Sovietaced pushed a commit to flyteorg/flyte that referenced this pull request Apr 17, 2025
@ddl-ebrown
OIDC config to allow mismatched discovery / issuer (#5712)
42002f4 
- There are a number of cases where the OIDC discovery url returns one
   issuer, but its desirable to use a separately configured / named
   issuer for validation instead.

   There are cases in Azure where this is necessary due to their
   non-standard OIDC configuration -- which is why this was originally
   added:
   coreos/go-oidc#315

   There are also cases where it's necessary to use an in-cluster
   service address, but browser clients are using the external ingress
   address. Due to cluster DNS configuration, it's possible that
   flyteadmin may be unable to resolve or use the public ingress
   address for an Idp, but the internal service address is available.
   This configuration change allows for that.

 - Regenerated flyteadmin code through mise with:
   mise x go@1.22 -- make generate

Signed-off-by: ddl-ebrown <ethan.brown@dominodatalab.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@liafizan liafizan liafizan left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Issuer Name Mismatch Document Azure "{tenantid}" discovery quirks
2 participants
@ericchiang @liafizan