Skip to content
This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

oidc is invalid when jwtIssuer includes protocol #424

Closed
drewwells opened this issue Aug 4, 2023 · 0 comments · Fixed by #425
Closed

oidc is invalid when jwtIssuer includes protocol #424

drewwells opened this issue Aug 4, 2023 · 0 comments · Fixed by #425

Comments

@drewwells
Copy link
Contributor

jwtIssuer was included as a domain in the oidc configuration. The problem is that https:// is not valid here, so oidc can not start when a jwtIssuer is defined with https://

Example

      "domains": [
        "spire-oidc-spiffe-oidc-discovery-provider",
        "spire-oidc-spiffe-oidc-discovery-provider.spire-server",
        "spire-oidc-spiffe-oidc-discovery-provider.spire-server.svc.cluster.local",
        "https://spire-env-4.test.infoblox.com",
        "localhost"
      ],

$ k -n spire-server logs -f spire-spiffe-oidc-discovery-provider-f5874f988-sxxpv
domain "https://spire-env-4.test.infoblox.com" is not a valid domain name: idna: disallowed rune U+003A

The issue is that protocols are not allowed and jwtIssuer can be a URI https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
drewwells added a commit to drewwells/helm-charts that referenced this issue Aug 4, 2023
@drewwells
domains can not include URIs fixes spiffe#424
19131be 
Signed-off-by: Drew Wells <dwells@infoblox.com>
drewwells added a commit to drewwells/helm-charts that referenced this issue Aug 4, 2023
@drewwells
domains can not include URIs fixes spiffe#424
2330630 
Signed-off-by: Drew Wells <dwells@infoblox.com>
drewwells added a commit to drewwells/helm-charts that referenced this issue Aug 5, 2023
@drewwells
domains can not include URIs fixes spiffe#424
80549f2 
    use a real URI for the production example as a test case for this

Signed-off-by: Drew Wells <dwells@infoblox.com>
drewwells added a commit to drewwells/helm-charts that referenced this issue Aug 8, 2023
@drewwells
domains can not include URIs fixes spiffe#424
213a324 
    use a real URI for the production example as a test case for this

Signed-off-by: Drew Wells <dwells@infoblox.com>
drewwells added a commit to drewwells/helm-charts that referenced this issue Aug 8, 2023
@drewwells
domains can not include URIs fixes spiffe#424
2398a16 
    use a real URI for the production example as a test case for this

Signed-off-by: Drew Wells <dwells@infoblox.com>
@drewwells drewwells mentioned this issue Aug 8, 2023
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix jwtIssuer to allow for Uris including scheme drewwells/helm-charts
1 participant
@drewwells