From 5a86889ee20ea8d89b3dd50f464dbe96d8533df0 Mon Sep 17 00:00:00 2001 From: Andrea Hoffer Date: Mon, 22 Jul 2019 14:25:30 -0400 Subject: [PATCH] BZ-1730609: Clarify changes for 4.1 --- .../identity-provider-about-request-header.adoc | 16 ++++++---------- modules/identity-provider-request-header-CR.adoc | 8 +++++++- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/modules/identity-provider-about-request-header.adoc b/modules/identity-provider-about-request-header.adoc index 9f1f6155fc..7a69c2466a 100644 --- a/modules/identity-provider-about-request-header.adoc +++ b/modules/identity-provider-about-request-header.adoc @@ -20,13 +20,13 @@ requests for OAuth tokens to the proxy endpoint that proxies to To redirect unauthenticated requests from clients expecting browser-based login flows: -1. Set the `provider.loginURL` parameter to the authenticating proxy URL that +* Set the `provider.loginURL` parameter to the authenticating proxy URL that will authenticate interactive clients and then proxy the request to `https://__/oauth/authorize`. To redirect unauthenticated requests from clients expecting `WWW-Authenticate` challenges: -1. Set the `provider.challengeURL` parameter to the authenticating proxy URL that +* Set the `provider.challengeURL` parameter to the authenticating proxy URL that will authenticate clients expecting `WWW-Authenticate` challenges and then proxy the request to `https://__/oauth/authorize`. 
@@ -35,19 +35,15 @@ the following tokens in the query portion of the URL: * `${url}` is replaced with the current URL, escaped to be safe in a query parameter. + -For example: `https://www.example.com/sso-login?then=${url}` +For example: [x-]`https://www.example.com/sso-login?then=${url}` * `${query}` is replaced with the current query string, unescaped. + -For example: `https://www.example.com/auth-proxy/oauth/authorize?${query}` +For example: [x-]`https://www.example.com/auth-proxy/oauth/authorize?${query}` -[WARNING] +[IMPORTANT] ==== -If you expect unauthenticated requests to reach the OAuth server, a `clientCA` -parameter MUST be set for this identity provider, so that incoming requests -are checked for a valid client certificate before the request's headers are -checked for a user name. Otherwise, any direct request to the OAuth server can -impersonate any identity from this provider, merely by setting a request header. +As of {product-title} 4.1, your proxy must support mutual TLS. ==== [id="sspi-windows_{context}"] diff --git a/modules/identity-provider-request-header-CR.adoc b/modules/identity-provider-request-header-CR.adoc index b6052af59c..e272d383fc 100644 --- a/modules/identity-provider-request-header-CR.adoc +++ b/modules/identity-provider-request-header-CR.adoc 
@@ -58,10 +58,16 @@ If this attribute is not defined, then `challengeURL` must be used. <5> Reference to an {product-title} ConfigMap containing a PEM-encoded certificate bundle. Used as a trust anchor to validate the TLS certificates presented by the remote server. ++ +[IMPORTANT] +==== +As of {product-title} 4.1, the `ca` field is required for this identity +provider. This means that your proxy must support mutual TLS. +==== <6> Optional: list of common names (`cn`). If set, a valid client certificate with a Common Name (`cn`) in the specified list must be presented before the request headers are checked for user names. If empty, any Common Name is allowed. Can only be used in combination -with `clientCA`. +with `ca`. <7> Header names to check, in order, for the user identity. The first header containing a value is used as the identity. Required, case-insensitive. <8> Header names to check, in order, for an email address. The first header containing
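Review bot: in the first hunk of identity-provider-about-request-header.adoc, both bullets that this change touches still send the reader to `https://__/oauth/authorize`, where the host between `https://` and `/oauth/authorize` is just `__`. The change from `1.` to `*` is fine (each of those lists has a single item, so a bullet reads better than a numbered step), but while the lines are being edited it is worth confirming that `__` is the intended placeholder for the OAuth server host and renders as one, rather than appearing literally in the published page.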
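Review bot: the replacement admonition in identity-provider-about-request-header.adoc drops the reason the certificate check exists. The removed WARNING told the reader that incoming requests "are checked for a valid client certificate before the request's headers are checked for a user name" and that otherwise "any direct request to the OAuth server can impersonate any identity from this provider, merely by setting a request header." The new one-line IMPORTANT ("As of {product-title} 4.1, your proxy must support mutual TLS.") says what to do but not what the requirement protects against, so an administrator who puts a proxy in front of the OAuth server that does not present a client certificate no longer sees any statement of the impersonation risk on this page. Suggest keeping one sentence of rationale next to the 4.1 statement, for example: "As of {product-title} 4.1, your proxy must support mutual TLS: the OAuth server verifies the proxy's client certificate before it trusts the identity headers, so a request that bypasses the proxy cannot impersonate a user simply by setting a header." That keeps the 4.1 wording while preserving the security point the WARNING carried.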
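Review bot: callout <5> in identity-provider-request-header-CR.adoc still describes the `ca` bundle as "Used as a trust anchor to validate the TLS certificates presented by the remote server", which conflicts with the IMPORTANT this change attaches directly beneath it ("the `ca` field is required for this identity provider. This means that your proxy must support mutual TLS.") and with callout <6>, which says the certificate checked is "a valid client certificate with a Common Name (`cn`) in the specified list" presented "before the request headers are checked for user names". For this provider the certificate being validated against `ca` is the one the authenticating proxy presents as a TLS client to the OAuth server, not a server certificate, so the <5> text should be updated in the same hunk, e.g. "Used as a trust anchor to validate the client certificate presented by the authenticating proxy." As written the reader is told in one sentence that the bundle validates a server and in the next that it enforces mutual TLS. The `clientCA` to `ca` rename in <6> is consistent with the new field name and looks right.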