From: Krunal Chheda Date: Wed, 4 Mar 2026 17:05:36 +0000 (-0500) Subject: rgw/oidc: Allow thumbprints to be optional for oidc operations. X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=1ad28ec182578cceb1967446c3c3a9cc23d5d807;p=ceph.git rgw/oidc: Allow thumbprints to be optional for oidc operations. Signed-off-by: Krunal Chheda --- diff --git a/src/rgw/rgw_rest_oidc_provider.cc b/src/rgw/rgw_rest_oidc_provider.cc index f4b49de96276..fd3ca9ff3be6 100644 --- a/src/rgw/rgw_rest_oidc_provider.cc +++ b/src/rgw/rgw_rest_oidc_provider.cc @@ -104,10 +104,6 @@ int RGWCreateOIDCProvider::init_processing(optional_yield y) } } - if (info.thumbprints.empty()) { - s->err.message = "Missing required element ThumbprintList"; - return -EINVAL; - } if (info.thumbprints.size() > MAX_OIDC_NUM_THUMBPRINTS) { s->err.message = "ThumbprintList cannot exceed the maximum size of " + std::to_string(MAX_OIDC_NUM_THUMBPRINTS); diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc index e2d16d56988b..f5f9041d47be 100644 --- a/src/rgw/rgw_rest_sts.cc +++ b/src/rgw/rgw_rest_sts.cc @@ -586,6 +586,12 @@ bool WebTokenEngine::verify_oidc_thumbprint(const DoutPrefixProvider* dpp, const return true; } + if (thumbprints.empty()) { + ldpp_dout(dpp, 5) << "No thumbprints registered with oidc provider," + " skipping JWKS url verification" << dendl; + return true; + } + // Fetch and verify cert according to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html const auto hostname = get_top_level_domain_from_host(dpp, cert_url); ldpp_dout(dpp, 20) << "Validating hostname: " << hostname << dendl; 
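Review bot: With the ThumbprintList requirement dropped from init_processing, CreateOpenIDConnectProvider now accepts a provider with no thumbprints even when nothing else stands in for them; the STS side in this same commit rejects x5c tokens for such a provider with EINVAL whenever `rgw_enable_jwks_url_verification` is off, so the misconfiguration is created silently here and only surfaces at AssumeRoleWithWebIdentity time. Consider failing early in this hunk, e.g. `if (info.thumbprints.empty() && !s->cct->_conf.get_val<bool>("rgw_enable_jwks_url_verification")) { s->err.message = "ThumbprintList is required unless rgw_enable_jwks_url_verification is enabled"; return -EINVAL; }`, or at least logging a level-0 warning that the new provider relies entirely on JWKS URL verification; whether `s->cct` is reachable from this method is not visible in the hunk. The body of `init_processing` starts before the hunk.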
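Review bot: The new `thumbprints.empty()` branch in verify_oidc_thumbprint fails open: it returns true and logs only at level 5, so a provider registered without thumbprints passes this check with no pinning of the JWKS host's certificate at all, and the message says "skipping JWKS url verification" although what is actually skipped is the thumbprint match. If the `return true;` just above the hunk is the `rgw_enable_jwks_url_verification` early exit (not visible here), then reaching this branch means URL verification is disabled too, which is exactly the combination validate_signature in the next hunk treats as an EINVAL error for x5c keys; the two paths should agree rather than one throwing and the other silently accepting. Prefer `ldpp_dout(dpp, 0) << "No thumbprints registered with oidc provider and JWKS url verification is disabled, cannot verify JWKS origin" << dendl; return false;` unless the caller already guarantees TLS validation of the JWKS fetch, in which case a comment stating that guarantee belongs here. verify_oidc_thumbprint continues outside the hunk.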
@@ -652,7 +658,14 @@ WebTokenEngine::validate_signature(const DoutPrefixProvider* dpp, const jwt::dec
 if (JSONDecoder::decode_json("x5c", x5c, &k_parser)) {
 string cert;
 bool found_valid_cert = false;
- bool skip_thumbprint_verification = cct->_conf.get_val("rgw_enable_jwks_url_verification");
+ bool skip_thumbprint_verification = cct->_conf.get_val(
+ "rgw_enable_jwks_url_verification");
+ if (!skip_thumbprint_verification && thumbprints.empty()) {
+ ldpp_dout(dpp, 0) << "x5c cert validation requires registered "
+ "thumbprints, but thumbprint list is empty"
+ << dendl;
+ throw std::system_error(EINVAL, std::system_category());
+ }
 for (auto& it : x5c) {
 cert = "-----BEGIN CERTIFICATE-----\n" + it + "\n-----END CERTIFICATE-----";
 ldpp_dout(dpp, 20) << "Certificate is: " << cert.c_str() << dendl;
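Review bot: The new guard in validate_signature throws `std::system_error(EINVAL, ...)` and logs at level 0 for what is a per-provider configuration problem, so every AssumeRoleWithWebIdentity attempt against such a provider emits a level-0 line and the client gets a generic invalid-argument failure rather than a token-verification failure; the message also names neither the issuer nor the provider, which makes the log hard to act on. Consider including the issuer or provider identifier (whichever this function has in scope; not visible in the hunk) in the message and, if other rejected tokens in this function are reported as EACCES, raising `throw std::system_error(EACCES, std::system_category());` instead so the failure is classified consistently. A one-line comment above the check would also help, `// Without registered thumbprints an x5c cert cannot be pinned to the provider; only JWKS URL verification can stand in for them.` Both the enclosing function and the `if (JSONDecoder::decode_json("x5c", ...))` branch continue outside the hunk.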