From 1ad28ec182578cceb1967446c3c3a9cc23d5d807 Mon Sep 17 00:00:00 2001
From: Krunal Chheda
Date: Wed, 4 Mar 2026 12:05:36 -0500
Subject: [PATCH] rgw/oidc: Allow thumbprints to be optional for oidc operations.
Signed-off-by: Krunal Chheda
---
src/rgw/rgw_rest_oidc_provider.cc | 4 ----
src/rgw/rgw_rest_sts.cc | 15 ++++++++++++++-
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/rgw/rgw_rest_oidc_provider.cc b/src/rgw/rgw_rest_oidc_provider.cc
index f4b49de96276..fd3ca9ff3be6 100644
--- a/src/rgw/rgw_rest_oidc_provider.cc
+++ b/src/rgw/rgw_rest_oidc_provider.cc
@@ -104,10 +104,6 @@ int RGWCreateOIDCProvider::init_processing(optional_yield y)
} }
- if (info.thumbprints.empty()) {
- s->err.message = "Missing required element ThumbprintList";
- return -EINVAL;
- }
if (info.thumbprints.size() > MAX_OIDC_NUM_THUMBPRINTS) { s->err.message = "ThumbprintList cannot exceed the maximum size of " + std::to_string(MAX_OIDC_NUM_THUMBPRINTS);
diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc
index e2d16d56988b..f5f9041d47be 100644
--- a/src/rgw/rgw_rest_sts.cc
+++ b/src/rgw/rgw_rest_sts.cc
@@ -586,6 +586,12 @@ bool WebTokenEngine::verify_oidc_thumbprint(const DoutPrefixProvider* dpp, const
return true; }
+ if (thumbprints.empty()) {
+ ldpp_dout(dpp, 5) << "No thumbprints registered with oidc provider," " skipping JWKS url verification" << dendl;
+ return true;
+ }
+ // Fetch and verify cert according to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html const auto hostname = get_top_level_domain_from_host(dpp, cert_url); ldpp_dout(dpp, 20) << "Validating hostname: " << hostname << dendl;
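Review bot: Removing the ThumbprintList check leaves nothing at this spot recording that an empty list is now a deliberate, accepted state, so a later reader of init_processing will not know what authenticates the provider when no thumbprint is registered. I would put a short comment where the removed block was, `// ThumbprintList is optional: an empty list means the JWKS host certificate is not pinned (see WebTokenEngine::verify_oidc_thumbprint)`, and update the CreateOIDCProvider documentation if it still lists the element as required. The remainder of init_processing, including where info.thumbprints is populated, lies outside this hunk.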
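Review bot: The added early return makes an empty thumbprint list behave exactly like a disabled check, so once thumbprints are optional the only thing authenticating the JWKS host on this path is the TLS peer verification performed by the HTTPS fetch, and nothing here confirms that verification is actually on. On a deployment with peer verification disabled (presumably the rgw_verify_ssl option, which is not visible in this hunk) a provider registered without thumbprints would accept signing keys from whoever answers for the JWKS URL, which is the attack the thumbprint was meant to stop. I would refuse rather than skip when both are off, and reword the level-5 message, since what is skipped is the thumbprint check of the host certificate rather than "JWKS url verification". The start of verify_oidc_thumbprint, including the first early return just above the new block, is outside the hunk.
```cpp
  if (thumbprints.empty()) {
    // With no thumbprints registered the TLS handshake is all that
    // authenticates the JWKS host, so do not proceed if that is disabled.
    if (!cct->_conf->rgw_verify_ssl) {  // NOTE(review): confirm option name
      ldpp_dout(dpp, 0) << "No thumbprints registered with oidc provider and "
                           "TLS peer verification is disabled, rejecting" << dendl;
      return false;
    }
    ldpp_dout(dpp, 5) << "No thumbprints registered with oidc provider,"
                      " skipping thumbprint check of the JWKS host certificate"
                      << dendl;
    return true;
  }
  // … unchanged: hostname extraction and certificate fetch …
```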
@@ -652,7 +658,14 @@ WebTokenEngine::validate_signature(const DoutPrefixProvider* dpp, const jwt::dec
if (JSONDecoder::decode_json("x5c", x5c, &k_parser)) { string cert; bool found_valid_cert = false;
- bool skip_thumbprint_verification = cct->_conf.get_val("rgw_enable_jwks_url_verification");
+ bool skip_thumbprint_verification = cct->_conf.get_val(
+ "rgw_enable_jwks_url_verification");
+ if (!skip_thumbprint_verification && thumbprints.empty()) {
+ ldpp_dout(dpp, 0) << "x5c cert validation requires registered "
+ "thumbprints, but thumbprint list is empty"
+ << dendl;
+ throw std::system_error(EINVAL, std::system_category());
+ }
for (auto& it : x5c) { cert = "-----BEGIN CERTIFICATE-----\n" + it + "\n-----END CERTIFICATE-----"; ldpp_dout(dpp, 20) << "Certificate is: " << cert.c_str() << dendl;
--
2.47.3
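Review bot: The new rejection for an empty thumbprint list fires on every token request for what is an operator misconfiguration, yet neither the level-0 log nor the EINVAL it throws tells the operator how to clear it; the caller's translation of std::system_error into an HTTP error is outside the hunk, so this log line is the only place the cause surfaces. I would make the message actionable, `"x5c cert validation requires registered thumbprints, but the thumbprint list is empty; register thumbprints for the provider or enable rgw_enable_jwks_url_verification"`, and since any client holding a token for that provider can repeat the request, consider level 5 rather than 0 so the log cannot be filled on demand. validate_signature starts before the hunk, and the x5c loop with its found_valid_cert handling continues past it.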