PROJQUAY-10283: update Entra OIDC server example #1626
Co-authored-by: Cursor <cursoragent@cursor.com>
Surge Preview Deployment: ✅ Preview deployed successfully! 🔗 Preview URL: https://quay-docs-pr-1626.surge.sh Built from commit 48526c1. This preview will be updated on every push to this PR.
| **Default:** `False` | ||
| **Default:** `false` | ||
|
|
||
| |*PKCE_METHOD* |Integer | The code challenge method used to generate the `code_challenge` sent in the initial authorization request. + |
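Review bot: the type column for *PKCE_METHOD* says Integer, but the description ("the code challenge method used to generate the `code_challenge`") describes a method name, which is a string value, not a number; change the type to String and list the accepted values and the default in the description so readers know what to put in `config.yaml` (consistent with the `allowed_methods = {"S256", "plain"}` set quoted in the review comment below). The row ends in `+ |`, so the description continues on a line not shown in this hunk; make sure that continuation actually states the accepted values.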
In `oidc-config-fields.adoc`, `PKCE_METHOD` is listed with type Integer. The codebase (`oauth/oidc.py:147-152`) shows:

```python
def pkce_method(self) -> str:
    method = self.config.get("PKCE_METHOD", "S256")
    allowed_methods = {"S256", "plain"}
```

It's a String; valid values are `"S256"` or `"plain"`. The docs should also list `"plain"` as a valid option.
| <2> The client ID of the application that is being registered with the identity provider. | ||
| <3> The client secret of the application that is being registered with the identity provider. | ||
| <4> The address of the OIDC server that is being used for authentication. In this example, you must use `sts.windows.net` as the issuer identifier. Using `https://login.microsoftonline.com` results in the following error: `Could not create provider for AzureAD. Error: oidc: issuer did not match the issuer returned by provider, expected "https://login.microsoftonline.com/73f2e714-xxxx-xxxx-xxxx-dffe1df8a5d5" got "https://sts.windows.net/73f2e714-xxxx-xxxx-xxxx-dffe1df8a5d5/"`. | ||
| <4> The address of the OIDC server that is being used for authentication. For Microsoft Entra ID, you can typically use the v2 endpoint, for example `\https://login.microsoftonline.com/<tenant_id>/v2.0/`. |
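Review bot: the replacement callout <4> drops the issuer-mismatch error text from the removed line entirely, so a reader who still hits `oidc: issuer did not match the issuer returned by provider` has nothing in the docs to search for. Suggest stating plainly that the v2.0 endpoint works because the issuer it advertises matches `OIDC_SERVER`, and keeping a one-line note that the v1 endpoint reports `https://sts.windows.net/<tenant_id>/` as its issuer and therefore fails that check unless the expected issuer is overridden. Also confirm in the Surge preview that the `\https://` escape inside the backticks renders without a stray backslash.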
"typically" is vague — it either works or it doesn't.
The v2.0 endpoint returns an issuer of https://login.microsoftonline.com/<tenant_id>/v2.0 in its discovery document, which matches the OIDC_SERVER value. The v1 endpoint returns issuer https://sts.windows.net/<tenant_id>/ — a different domain. The code at oauth/oidc.py:237 reads the issuer from the discovery document and loginmanager.py:55 compares it with rstrip("/"). So v2.0 works because the issuer matches. This should be stated explicitly, not hedged with "typically."
No mention of OIDC_ISSUER fallback — The codebase has an OIDC_ISSUER override field (oauth/oidc.py:240) specifically designed for issuer mismatch scenarios. If a customer must use the v1 endpoint for some reason, they can set OIDC_ISSUER: https://sts.windows.net/<tenant_id>/. This is undocumented in both the old and new docs.
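The issuer check the review describes (discovery-document issuer compared against the configured value after `rstrip("/")`, with an override field taking precedence), as an added example that is not Quay's code; `expected_issuer`, `validate_issuer` and `issuer_matches` are hypothetical helper names, the tenant id is a placeholder, and the discovery documents are constructed stand-ins for what the v1 and v2.0 endpoints return.

```python
"""Added example (not Quay's own code): OIDC issuer matching for Entra ID.

Assumptions: a Quay-style config dict with OIDC_SERVER and an optional
OIDC_ISSUER override; the discovery documents below are constructed
stand-ins for /.well-known/openid-configuration responses.
"""

# Constructed data: placeholder tenant id and the issuer each endpoint reports.
TENANT = "00000000-0000-0000-0000-000000000000"
DISCOVERY_V1 = {"issuer": f"https://sts.windows.net/{TENANT}/"}
DISCOVERY_V2 = {"issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0"}


class IssuerMismatch(Exception):
    """Raised when the provider's issuer differs from the configured one."""


def expected_issuer(config: dict) -> str:
    """OIDC_ISSUER, when set, overrides OIDC_SERVER as the expected issuer (assumed)."""
    return config.get("OIDC_ISSUER") or config["OIDC_SERVER"]


def validate_issuer(config: dict, discovery: dict) -> str:
    """Compare issuers with trailing slashes stripped; return the matched issuer."""
    expected = expected_issuer(config).rstrip("/")
    got = discovery["issuer"].rstrip("/")
    if expected != got:
        raise IssuerMismatch(
            f'oidc: issuer did not match the issuer returned by provider, '
            f'expected "{expected}" got "{got}"'
        )
    return got


def issuer_matches(config: dict, discovery: dict) -> bool:
    """Convenience wrapper: True when validate_issuer would accept the provider."""
    try:
        validate_issuer(config, discovery)
        return True
    except IssuerMismatch:
        return False


if __name__ == "__main__":
    v2_cfg = {"OIDC_SERVER": f"https://login.microsoftonline.com/{TENANT}/v2.0/"}
    v1_cfg = {"OIDC_SERVER": f"https://login.microsoftonline.com/{TENANT}/"}
    v1_fix = dict(v1_cfg, OIDC_ISSUER=f"https://sts.windows.net/{TENANT}/")
    print("v2.0 endpoint:", issuer_matches(v2_cfg, DISCOVERY_V2))   # True
    print("v1 endpoint:  ", issuer_matches(v1_cfg, DISCOVERY_V1))   # False
    print("v1 + override:", issuer_matches(v1_fix, DISCOVERY_V1))   # True
```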