At a glance this should be passed; user-provided client secrets have been supported for some time. If someone would like to dig into the code and see where the secret isn't getting passed, open to a PR to fix this.
@tailtwo did you find a resolution to this? @haydentherapper I'm also seeing this issue for OAUTH2_DEVICE_AUTH_ERROR. The exact same parameters (client id, secret, etc.) work fine when running outside of non-interactive mode; however, when running in non-interactive mode, it throws invalid_client_credentials.
@haydentherapper I found that the client_secret is not being passed here:
which causes an issue with Keycloak; however, the issue is moot, because even if it's passed correctly, Keycloak device flow requires browser interactivity, so it doesn't work anyways.
On a separate note @haydentherapper is there any interest in a PR to add client_credentials as another cosign flow? Because the device flow doesn't work with Keycloak, I ended up whipping that up. Is there a reason that already isn't a flow? Happy to PR it back in -- would rather have it that way.
Description
It seems that the OIDC client secret is not taken into account when Cosign is using device flow.
Gives me :
Keycloak log :
The specified client (sigstore) does exist inside Keycloak. Client authentication is enabled on Keycloak side with a set Client ID and secret. client-credentials.txt file exists and contains the correct secret. OAuth 2.0 Device Authorization Grant is enabled as well. I was able to sign an image using normal flow, but not with device flow. I found an issue and a merged MR, looks like those are related to my problem? #1309 #1310
Version
GitVersion: v2.2.0
GitCommit: 546f1c5
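The failure discussed in this thread, reproduced offline as an added example (not cosign's or Keycloak's code): under RFC 8628 a confidential client authenticates on the device authorization request the same way it does at the token endpoint, so a request that omits the secret is rejected. The handler, the `/device` path, the `invalid_client` error body and the secret value are constructed stand-ins, and the secret is assumed to be sent in the form body rather than via HTTP Basic.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// deviceAuthForm builds an RFC 8628 section 3.1 request body; an empty secret models the reported omission.
func deviceAuthForm(clientID, clientSecret string) url.Values {
	form := url.Values{"client_id": {clientID}, "scope": {"openid email"}}
	if clientSecret != "" {
		form.Set("client_secret", clientSecret)
	}
	return form
}

// deviceEndpoint is a constructed stand-in for an IdP device endpoint with client authentication enabled.
func deviceEndpoint(wantID, wantSecret string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		secret := r.PostFormValue("client_secret")
		ok := subtle.ConstantTimeCompare([]byte(secret), []byte(wantSecret)) == 1
		if r.PostFormValue("client_id") != wantID || !ok {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"error":"invalid_client"}`)
			return
		}
		fmt.Fprint(w, `{"device_code":"constructed","user_code":"ABCD-EFGH"}`)
	}
}

// requestStatus sends the form to the handler in-process and returns the HTTP status.
func requestStatus(h http.Handler, form url.Values) int {
	req := httptest.NewRequest(http.MethodPost, "/device", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := deviceEndpoint("sigstore", "constructed-secret")
	for _, secret := range []string{"", "constructed-secret"} {
		fmt.Printf("secret sent=%t status=%d\n", secret != "", requestStatus(h, deviceAuthForm("sigstore", secret)))
	}
}
```

When debugging a real deployment, comparing the form fields the client actually sends on the device authorization request against this shape shows quickly whether the secret is being dropped before it reaches the identity provider.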