Mathias Gebbe

icon indicating an email [email protected]

icon location Osnabrück

Results 10 comments of Mathias Gebbe

from version V7.2.0 silent refresh not working, oauth2-proxy validates ID token which will be valid for initial 1 hour only. causing refresh flow to trigger reauthentication to IDP after 1 hour from initial login

Are you using Azure AD as OIDC provider? We are currently facing the same issue. Can you proof its not happening with Version 7.1.3

from version V7.2.0 silent refresh not working, oauth2-proxy validates ID token which will be valid for initial 1 hour only. causing refresh flow to trigger reauthentication to IDP after 1 hour from initial login

I could fix the issue for us by adding `offline_access` to the scope. I compleltly missed that... We are using OIDC with Azure AD. Now it works! We have to...

whitelist-domain redirect to http. Navigation to http: URLs allowed in Login

hey! thanks for the quick response. Here I share the content of our pentest report as promised: In the login processing, the URL specified in the "rd" parameter is used...

whitelist-domain redirect to http. Navigation to http: URLs allowed in Login

--whitelist-domain | string \| list | allowed domains for redirection after authentication. Prefix domain with a . or a *. to allow subdomains (e.g. .example.com, *.example.com) -- | -- |...

helm-update with specific includes/excludes of helm-charts

Since I run the `kluctl helm-update --upgrade --commit` command for a large project, it unfortunately happens that charts are updated to beta or release candidate `Updated helm chart capi-aws-bootstrap/cilium from...

delete comments in the stream

thank you!!! i had problems with shared posts that shows many many extra menus. but this was caused by my own changes i think... you don't get extra-menu on shared...

429 failed to parse unknown error format

This will be the HTML page that GitLab delivers in the event of a 429 error. More correctly, perhaps JSON should be returned here (depending on what we send in...

[Feature]: JWT validation only mode

Sorry for the advertising, for this challenge I have published this tool. You might want to fork it and rebuild it locally https://github.com/matzegebbe/web-jwks-validator

Retrieving the manifest for an official DockerHub images (without the library prefix) causes a 500 error instead of a 401 error

it still happens with `3.0.0-alpha.1` ```bash docker run -it --rm -e REGISTRY_PROXY_REMOTEURL=https://registry-1.docker.io -p 5000:5000 ghcr.io/distribution/distribution:3.0.0-alpha.1 ``` ```bash curl -I https://registry-1.docker.io/v2/openjdk/manifests/sha256:2775e341f3c17e6e3412c2edaa604f9d851f900757c7f193a1521bab8b4f46cb # HTTP/1.1 401 Unauthorized # body: {"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"openjdk","Action":"pull"}]}]} ``` ```bash...

Retrieving the manifest for an official DockerHub images (without the library prefix) causes a 500 error instead of a 401 error

Thanks for checking so far. This is also what I see. We have subsequent errors that result in a 500 error, and the original 401 error gets swallowed. ![image](https://github.com/distribution/distribution/assets/3482021/fba69221-64b5-42e1-b1f5-40eb63aa2b9d)