The TiDB Dashboard SSO option does not have a place to fill in the secret, resulting in OIDC authentication failure with the error "Invalid client secret"

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: tidb-dashboard sso选项没有让填secret的地方,导致OIDC认证失败报“Invalid client secret” (The tidb-dashboard SSO option has nowhere to enter the secret, so OIDC authentication fails with "Invalid client secret")

| username: dba-kit

[TiDB Usage Environment] Production Environment
[TiDB Version] v6.5.1
When enabling SSO, it was found that only OIDC Client ID and Discovery URL entries were provided, and there was no entry for the secret.

After the configuration is completed, you can jump to the OIDC authentication interface for authentication, but an error is reported. The error screenshot is:
[screenshot not reproduced in this text]
Detailed content: Error: authenticate failed, caused by: SSO is not configured correctly, caused by: oidc: exchange failed, caused by: oauth2: cannot fetch token: 401 Unauthorized Response: {"error":"unauthorized_client","error_description":"Invalid client secret"}

| username: dba-kit | Original post link

For now, the secret has been removed and OIDC authentication is now possible. However, it is best to add a place on the page to pass the secret; otherwise it is prone to DoS attacks.
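The two posts above describe the symptom (a relying party that only knows the OIDC Client ID and Discovery URL, so it never sends a client secret, gets `401 unauthorized_client / Invalid client secret` at the token endpoint) and the workaround (removing the secret from the client registration on the IdP side makes the same login succeed). The following is an added example, not code from TiDB Dashboard or from the forum thread, that reproduces both outcomes with a minimal authorization-code token exchange. The client IDs, secrets, authorization codes and callback URL are constructed; the IdP side is a simplification of RFC 6749 sections 4.1.3 and 5.2 that only accepts `client_secret_post`, whereas real providers usually also accept `client_secret_basic`.

```python
"""
Added example: a minimal OAuth2/OIDC authorization-code token exchange that
shows why a relying party (RP) with no client_secret field fails against a
confidential client registration and succeeds against a public one.
All identifiers, secrets, codes and URLs below are constructed.
"""
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed client registrations on a hypothetical IdP.
IDP_CLIENTS = {
    # Confidential client: the IdP demands a secret on every token request.
    "dashboard-confidential": {"secret": "constructed-secret", "public": False},
    # Public client: no secret registered, so none is required.
    "dashboard-public": {"secret": None, "public": True},
}

# Constructed authorization codes, each bound to the client and redirect_uri
# that obtained it (RFC 6749 section 4.1.3 requires this binding).
IDP_CODES = {
    "code-conf": ("dashboard-confidential", "https://dashboard.example/callback"),
    "code-pub": ("dashboard-public", "https://dashboard.example/callback"),
}


def idp_token_endpoint(body: str) -> tuple[int, dict]:
    """Hypothetical IdP token endpoint: takes the urlencoded POST body and
    returns (http_status, json_response)."""
    form = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    client = IDP_CLIENTS.get(form.get("client_id", ""))
    if client is None:
        return 401, {"error": "invalid_client"}
    if not client["public"]:
        supplied = form.get("client_secret", "")
        # Constant-time comparison; a missing secret is rejected exactly like a
        # wrong one, which is the 401 response quoted in the thread.
        if not supplied or not hmac.compare_digest(supplied, client["secret"]):
            return 401, {"error": "unauthorized_client",
                         "error_description": "Invalid client secret"}
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    bound = IDP_CODES.get(form.get("code", ""))
    if bound != (form["client_id"], form.get("redirect_uri")):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": "constructed-at", "token_type": "Bearer",
                 "id_token": "constructed-id-token"}


def build_exchange_body(client_id: str, code: str, redirect_uri: str,
                        client_secret: Optional[str] = None) -> str:
    """RP side: form body of the code-for-token request. client_secret is
    only included when the RP actually has one to send."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    if client_secret is not None:
        params["client_secret"] = client_secret
    return urlencode(params)


def exchange_code(client_id: str, code: str, redirect_uri: str,
                  client_secret: Optional[str] = None) -> dict:
    """Run the exchange against the hypothetical IdP. Raises with a message in
    the shape of the error quoted in the thread when the IdP refuses."""
    status, resp = idp_token_endpoint(
        build_exchange_body(client_id, code, redirect_uri, client_secret))
    if status != 200:
        raise RuntimeError(
            f"oauth2: cannot fetch token: {status} Response: {json.dumps(resp)}")
    return resp


def exchange_error(client_id: str, code: str, redirect_uri: str,
                   client_secret: Optional[str] = None) -> Optional[str]:
    """Same as exchange_code but returns the error text (None on success)."""
    try:
        exchange_code(client_id, code, redirect_uri, client_secret)
    except RuntimeError as e:
        return str(e)
    return None


if __name__ == "__main__":
    cb = "https://dashboard.example/callback"
    # 1. RP with no secret field against a confidential registration: 401.
    print(exchange_error("dashboard-confidential", "code-conf", cb))
    # 2. Same registration, secret supplied: tokens issued.
    print(exchange_code("dashboard-confidential", "code-conf", cb, "constructed-secret"))
    # 3. The workaround from the thread: client re-registered as public.
    print(exchange_code("dashboard-public", "code-pub", cb))
```

Removing the secret from the registration turns the client into a public client, so the IdP stops authenticating the client at the token endpoint and the exchange goes through without it; the code above makes that difference explicit in `idp_token_endpoint`. A public client of this kind is normally expected to use PKCE (RFC 7636) so that an intercepted authorization code cannot be redeemed by someone else; that is a general recommendation, not something the thread states the dashboard does.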

| username: Billmay表妹 | Original post link

Regarding this issue, I consulted with the security team. This problem is due to the dashboard’s incomplete functionality and is not considered a vulnerability. However, since it is related to security, our security team is currently communicating with the dashboard team. If there are any further conclusions, we will update you.

| username: dba-kit | Original post link

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.