MyFavMirrors
/
minio
mirror of https://github.com/minio/minio.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
minio/internal/config/identity/openid/jwt.go

659 lines
19 KiB
Go
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-18 15:41:13 -04:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
package openid
import (
"crypto"
Ensure that role ARNs don't collide (#13817) This is to prepare for multiple providers enhancement.
2021-12-03 16:15:56 -05:00
"crypto/sha1"
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-06 18:52:43 -05:00
"crypto/sha256"
Ensure that role ARNs don't collide (#13817) This is to prepare for multiple providers enhancement.
2021-12-03 16:15:56 -05:00
"encoding/base64"
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
"encoding/json"
"errors"
"fmt"
"io"
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
"net"
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
"net/http"
"strconv"
fix: support client customized scopes for OpenID (#9880) Fixes #9238
2020-06-22 15:08:50 -04:00
"strings"
fix: referesh JWKS public keys upon failure (#10368) fixes #10359
2020-08-28 11:15:12 -04:00
"sync"
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
"time"
move to jwt-go v4 with correct releases (#13586)
2021-11-05 15:20:08 -04:00
jwtgo "github.com/golang-jwt/jwt/v4"
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-06 18:52:43 -05:00
"github.com/minio/madmin-go"
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
"github.com/minio/minio/internal/arn"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-01 17:59:40 -04:00
"github.com/minio/minio/internal/auth"
"github.com/minio/minio/internal/config"
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP.
2021-07-09 14:17:21 -04:00
"github.com/minio/minio/internal/config/identity/openid/provider"
move the dependency to minio/pkg for common libraries (#12397)
2021-05-28 18:17:01 -04:00
"github.com/minio/pkg/env"
move to iam, bucket policy from minio/pkg (#12400)
2021-05-30 00:16:42 -04:00
iampolicy "github.com/minio/pkg/iam/policy"
move internal/net to pkg/net package (#12505)
2021-06-14 17:54:37 -04:00
xnet "github.com/minio/pkg/net"
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
)
// Config - OpenID Config
// RSA authentication target arguments
type Config struct {
fix crash when config is not properly initialized (#12714) fixes #12709
2021-07-14 21:27:25 -04:00
*sync.RWMutex
Enabled bool `json:"enabled"`
JWKS struct {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
URL *xnet.URL `json:"url"`
} `json:"jwks"`
support dynamic redirect_uri based on incoming 'host' header (#13666) This feature is useful in situations when console is exposed over multiple intranent or internet entities when users are connecting over local IP v/s going through load balancer. Related console work was merged here https://github.com/minio/console/commit/373bfbfe3f16e6f7d376fb9765a4610d76cf15a2
2021-11-16 21:40:39 -05:00
URL *xnet.URL `json:"url,omitempty"`
ClaimPrefix string `json:"claimPrefix,omitempty"`
ClaimName string `json:"claimName,omitempty"`
ClaimUserinfo bool `json:"claimUserInfo,omitempty"`
RedirectURI string `json:"redirectURI,omitempty"`
RedirectURIDynamic bool `json:"redirectURIDynamic"`
DiscoveryDoc DiscoveryDoc
ClientID string
ClientSecret string
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
RolePolicy string
fix crash when config is not properly initialized (#12714) fixes #12709
2021-07-14 21:27:25 -04:00
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
roleArn arn.ARN
fix crash when config is not properly initialized (#12714) fixes #12709
2021-07-14 21:27:25 -04:00
provider provider.Provider
publicKeys map[string]crypto.PublicKey
transport *http.Transport
closeRespFn func(io.ReadCloser)
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
}
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-13 19:22:14 -04:00
// UserInfo returns claims for authenticated user from userInfo endpoint.
//
// Some OIDC implementations such as GitLab do not support
// claims as part of the normal oauth2 flow, instead rely
// on service providers making calls to IDP to fetch additional
// claims available from the UserInfo endpoint
func (r *Config) UserInfo(accessToken string) (map[string]interface{}, error) {
if r.JWKS.URL == nil || r.JWKS.URL.String() == "" {
return nil, errors.New("openid not configured")
}
transport := http.DefaultTransport
if r.transport != nil {
transport = r.transport
}
client := &http.Client{
Transport: transport,
}
req, err := http.NewRequest(http.MethodPost, r.DiscoveryDoc.UserInfoEndpoint, nil)
if err != nil {
return nil, err
}
if accessToken != "" {
req.Header.Set("Authorization", "Bearer "+accessToken)
}
resp, err := client.Do(req)
if err != nil {
return nil, err
}
defer r.closeRespFn(resp.Body)
if resp.StatusCode != http.StatusOK {
// uncomment this for debugging when needed.
// reqBytes, _ := httputil.DumpRequest(req, false)
// fmt.Println(string(reqBytes))
// respBytes, _ := httputil.DumpResponse(resp, true)
// fmt.Println(string(respBytes))
return nil, errors.New(resp.Status)
}
dec := json.NewDecoder(resp.Body)
run gofumpt cleanup across code-base (#14015)
2022-01-02 12:15:06 -05:00
claims := map[string]interface{}{}
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-13 19:22:14 -04:00
if err = dec.Decode(&claims); err != nil {
// uncomment this for debugging when needed.
// reqBytes, _ := httputil.DumpRequest(req, false)
// fmt.Println(string(reqBytes))
// respBytes, _ := httputil.DumpResponse(resp, true)
// fmt.Println(string(respBytes))
return nil, err
}
return claims, nil
}
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP.
2021-07-09 14:17:21 -04:00
// LookupUser lookup userid for the provider
fix crash when config is not properly initialized (#12714) fixes #12709
2021-07-14 21:27:25 -04:00
func (r Config) LookupUser(userid string) (provider.User, error) {
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP.
2021-07-09 14:17:21 -04:00
if r.provider != nil {
user, err := r.provider.LookupUser(userid)
if err != nil && err != provider.ErrAccessTokenExpired {
return user, err
}
if err == provider.ErrAccessTokenExpired {
if err = r.provider.LoginWithClientID(r.ClientID, r.ClientSecret); err != nil {
return user, err
}
user, err = r.provider.LookupUser(userid)
}
return user, err
}
// Without any specific logic for a provider, all accounts
// are always enabled.
return provider.User{ID: userid, Enabled: true}, nil
}
const (
keyCloakVendor = "keycloak"
)
// InitializeProvider initializes if any additional vendor specific
// information was provided, initialization will return an error
// initial login fails.
fix: openid config provider not initialized correctly (#14399) Up until now `InitializeProvider` method of `Config` struct was implemented on a value receiver which is why changes on `provider` field where never reflected to method callers. In order to fix this issue, the method was implemented on a pointer receiver.
2022-02-24 02:42:37 -05:00
func (r *Config) InitializeProvider(kvs config.KVS) error {
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP.
2021-07-09 14:17:21 -04:00
vendor := env.Get(EnvIdentityOpenIDVendor, kvs.Get(Vendor))
if vendor == "" {
return nil
}
switch vendor {
case keyCloakVendor:
adminURL := env.Get(EnvIdentityOpenIDKeyCloakAdminURL, kvs.Get(KeyCloakAdminURL))
realm := env.Get(EnvIdentityOpenIDKeyCloakRealm, kvs.Get(KeyCloakRealm))
return r.InitializeKeycloakProvider(adminURL, realm)
default:
return fmt.Errorf("Unsupport vendor %s", keyCloakVendor)
}
}
// ProviderEnabled returns true if any vendor specific provider is enabled.
fix crash when config is not properly initialized (#12714) fixes #12709
2021-07-14 21:27:25 -04:00
func (r Config) ProviderEnabled() bool {
return r.Enabled && r.provider != nil
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP.
2021-07-09 14:17:21 -04:00
}
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
// GetRoleInfo - returns role ARN and policy if present, otherwise returns false
// boolean.
func (r Config) GetRoleInfo() (arn.ARN, string, bool) {
return r.roleArn, r.RolePolicy, r.RolePolicy != ""
}
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP.
2021-07-09 14:17:21 -04:00
// InitializeKeycloakProvider - initializes keycloak provider
func (r *Config) InitializeKeycloakProvider(adminURL, realm string) error {
var err error
r.provider, err = provider.KeyCloak(
provider.WithAdminURL(adminURL),
provider.WithOpenIDConfig(provider.DiscoveryDoc(r.DiscoveryDoc)),
provider.WithTransport(r.transport),
provider.WithRealm(realm),
)
return err
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
// PopulatePublicKey - populates a new publickey from the JWKS URL.
func (r *Config) PopulatePublicKey() error {
if r.JWKS.URL == nil || r.JWKS.URL.String() == "" {
return nil
}
transport := http.DefaultTransport
if r.transport != nil {
transport = r.transport
}
client := &http.Client{
Transport: transport,
}
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-13 19:22:14 -04:00
r.Lock()
defer r.Unlock()
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
resp, err := client.Get(r.JWKS.URL.String())
if err != nil {
return err
}
defer r.closeRespFn(resp.Body)
if resp.StatusCode != http.StatusOK {
return errors.New(resp.Status)
}
var jwk JWKS
if err = json.NewDecoder(resp.Body).Decode(&jwk); err != nil {
return err
}
for _, key := range jwk.Keys {
r.publicKeys[key.Kid], err = key.DecodePublicKey()
if err != nil {
return err
}
}
return nil
}
// UnmarshalJSON - decodes JSON data.
func (r *Config) UnmarshalJSON(data []byte) error {
// subtype to avoid recursive call to UnmarshalJSON()
type subConfig Config
var sr subConfig
if err := json.Unmarshal(data, &sr); err != nil {
return err
}
ar := Config(sr)
if ar.JWKS.URL == nil || ar.JWKS.URL.String() == "" {
*r = ar
return nil
}
*r = ar
return nil
}
// GetDefaultExpiration - returns the expiration seconds expected.
func GetDefaultExpiration(dsecs string) (time.Duration, error) {
defaultExpiryDuration := time.Duration(60) * time.Minute // Defaults to 1hr.
if dsecs != "" {
expirySecs, err := strconv.ParseInt(dsecs, 10, 64)
if err != nil {
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
return 0, auth.ErrInvalidDuration
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
}
Add client_id support for OpenID (#8579) - One click OpenID authorization on Login page - Add client_id help, config keys etc Thanks to @egorkaru @ihostage for the original work and testing.
2019-11-30 00:37:42 -05:00
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
// The duration, in seconds, of the role session.
// The value can range from 900 seconds (15 minutes)
feat: increase allowed maximum STS expiration timeout to 365 days (#12704)
2021-07-14 03:08:22 -04:00
// up to 365 days.
if expirySecs < 900 || expirySecs > 31536000 {
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
return 0, auth.ErrInvalidDuration
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
}
defaultExpiryDuration = time.Duration(expirySecs) * time.Second
}
return defaultExpiryDuration, nil
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
func updateClaimsExpiry(dsecs string, claims map[string]interface{}) error {
expStr := claims["exp"]
if expStr == "" {
return ErrTokenExpired
}
// No custom duration requested, the claims can be used as is.
if dsecs == "" {
return nil
}
expAt, err := auth.ExpToInt64(expStr)
if err != nil {
return err
}
defaultExpiryDuration, err := GetDefaultExpiration(dsecs)
if err != nil {
return err
}
// Verify if JWT expiry is lesser than default expiry duration,
// if that is the case then set the default expiration to be
// from the JWT expiry claim.
if time.Unix(expAt, 0).UTC().Sub(time.Now().UTC()) < defaultExpiryDuration {
defaultExpiryDuration = time.Unix(expAt, 0).UTC().Sub(time.Now().UTC())
} // else honor the specified expiry duration.
claim exp should be integer (#13582) claim exp can be - float64 - json.Number As per OIDC spec https://openid.net/specs/openid-connect-core-1_0.html#IDToken Avoid using strings since the upstream library only supports these two types now.
2021-11-04 15:03:43 -04:00
claims["exp"] = time.Now().UTC().Add(defaultExpiryDuration).Unix() // update with new expiry.
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
return nil
}
rename all access token to id_tokens
2021-07-28 01:38:12 -04:00
// Validate - validates the id_token.
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-13 19:22:14 -04:00
func (r *Config) Validate(token, accessToken, dsecs string) (map[string]interface{}, error) {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
jp := new(jwtgo.Parser)
Add SHA-3 support (#9308)
2020-04-10 17:59:52 -04:00
jp.ValidMethods = []string{
"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
"RS3256", "RS3384", "RS3512", "ES3256", "ES3384", "ES3512",
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
keyFuncCallback := func(jwtToken *jwtgo.Token) (interface{}, error) {
kid, ok := jwtToken.Header["kid"].(string)
if !ok {
return nil, fmt.Errorf("Invalid kid value %v", jwtToken.Header["kid"])
}
fix crash when config is not properly initialized (#12714) fixes #12709
2021-07-14 21:27:25 -04:00
r.RLock()
defer r.RUnlock()
return r.publicKeys[kid], nil
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
}
var claims jwtgo.MapClaims
jwtToken, err := jp.ParseWithClaims(token, &claims, keyFuncCallback)
if err != nil {
fix: referesh JWKS public keys upon failure (#10368) fixes #10359
2020-08-28 11:15:12 -04:00
// Re-populate the public key in-case the JWKS
// pubkeys are refreshed
fix crash when config is not properly initialized (#12714) fixes #12709
2021-07-14 21:27:25 -04:00
if err = r.PopulatePublicKey(); err != nil {
fix: referesh JWKS public keys upon failure (#10368) fixes #10359
2020-08-28 11:15:12 -04:00
return nil, err
}
jwtToken, err = jwtgo.ParseWithClaims(token, &claims, keyFuncCallback)
if err != nil {
return nil, err
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
}
if !jwtToken.Valid {
return nil, ErrTokenExpired
}
Honor DurationSeconds properly for WebIdentity (#8581) Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2019-11-29 08:27:54 -05:00
if err = updateClaimsExpiry(dsecs, claims); err != nil {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
return nil, err
}
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-13 19:22:14 -04:00
// If claim user info is enabled, get claims from userInfo
// and overwrite them with the claims from JWT.
if r.ClaimUserinfo {
if accessToken == "" {
return nil, errors.New("access_token is mandatory if user_info claim is enabled")
}
uclaims, err := r.UserInfo(accessToken)
if err != nil {
return nil, err
}
for k, v := range uclaims {
if _, ok := claims[k]; !ok { // only add to claims not update it.
claims[k] = v
}
}
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
return claims, nil
}
// ID returns the provider name and authentication type.
fix crash when config is not properly initialized (#12714) fixes #12709
2021-07-14 21:27:25 -04:00
func (Config) ID() ID {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
return "jwt"
}
Add internal IDP and OIDC users support for site-replication (#14041) - This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2022-01-06 18:52:43 -05:00
// GetSettings - fetches OIDC settings for site-replication related validation.
// NOTE that region must be populated by caller as this package does not know.
func (r *Config) GetSettings() madmin.OpenIDSettings {
res := madmin.OpenIDSettings{}
if !r.Enabled {
return res
}
hashedSecret := ""
{
h := sha256.New()
h.Write([]byte(r.ClientSecret))
bs := h.Sum(nil)
hashedSecret = base64.RawURLEncoding.EncodeToString(bs)
}
if r.RolePolicy != "" {
res.Roles = make(map[string]madmin.OpenIDProviderSettings)
res.Roles[r.roleArn.String()] = madmin.OpenIDProviderSettings{
ClaimUserinfoEnabled: r.ClaimUserinfo,
RolePolicy: r.RolePolicy,
ClientID: r.ClientID,
HashedClientSecret: hashedSecret,
}
} else {
res.ClaimProvider = madmin.OpenIDProviderSettings{
ClaimName: r.ClaimName,
ClaimUserinfoEnabled: r.ClaimUserinfo,
ClientID: r.ClientID,
HashedClientSecret: hashedSecret,
}
}
return res
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
// OpenID keys and envs.
const (
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-13 19:22:14 -04:00
JwksURL = "jwks_url"
ConfigURL = "config_url"
ClaimName = "claim_name"
ClaimUserinfo = "claim_userinfo"
ClaimPrefix = "claim_prefix"
ClientID = "client_id"
ClientSecret = "client_secret"
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
RolePolicy = "role_policy"
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-13 19:22:14 -04:00
support dynamic redirect_uri based on incoming 'host' header (#13666) This feature is useful in situations when console is exposed over multiple intranent or internet entities when users are connecting over local IP v/s going through load balancer. Related console work was merged here https://github.com/minio/console/commit/373bfbfe3f16e6f7d376fb9765a4610d76cf15a2
2021-11-16 21:40:39 -05:00
Vendor = "vendor"
Scopes = "scopes"
RedirectURI = "redirect_uri"
RedirectURIDynamic = "redirect_uri_dynamic"
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP.
2021-07-09 14:17:21 -04:00
// Vendor specific ENV only enabled if the Vendor matches == "vendor"
KeyCloakRealm = "keycloak_realm"
KeyCloakAdminURL = "keycloak_admin_url"
support dynamic redirect_uri based on incoming 'host' header (#13666) This feature is useful in situations when console is exposed over multiple intranent or internet entities when users are connecting over local IP v/s going through load balancer. Related console work was merged here https://github.com/minio/console/commit/373bfbfe3f16e6f7d376fb9765a4610d76cf15a2
2021-11-16 21:40:39 -05:00
EnvIdentityOpenIDVendor = "MINIO_IDENTITY_OPENID_VENDOR"
EnvIdentityOpenIDClientID = "MINIO_IDENTITY_OPENID_CLIENT_ID"
EnvIdentityOpenIDClientSecret = "MINIO_IDENTITY_OPENID_CLIENT_SECRET"
EnvIdentityOpenIDURL = "MINIO_IDENTITY_OPENID_CONFIG_URL"
EnvIdentityOpenIDClaimName = "MINIO_IDENTITY_OPENID_CLAIM_NAME"
EnvIdentityOpenIDClaimUserInfo = "MINIO_IDENTITY_OPENID_CLAIM_USERINFO"
EnvIdentityOpenIDClaimPrefix = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX"
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
EnvIdentityOpenIDRolePolicy = "MINIO_IDENTITY_OPENID_ROLE_POLICY"
support dynamic redirect_uri based on incoming 'host' header (#13666) This feature is useful in situations when console is exposed over multiple intranent or internet entities when users are connecting over local IP v/s going through load balancer. Related console work was merged here https://github.com/minio/console/commit/373bfbfe3f16e6f7d376fb9765a4610d76cf15a2
2021-11-16 21:40:39 -05:00
EnvIdentityOpenIDRedirectURI = "MINIO_IDENTITY_OPENID_REDIRECT_URI"
EnvIdentityOpenIDRedirectURIDynamic = "MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC"
EnvIdentityOpenIDScopes = "MINIO_IDENTITY_OPENID_SCOPES"
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP.
2021-07-09 14:17:21 -04:00
// Vendor specific ENVs only enabled if the Vendor matches == "vendor"
EnvIdentityOpenIDKeyCloakRealm = "MINIO_IDENTITY_OPENID_KEYCLOAK_REALM"
EnvIdentityOpenIDKeyCloakAdminURL = "MINIO_IDENTITY_OPENID_KEYCLOAK_ADMIN_URL"
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
)
// DiscoveryDoc - parses the output from openid-configuration
// for example https://accounts.google.com/.well-known/openid-configuration
type DiscoveryDoc struct {
Issuer string `json:"issuer,omitempty"`
AuthEndpoint string `json:"authorization_endpoint,omitempty"`
TokenEndpoint string `json:"token_endpoint,omitempty"`
UserInfoEndpoint string `json:"userinfo_endpoint,omitempty"`
RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
JwksURI string `json:"jwks_uri,omitempty"`
ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`
IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
ScopesSupported []string `json:"scopes_supported,omitempty"`
TokenEndpointAuthMethods []string `json:"token_endpoint_auth_methods_supported,omitempty"`
ClaimsSupported []string `json:"claims_supported,omitempty"`
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
}
func parseDiscoveryDoc(u *xnet.URL, transport *http.Transport, closeRespFn func(io.ReadCloser)) (DiscoveryDoc, error) {
d := DiscoveryDoc{}
req, err := http.NewRequest(http.MethodGet, u.String(), nil)
if err != nil {
return d, err
}
clnt := http.Client{
Transport: transport,
}
resp, err := clnt.Do(req)
if err != nil {
return d, err
}
defer closeRespFn(resp.Body)
if resp.StatusCode != http.StatusOK {
return d, err
}
dec := json.NewDecoder(resp.Body)
if err = dec.Decode(&d); err != nil {
return d, err
}
return d, nil
}
// DefaultKVS - default config for OpenID config
var (
DefaultKVS = config.KVS{
Order all keys in config (#8541) New changes - return default values when sub-sys is not configured. - state is hidden parameter now - remove worm mode to be saved in config
2019-11-20 18:10:24 -05:00
config.KV{
Repurpose Get/SetConfig as import/export support (#8578)
2019-11-26 13:08:25 -05:00
Key: ConfigURL,
Order all keys in config (#8541) New changes - return default values when sub-sys is not configured. - state is hidden parameter now - remove worm mode to be saved in config
2019-11-20 18:10:24 -05:00
Value: "",
},
Add client_id support for OpenID (#8579) - One click OpenID authorization on Login page - Add client_id help, config keys etc Thanks to @egorkaru @ihostage for the original work and testing.
2019-11-30 00:37:42 -05:00
config.KV{
Key: ClientID,
Value: "",
},
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-17 23:27:04 -04:00
config.KV{
Key: ClientSecret,
Value: "",
},
Add custom policy claim name (#8764) In certain organizations policy claim names can be not just 'policy' but also things like 'roles', the value of this field might also be *string* or *[]string* support this as well In this PR we are still not supporting multiple policies per STS account which will require a more comprehensive change.
2020-01-08 20:21:58 -05:00
config.KV{
Key: ClaimName,
Value: iampolicy.PolicyName,
},
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-13 19:22:14 -04:00
config.KV{
Key: ClaimUserinfo,
Value: "",
},
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
config.KV{
Key: RolePolicy,
Value: "",
},
Order all keys in config (#8541) New changes - return default values when sub-sys is not configured. - state is hidden parameter now - remove worm mode to be saved in config
2019-11-20 18:10:24 -05:00
config.KV{
Repurpose Get/SetConfig as import/export support (#8578)
2019-11-26 13:08:25 -05:00
Key: ClaimPrefix,
Order all keys in config (#8541) New changes - return default values when sub-sys is not configured. - state is hidden parameter now - remove worm mode to be saved in config
2019-11-20 18:10:24 -05:00
Value: "",
},
add support for customizing redirect_uri for IDP (#12607)
2021-06-30 19:08:20 -04:00
config.KV{
Key: RedirectURI,
Value: "",
},
support dynamic redirect_uri based on incoming 'host' header (#13666) This feature is useful in situations when console is exposed over multiple intranent or internet entities when users are connecting over local IP v/s going through load balancer. Related console work was merged here https://github.com/minio/console/commit/373bfbfe3f16e6f7d376fb9765a4610d76cf15a2
2021-11-16 21:40:39 -05:00
config.KV{
Key: RedirectURIDynamic,
Value: "off",
},
fix: support client customized scopes for OpenID (#9880) Fixes #9238
2020-06-22 15:08:50 -04:00
config.KV{
Key: Scopes,
Value: "",
},
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
}
)
fix: remove deprecated jwks_url from config KV (#13477)
2021-10-20 14:31:09 -04:00
// Enabled returns if configURL is enabled.
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-04 18:32:37 -05:00
func Enabled(kvs config.KVS) bool {
fix: remove deprecated jwks_url from config KV (#13477)
2021-10-20 14:31:09 -04:00
return kvs.Get(ConfigURL) != ""
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-04 18:32:37 -05:00
}
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
// LookupConfig lookup jwks from config, override with any ENVs.
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser), serverRegion string) (c Config, err error) {
fix: remove deprecated jwks_url from config KV (#13477)
2021-10-20 14:31:09 -04:00
// remove this since we have removed this already.
kvs.Delete(JwksURL)
Fix review comments and new changes in config (#8515) - Migrate and save only settings which are enabled - Rename logger_http to logger_webhook and logger_http_audit to audit_webhook - No more pretty printing comments, comment is a key=value pair now. - Avoid quotes on values which do not have space in them - `state="on"` is implicit for all SetConfigKV unless specified explicitly as `state="off"` - Disabled IAM users should be disabled always
2019-11-13 20:38:05 -05:00
if err = config.CheckValidKeys(config.IdentityOpenIDSubSys, kvs, DefaultKVS); err != nil {
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
return c, err
}
fix loading config from openid config_url (#8503)
2019-11-11 12:31:46 -05:00
c = Config{
support dynamic redirect_uri based on incoming 'host' header (#13666) This feature is useful in situations when console is exposed over multiple intranent or internet entities when users are connecting over local IP v/s going through load balancer. Related console work was merged here https://github.com/minio/console/commit/373bfbfe3f16e6f7d376fb9765a4610d76cf15a2
2021-11-16 21:40:39 -05:00
RWMutex: &sync.RWMutex{},
ClaimName: env.Get(EnvIdentityOpenIDClaimName, kvs.Get(ClaimName)),
ClaimUserinfo: env.Get(EnvIdentityOpenIDClaimUserInfo, kvs.Get(ClaimUserinfo)) == config.EnableOn,
ClaimPrefix: env.Get(EnvIdentityOpenIDClaimPrefix, kvs.Get(ClaimPrefix)),
RedirectURI: env.Get(EnvIdentityOpenIDRedirectURI, kvs.Get(RedirectURI)),
RedirectURIDynamic: env.Get(EnvIdentityOpenIDRedirectURIDynamic, kvs.Get(RedirectURIDynamic)) == config.EnableOn,
publicKeys: make(map[string]crypto.PublicKey),
ClientID: env.Get(EnvIdentityOpenIDClientID, kvs.Get(ClientID)),
ClientSecret: env.Get(EnvIdentityOpenIDClientSecret, kvs.Get(ClientSecret)),
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
RolePolicy: env.Get(EnvIdentityOpenIDRolePolicy, kvs.Get(RolePolicy)),
support dynamic redirect_uri based on incoming 'host' header (#13666) This feature is useful in situations when console is exposed over multiple intranent or internet entities when users are connecting over local IP v/s going through load balancer. Related console work was merged here https://github.com/minio/console/commit/373bfbfe3f16e6f7d376fb9765a4610d76cf15a2
2021-11-16 21:40:39 -05:00
transport: transport,
closeRespFn: closeRespFn,
fix loading config from openid config_url (#8503)
2019-11-11 12:31:46 -05:00
}
Fix review comments and new changes in config (#8515) - Migrate and save only settings which are enabled - Rename logger_http to logger_webhook and logger_http_audit to audit_webhook - No more pretty printing comments, comment is a key=value pair now. - Avoid quotes on values which do not have space in them - `state="on"` is implicit for all SetConfigKV unless specified explicitly as `state="off"` - Disabled IAM users should be disabled always
2019-11-13 20:38:05 -05:00
configURL := env.Get(EnvIdentityOpenIDURL, kvs.Get(ConfigURL))
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
var configURLDomain string
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
if configURL != "" {
Extend further validation of config values (#8469) - This PR allows config KVS to be validated properly without being affected by ENV overrides, rejects invalid values during set operation - Expands unit tests and refactors the error handling for notification targets, returns error instead of ignoring targets for invalid KVS - Does all the prep-work for implementing safe-mode style operation for MinIO server, introduces a new global variable to toggle safe mode based operations NOTE: this PR itself doesn't provide safe mode operations
2019-10-31 02:39:09 -04:00
c.URL, err = xnet.ParseHTTPURL(configURL)
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
if err != nil {
return c, err
}
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
configURLDomain, _, _ = net.SplitHostPort(c.URL.Host)
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
c.DiscoveryDoc, err = parseDiscoveryDoc(c.URL, transport, closeRespFn)
if err != nil {
return c, err
}
}
fix: set appropriate defaults when new keys added (#8795) A new key was added in identity_openid recently required explicitly for client to set the optional value without that it would be empty, handle this appropriately. Fixes #8787
2020-01-10 19:57:18 -05:00
add userinfo support for OpenID (#12469) Some identity providers like GitLab do not provide information about group membership as part of the identity token claims. They only expose it via OIDC compatible '/oauth/userinfo' endpoint, as described in the OpenID Connect 1.0 sepcification. But this of course requires application to make sure to add additional accessToken, since idToken cannot be re-used to perform the same 'userinfo' call. This is why this is specialized requirement. Gitlab seems to be the only OpenID vendor that requires this support for the time being. fixes #12367
2021-09-13 19:22:14 -04:00
if c.ClaimUserinfo && configURL == "" {
return c, errors.New("please specify config_url to enable fetching claims from UserInfo endpoint")
}
fix: support client customized scopes for OpenID (#9880) Fixes #9238
2020-06-22 15:08:50 -04:00
if scopeList := env.Get(EnvIdentityOpenIDScopes, kvs.Get(Scopes)); scopeList != "" {
var scopes []string
for _, scope := range strings.Split(scopeList, ",") {
scope = strings.TrimSpace(scope)
if scope == "" {
return c, config.Errorf("empty scope value is not allowed '%s', please refer to our documentation", scopeList)
}
scopes = append(scopes, scope)
}
// Replace the discovery document scopes by client customized scopes.
c.DiscoveryDoc.ScopesSupported = scopes
}
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
// Check if claim name is the non-default value and role policy is set.
if c.ClaimName != iampolicy.PolicyName && c.RolePolicy != "" {
// In the unlikely event that the user specifies
// `iampolicy.PolicyName` as the claim name explicitly and sets
// a role policy, this check is thwarted, but we will be using
// the role policy anyway.
return c, config.Errorf("Role Policy and Claim Name cannot both be set.")
}
if c.RolePolicy != "" {
// RolePolicy is valided by IAM System during its
// initialization.
// Generate role ARN as combination of provider domain and
// prefix of client ID.
domain := configURLDomain
if domain == "" {
// Attempt to parse the JWKs URI.
domain, _, _ = net.SplitHostPort(c.JWKS.URL.Host)
if domain == "" {
return c, config.Errorf("unable to generate a domain from the OpenID config.")
}
}
Ensure that role ARNs don't collide (#13817) This is to prepare for multiple providers enhancement.
2021-12-03 16:15:56 -05:00
if c.ClientID == "" {
return c, config.Errorf("client ID must not be empty")
}
// We set the resource ID of the role arn as a hash of client
// ID, so we can get a short roleARN that stays the same on
// restart.
var resourceID string
{
h := sha1.New()
h.Write([]byte(c.ClientID))
bs := h.Sum(nil)
resourceID = base64.RawURLEncoding.EncodeToString(bs)
Add role ARN support for OIDC identity provider (#13651) - Allows setting a role policy parameter when configuring OIDC provider - When role policy is set, the server prints a role ARN usable in STS API requests - The given role policy is applied to STS API requests when the roleARN parameter is provided. - Service accounts for role policy are also possible and work as expected.
2021-11-26 22:22:40 -05:00
}
c.roleArn, err = arn.NewIAMRoleARN(resourceID, serverRegion)
if err != nil {
return c, config.Errorf("unable to generate ARN from the OpenID config: %v", err)
}
fix: set appropriate defaults when new keys added (#8795) A new key was added in identity_openid recently required explicitly for client to set the optional value without that it would be empty, handle this appropriately. Fixes #8787
2020-01-10 19:57:18 -05:00
}
fix: remove deprecated jwks_url from config KV (#13477)
2021-10-20 14:31:09 -04:00
jwksURL := c.DiscoveryDoc.JwksURI
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 03:04:39 -04:00
if jwksURL == "" {
return c, nil
}
Extend further validation of config values (#8469) - This PR allows config KVS to be validated properly without being affected by ENV overrides, rejects invalid values during set operation - Expands unit tests and refactors the error handling for notification targets, returns error instead of ignoring targets for invalid KVS - Does all the prep-work for implementing safe-mode style operation for MinIO server, introduces a new global variable to toggle safe mode based operations NOTE: this PR itself doesn't provide safe mode operations
2019-10-31 02:39:09 -04:00
c.JWKS.URL, err = xnet.ParseHTTPURL(jwksURL)
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 03:04:39 -04:00
if err != nil {
return c, err
}
Add custom policy claim name (#8764) In certain organizations policy claim names can be not just 'policy' but also things like 'roles', the value of this field might also be *string* or *[]string* support this as well In this PR we are still not supporting multiple policies per STS account which will require a more comprehensive change.
2020-01-08 20:21:58 -05:00
Add etcd part of config support, add noColor/json support (#8439) - Add color/json mode support for get/help commands - Support ENV help for all sub-systems - Add support for etcd as part of config
2019-10-30 03:04:39 -04:00
if err = c.PopulatePublicKey(); err != nil {
return c, err
}
Add custom policy claim name (#8764) In certain organizations policy claim names can be not just 'policy' but also things like 'roles', the value of this field might also be *string* or *[]string* support this as well In this PR we are still not supporting multiple policies per STS account which will require a more comprehensive change.
2020-01-08 20:21:58 -05:00
feat: Add support to poll users on external SSO (#12592) Additional support for vendor-specific admin API integrations for OpenID, to ensure validity of credentials on MinIO. Every 5minutes check for validity of credentials on MinIO with vendor specific IDP.
2021-07-09 14:17:21 -04:00
if err = c.InitializeProvider(kvs); err != nil {
return c, err
}
fix crash when config is not properly initialized (#12714) fixes #12709
2021-07-14 21:27:25 -04:00
c.Enabled = true
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
fix crash when config is not properly initialized (#12714) fixes #12709
2021-07-14 21:27:25 -04:00
return c, nil
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 01:59:13 -04:00
}