Add internal IDP and OIDC users support for site-replication (#14041)

- This allows site-replication to be configured when using OpenID or the internal IDentity Provider. - Internal IDP IAM users and groups will now be replicated to all members of the set of replicated sites. - When using OpenID as the external identity provider, STS and service accounts are replicated. - Currently this change dis-allows root service accounts from being replicated (TODO: discuss security implications).
2025-11-07 21:02:58 -05:00 · 2022-01-06 15:52:43 -08:00
parent f68bd37acf
commit 1981fe2072
8 changed files with 219 additions and 43 deletions
--- a/internal/config/identity/openid/jwt.go
+++ b/internal/config/identity/openid/jwt.go
@@ -20,6 +20,7 @@ package openid
 import (
 	"crypto"
 	"crypto/sha1"
+	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -33,6 +34,7 @@ import (
 	"time"

 	jwtgo "github.com/golang-jwt/jwt/v4"
+	"github.com/minio/madmin-go"
 	"github.com/minio/minio/internal/arn"
 	"github.com/minio/minio/internal/auth"
 	"github.com/minio/minio/internal/config"
@@ -369,6 +371,40 @@ func (Config) ID() ID {
 	return "jwt"
 }

+// GetSettings - fetches OIDC settings for site-replication related validation.
+// NOTE that region must be populated by caller as this package does not know.
+func (r *Config) GetSettings() madmin.OpenIDSettings {
+	res := madmin.OpenIDSettings{}
+	if !r.Enabled {
+		return res
+	}
+
+	hashedSecret := ""
+	{
+		h := sha256.New()
+		h.Write([]byte(r.ClientSecret))
+		bs := h.Sum(nil)
+		hashedSecret = base64.RawURLEncoding.EncodeToString(bs)
+	}
+	if r.RolePolicy != "" {
+		res.Roles = make(map[string]madmin.OpenIDProviderSettings)
+		res.Roles[r.roleArn.String()] = madmin.OpenIDProviderSettings{
+			ClaimUserinfoEnabled: r.ClaimUserinfo,
+			RolePolicy:           r.RolePolicy,
+			ClientID:             r.ClientID,
+			HashedClientSecret:   hashedSecret,
+		}
+	} else {
+		res.ClaimProvider = madmin.OpenIDProviderSettings{
+			ClaimName:            r.ClaimName,
+			ClaimUserinfoEnabled: r.ClaimUserinfo,
+			ClientID:             r.ClientID,
+			HashedClientSecret:   hashedSecret,
+		}
+	}
+	return res
+}
+
 // OpenID keys and envs.
 const (
 	JwksURL       = "jwks_url"