mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
support dynamic redirect_uri based on incoming 'host' header (#13666)
This feature is useful in situations when console is exposed
over multiple intranet or internet entities when users are
connecting over local IP vs. going through load balancer.
Related console work was merged here
373bfbfe3f
parent
367cb48096
commit
8378bc9958
@ -174,7 +174,12 @@ func minioConfigToConsoleFeatures() {
|
|||||||
os.Setenv("CONSOLE_IDP_HMAC_PASSPHRASE", globalOpenIDConfig.ClientID)
|
os.Setenv("CONSOLE_IDP_HMAC_PASSPHRASE", globalOpenIDConfig.ClientID)
|
||||||
os.Setenv("CONSOLE_IDP_SCOPES", strings.Join(globalOpenIDConfig.DiscoveryDoc.ScopesSupported, ","))
|
os.Setenv("CONSOLE_IDP_SCOPES", strings.Join(globalOpenIDConfig.DiscoveryDoc.ScopesSupported, ","))
|
||||||
if globalOpenIDConfig.ClaimUserinfo {
|
if globalOpenIDConfig.ClaimUserinfo {
|
||||||
os.Setenv("CONSOLE_IDP_USERINFO", "on")
|
os.Setenv("CONSOLE_IDP_USERINFO", config.EnableOn)
|
||||||
|
}
|
||||||
|
if globalOpenIDConfig.RedirectURIDynamic {
|
||||||
|
// Enable dynamic redirect-uri's based on incoming 'host' header,
|
||||||
|
// Overrides any other callback URL.
|
||||||
|
os.Setenv("CONSOLE_IDP_CALLBACK_DYNAMIC", config.EnableOn)
|
||||||
}
|
}
|
||||||
if globalOpenIDConfig.RedirectURI != "" {
|
if globalOpenIDConfig.RedirectURI != "" {
|
||||||
os.Setenv("CONSOLE_IDP_CALLBACK", globalOpenIDConfig.RedirectURI)
|
os.Setenv("CONSOLE_IDP_CALLBACK", globalOpenIDConfig.RedirectURI)
|
||||||
|
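Review bot: The comment added above `os.Setenv("CONSOLE_IDP_CALLBACK_DYNAMIC", config.EnableOn)` does not say that the Host header is client-supplied, so with this switch on the `redirect_uri` sent to the identity provider is only as trustworthy as whatever sets Host in front of the console. Suggest adding `// Host is client-controlled: enable only behind a proxy that sets or validates it, and register every resulting callback URL with the IdP.`; the one-line help text for `RedirectURIDynamic` further down the page would benefit from the same caveat. The comment also says the setting overrides any other callback URL, but the `if globalOpenIDConfig.RedirectURI != ""` block that follows still exports `CONSOLE_IDP_CALLBACK`, so the precedence is decided in console code that this diff does not show. The function body continues outside the hunk.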
4
go.mod
4
go.mod
@ -44,14 +44,14 @@ require (
|
|||||||
github.com/lib/pq v1.9.0
|
github.com/lib/pq v1.9.0
|
||||||
github.com/miekg/dns v1.1.43
|
github.com/miekg/dns v1.1.43
|
||||||
github.com/minio/cli v1.22.0
|
github.com/minio/cli v1.22.0
|
||||||
github.com/minio/console v0.12.3
|
github.com/minio/console v0.12.4-0.20211116014825-f5234d283099
|
||||||
github.com/minio/csvparser v1.0.0
|
github.com/minio/csvparser v1.0.0
|
||||||
github.com/minio/highwayhash v1.0.2
|
github.com/minio/highwayhash v1.0.2
|
||||||
github.com/minio/kes v0.14.0
|
github.com/minio/kes v0.14.0
|
||||||
github.com/minio/madmin-go v1.1.12
|
github.com/minio/madmin-go v1.1.12
|
||||||
github.com/minio/minio-go/v7 v7.0.15
|
github.com/minio/minio-go/v7 v7.0.15
|
||||||
github.com/minio/parquet-go v1.1.0
|
github.com/minio/parquet-go v1.1.0
|
||||||
github.com/minio/pkg v1.1.6
|
github.com/minio/pkg v1.1.7
|
||||||
github.com/minio/selfupdate v0.3.1
|
github.com/minio/selfupdate v0.3.1
|
||||||
github.com/minio/sha256-simd v1.0.0
|
github.com/minio/sha256-simd v1.0.0
|
||||||
github.com/minio/simdjson-go v0.2.1
|
github.com/minio/simdjson-go v0.2.1
|
||||||
|
9
go.sum
9
go.sum
@ -1069,8 +1069,8 @@ github.com/minio/cli v1.22.0 h1:VTQm7lmXm3quxO917X3p+el1l0Ca5X3S4PM2ruUYO68=
|
|||||||
github.com/minio/cli v1.22.0/go.mod h1:bYxnK0uS629N3Bq+AOZZ+6lwF77Sodk4+UL9vNuXhOY=
|
github.com/minio/cli v1.22.0/go.mod h1:bYxnK0uS629N3Bq+AOZZ+6lwF77Sodk4+UL9vNuXhOY=
|
||||||
github.com/minio/colorjson v1.0.1 h1:+hvfP8C1iMB95AT+ZFDRE+Knn9QPd9lg0CRJY9DRpos=
|
github.com/minio/colorjson v1.0.1 h1:+hvfP8C1iMB95AT+ZFDRE+Knn9QPd9lg0CRJY9DRpos=
|
||||||
github.com/minio/colorjson v1.0.1/go.mod h1:oPM3zQQY8Gz9NGtgvuBEjQ+gPZLKAGc7T+kjMlwtOgs=
|
github.com/minio/colorjson v1.0.1/go.mod h1:oPM3zQQY8Gz9NGtgvuBEjQ+gPZLKAGc7T+kjMlwtOgs=
|
||||||
github.com/minio/console v0.12.3 h1:YJbe0FVSrvZKu26a3/1qYUvznH1pqc1nWlOabGAXUPQ=
|
github.com/minio/console v0.12.4-0.20211116014825-f5234d283099 h1:9Sh/Su9RZDUO97lGEh3glw5aVyhvQY7EZGVhGHoy7lI=
|
||||||
github.com/minio/console v0.12.3/go.mod h1:tPtNL+4dcb/2sJkNNNusGi4mSnfsgzQzRUZa5QD7dTo=
|
github.com/minio/console v0.12.4-0.20211116014825-f5234d283099/go.mod h1:byf3D60Fe3/5oVrypMCXd/CkJcADc3b4C/a8Sj7AgNE=
|
||||||
github.com/minio/csvparser v1.0.0 h1:xJEHcYK8ZAjeW4hNV9Zu30u+/2o4UyPnYgyjWp8b7ZU=
|
github.com/minio/csvparser v1.0.0 h1:xJEHcYK8ZAjeW4hNV9Zu30u+/2o4UyPnYgyjWp8b7ZU=
|
||||||
github.com/minio/csvparser v1.0.0/go.mod h1:lKXskSLzPgC5WQyzP7maKH7Sl1cqvANXo9YCto8zbtM=
|
github.com/minio/csvparser v1.0.0/go.mod h1:lKXskSLzPgC5WQyzP7maKH7Sl1cqvANXo9YCto8zbtM=
|
||||||
github.com/minio/direct-csi v1.3.5-0.20210601185811-f7776f7961bf h1:wylCc/PdvdTIqYqVNEU9LJAZBanvfGY1TwTnjM3zQaA=
|
github.com/minio/direct-csi v1.3.5-0.20210601185811-f7776f7961bf h1:wylCc/PdvdTIqYqVNEU9LJAZBanvfGY1TwTnjM3zQaA=
|
||||||
@ -1107,9 +1107,8 @@ github.com/minio/pkg v1.0.3/go.mod h1:obU54TZ9QlMv0TRaDgQ/JTzf11ZSXxnSfLrm4tMtBP
|
|||||||
github.com/minio/pkg v1.0.4/go.mod h1:obU54TZ9QlMv0TRaDgQ/JTzf11ZSXxnSfLrm4tMtBP8=
|
github.com/minio/pkg v1.0.4/go.mod h1:obU54TZ9QlMv0TRaDgQ/JTzf11ZSXxnSfLrm4tMtBP8=
|
||||||
github.com/minio/pkg v1.0.11/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14=
|
github.com/minio/pkg v1.0.11/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14=
|
||||||
github.com/minio/pkg v1.1.3/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14=
|
github.com/minio/pkg v1.1.3/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14=
|
||||||
github.com/minio/pkg v1.1.5/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14=
|
github.com/minio/pkg v1.1.7 h1:v+2/ol/h1Sl0iJdOFN1Srk4CzksMIDsfugXCZYb5L7Y=
|
||||||
github.com/minio/pkg v1.1.6 h1:rCVrsniDzb031SRwSXtxxJQPntItQR02IXYgM6CirOw=
|
github.com/minio/pkg v1.1.7/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14=
|
||||||
github.com/minio/pkg v1.1.6/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14=
|
|
||||||
github.com/minio/selfupdate v0.3.1 h1:BWEFSNnrZVMUWXbXIgLDNDjbejkmpAmZvy/nCz1HlEs=
|
github.com/minio/selfupdate v0.3.1 h1:BWEFSNnrZVMUWXbXIgLDNDjbejkmpAmZvy/nCz1HlEs=
|
||||||
github.com/minio/selfupdate v0.3.1/go.mod h1:b8ThJzzH7u2MkF6PcIra7KaXO9Khf6alWPvMSyTDCFM=
|
github.com/minio/selfupdate v0.3.1/go.mod h1:b8ThJzzH7u2MkF6PcIra7KaXO9Khf6alWPvMSyTDCFM=
|
||||||
github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
|
github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
|
||||||
|
@ -50,18 +50,6 @@ var (
|
|||||||
Optional: true,
|
Optional: true,
|
||||||
Type: "on|off",
|
Type: "on|off",
|
||||||
},
|
},
|
||||||
config.HelpKV{
|
|
||||||
Key: ClaimPrefix,
|
|
||||||
Description: `[DEPRECATED use 'claim_name'] JWT claim namespace prefix e.g. "customer1/"`,
|
|
||||||
Optional: true,
|
|
||||||
Type: "string",
|
|
||||||
},
|
|
||||||
config.HelpKV{
|
|
||||||
Key: RedirectURI,
|
|
||||||
Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback`,
|
|
||||||
Optional: true,
|
|
||||||
Type: "string",
|
|
||||||
},
|
|
||||||
config.HelpKV{
|
config.HelpKV{
|
||||||
Key: Scopes,
|
Key: Scopes,
|
||||||
Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"`,
|
Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"`,
|
||||||
@ -86,6 +74,24 @@ var (
|
|||||||
Optional: true,
|
Optional: true,
|
||||||
Type: "string",
|
Type: "string",
|
||||||
},
|
},
|
||||||
|
config.HelpKV{
|
||||||
|
Key: RedirectURIDynamic,
|
||||||
|
Description: `Enable 'Host' header based dynamic redirect URI`,
|
||||||
|
Optional: true,
|
||||||
|
Type: "on|off",
|
||||||
|
},
|
||||||
|
config.HelpKV{
|
||||||
|
Key: ClaimPrefix,
|
||||||
|
Description: `[DEPRECATED use 'claim_name'] JWT claim namespace prefix e.g. "customer1/"`,
|
||||||
|
Optional: true,
|
||||||
|
Type: "string",
|
||||||
|
},
|
||||||
|
config.HelpKV{
|
||||||
|
Key: RedirectURI,
|
||||||
|
Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback`,
|
||||||
|
Optional: true,
|
||||||
|
Type: "string",
|
||||||
|
},
|
||||||
config.HelpKV{
|
config.HelpKV{
|
||||||
Key: config.Comment,
|
Key: config.Comment,
|
||||||
Description: config.DefaultComment,
|
Description: config.DefaultComment,
|
||||||
|
@ -47,14 +47,15 @@ type Config struct {
|
|||||||
JWKS struct {
|
JWKS struct {
|
||||||
URL *xnet.URL `json:"url"`
|
URL *xnet.URL `json:"url"`
|
||||||
} `json:"jwks"`
|
} `json:"jwks"`
|
||||||
URL *xnet.URL `json:"url,omitempty"`
|
URL *xnet.URL `json:"url,omitempty"`
|
||||||
ClaimPrefix string `json:"claimPrefix,omitempty"`
|
ClaimPrefix string `json:"claimPrefix,omitempty"`
|
||||||
ClaimName string `json:"claimName,omitempty"`
|
ClaimName string `json:"claimName,omitempty"`
|
||||||
ClaimUserinfo bool `json:"claimUserInfo,omitempty"`
|
ClaimUserinfo bool `json:"claimUserInfo,omitempty"`
|
||||||
RedirectURI string `json:"redirectURI,omitempty"`
|
RedirectURI string `json:"redirectURI,omitempty"`
|
||||||
DiscoveryDoc DiscoveryDoc
|
RedirectURIDynamic bool `json:"redirectURIDynamic"`
|
||||||
ClientID string
|
DiscoveryDoc DiscoveryDoc
|
||||||
ClientSecret string
|
ClientID string
|
||||||
|
ClientSecret string
|
||||||
|
|
||||||
provider provider.Provider
|
provider provider.Provider
|
||||||
publicKeys map[string]crypto.PublicKey
|
publicKeys map[string]crypto.PublicKey
|
||||||
@ -366,23 +367,25 @@ const (
|
|||||||
ClientID = "client_id"
|
ClientID = "client_id"
|
||||||
ClientSecret = "client_secret"
|
ClientSecret = "client_secret"
|
||||||
|
|
||||||
Vendor = "vendor"
|
Vendor = "vendor"
|
||||||
Scopes = "scopes"
|
Scopes = "scopes"
|
||||||
RedirectURI = "redirect_uri"
|
RedirectURI = "redirect_uri"
|
||||||
|
RedirectURIDynamic = "redirect_uri_dynamic"
|
||||||
|
|
||||||
// Vendor specific ENV only enabled if the Vendor matches == "vendor"
|
// Vendor specific ENV only enabled if the Vendor matches == "vendor"
|
||||||
KeyCloakRealm = "keycloak_realm"
|
KeyCloakRealm = "keycloak_realm"
|
||||||
KeyCloakAdminURL = "keycloak_admin_url"
|
KeyCloakAdminURL = "keycloak_admin_url"
|
||||||
|
|
||||||
EnvIdentityOpenIDVendor = "MINIO_IDENTITY_OPENID_VENDOR"
|
EnvIdentityOpenIDVendor = "MINIO_IDENTITY_OPENID_VENDOR"
|
||||||
EnvIdentityOpenIDClientID = "MINIO_IDENTITY_OPENID_CLIENT_ID"
|
EnvIdentityOpenIDClientID = "MINIO_IDENTITY_OPENID_CLIENT_ID"
|
||||||
EnvIdentityOpenIDClientSecret = "MINIO_IDENTITY_OPENID_CLIENT_SECRET"
|
EnvIdentityOpenIDClientSecret = "MINIO_IDENTITY_OPENID_CLIENT_SECRET"
|
||||||
EnvIdentityOpenIDURL = "MINIO_IDENTITY_OPENID_CONFIG_URL"
|
EnvIdentityOpenIDURL = "MINIO_IDENTITY_OPENID_CONFIG_URL"
|
||||||
EnvIdentityOpenIDClaimName = "MINIO_IDENTITY_OPENID_CLAIM_NAME"
|
EnvIdentityOpenIDClaimName = "MINIO_IDENTITY_OPENID_CLAIM_NAME"
|
||||||
EnvIdentityOpenIDClaimUserInfo = "MINIO_IDENTITY_OPENID_CLAIM_USERINFO"
|
EnvIdentityOpenIDClaimUserInfo = "MINIO_IDENTITY_OPENID_CLAIM_USERINFO"
|
||||||
EnvIdentityOpenIDClaimPrefix = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX"
|
EnvIdentityOpenIDClaimPrefix = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX"
|
||||||
EnvIdentityOpenIDRedirectURI = "MINIO_IDENTITY_OPENID_REDIRECT_URI"
|
EnvIdentityOpenIDRedirectURI = "MINIO_IDENTITY_OPENID_REDIRECT_URI"
|
||||||
EnvIdentityOpenIDScopes = "MINIO_IDENTITY_OPENID_SCOPES"
|
EnvIdentityOpenIDRedirectURIDynamic = "MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC"
|
||||||
|
EnvIdentityOpenIDScopes = "MINIO_IDENTITY_OPENID_SCOPES"
|
||||||
|
|
||||||
// Vendor specific ENVs only enabled if the Vendor matches == "vendor"
|
// Vendor specific ENVs only enabled if the Vendor matches == "vendor"
|
||||||
EnvIdentityOpenIDKeyCloakRealm = "MINIO_IDENTITY_OPENID_KEYCLOAK_REALM"
|
EnvIdentityOpenIDKeyCloakRealm = "MINIO_IDENTITY_OPENID_KEYCLOAK_REALM"
|
||||||
@ -463,6 +466,10 @@ var (
|
|||||||
Key: RedirectURI,
|
Key: RedirectURI,
|
||||||
Value: "",
|
Value: "",
|
||||||
},
|
},
|
||||||
|
config.KV{
|
||||||
|
Key: RedirectURIDynamic,
|
||||||
|
Value: "off",
|
||||||
|
},
|
||||||
config.KV{
|
config.KV{
|
||||||
Key: Scopes,
|
Key: Scopes,
|
||||||
Value: "",
|
Value: "",
|
||||||
@ -485,16 +492,17 @@ func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io
|
|||||||
}
|
}
|
||||||
|
|
||||||
c = Config{
|
c = Config{
|
||||||
RWMutex: &sync.RWMutex{},
|
RWMutex: &sync.RWMutex{},
|
||||||
ClaimName: env.Get(EnvIdentityOpenIDClaimName, kvs.Get(ClaimName)),
|
ClaimName: env.Get(EnvIdentityOpenIDClaimName, kvs.Get(ClaimName)),
|
||||||
ClaimUserinfo: env.Get(EnvIdentityOpenIDClaimUserInfo, kvs.Get(ClaimUserinfo)) == config.EnableOn,
|
ClaimUserinfo: env.Get(EnvIdentityOpenIDClaimUserInfo, kvs.Get(ClaimUserinfo)) == config.EnableOn,
|
||||||
ClaimPrefix: env.Get(EnvIdentityOpenIDClaimPrefix, kvs.Get(ClaimPrefix)),
|
ClaimPrefix: env.Get(EnvIdentityOpenIDClaimPrefix, kvs.Get(ClaimPrefix)),
|
||||||
RedirectURI: env.Get(EnvIdentityOpenIDRedirectURI, kvs.Get(RedirectURI)),
|
RedirectURI: env.Get(EnvIdentityOpenIDRedirectURI, kvs.Get(RedirectURI)),
|
||||||
publicKeys: make(map[string]crypto.PublicKey),
|
RedirectURIDynamic: env.Get(EnvIdentityOpenIDRedirectURIDynamic, kvs.Get(RedirectURIDynamic)) == config.EnableOn,
|
||||||
ClientID: env.Get(EnvIdentityOpenIDClientID, kvs.Get(ClientID)),
|
publicKeys: make(map[string]crypto.PublicKey),
|
||||||
ClientSecret: env.Get(EnvIdentityOpenIDClientSecret, kvs.Get(ClientSecret)),
|
ClientID: env.Get(EnvIdentityOpenIDClientID, kvs.Get(ClientID)),
|
||||||
transport: transport,
|
ClientSecret: env.Get(EnvIdentityOpenIDClientSecret, kvs.Get(ClientSecret)),
|
||||||
closeRespFn: closeRespFn,
|
transport: transport,
|
||||||
|
closeRespFn: closeRespFn,
|
||||||
}
|
}
|
||||||
|
|
||||||
configURL := env.Get(EnvIdentityOpenIDURL, kvs.Get(ConfigURL))
|
configURL := env.Get(EnvIdentityOpenIDURL, kvs.Get(ConfigURL))
|
||||||
|
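Review bot: In `LookupConfig`, `RedirectURIDynamic` and `RedirectURI` are both read into `Config` with no check that they are not set together, so an operator who configures a fixed `redirect_uri` and later turns on `redirect_uri_dynamic` gets no error or log line saying which one wins. A guard after the struct literal such as `if c.RedirectURIDynamic && c.RedirectURI != "" { /* reject or log the conflict */ }` would surface that. The `== config.EnableOn` comparison also treats any value other than `on` as off without reporting it, which fails closed but hides typos in `MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC`. Minor: the new default in the `config.KV` entry is the literal `"off"` while the same commit replaces `"on"` with `config.EnableOn` elsewhere. `LookupConfig` starts and ends outside the hunk.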