sr: use service account cred for claims check (#19209)

PR #19111 overlaid service account secret with site replicator secret
during token claims check.

Fixes : #19206

cmd/auth-handler.go

@@ -300,19 +300,21 @@ func checkClaimsFromToken(r *http.Request, cred auth.Credentials) (map[string]in
 	}
 
 	secret := globalActiveCred.SecretKey
+	var err error
+	if globalSiteReplicationSys.isEnabled() && cred.AccessKey != siteReplicatorSvcAcc {
+		if cred.ParentUser != globalActiveCred.AccessKey {
+			secret, err = getTokenSigningKey()
+			if err != nil {
+				return nil, toAPIErrorCode(r.Context(), err)
+			}
+		}
+	}
 	if cred.IsServiceAccount() {
 		token = cred.SessionToken
 		secret = cred.SecretKey
 	}
 
 	if token != "" {
-		var err error
-		if globalSiteReplicationSys.isEnabled() && cred.AccessKey != siteReplicatorSvcAcc {
-			secret, err = getTokenSigningKey()
-			if err != nil {
-				return nil, toAPIErrorCode(r.Context(), err)
-			}
-		}
 		claims, err := getClaimsFromTokenWithSecret(token, secret)
 		if err != nil {
 			return nil, toAPIErrorCode(r.Context(), err)

docs/site-replication/run-multi-site-minio-idp.sh

@@ -164,8 +164,21 @@ if [ $? -ne 0 ]; then
 	exit_1
 fi
 
+./mc admin user svcacct add minio2 minio --access-key testsvc2 --secret-key testsvc123
+if [ $? -ne 0 ]; then
+	echo "adding root svc account testsvc2 failed, exiting.."
+	exit_1
+fi
+
 sleep 10
 
+export MC_HOST_rootsvc=http://testsvc2:testsvc123@localhost:9002
+./mc ls rootsvc
+if [ $? -ne 0 ]; then
+	echo "root service account not inherited root permissions, exiting.."
+	exit_1
+fi
+
 ./mc admin user svcacct info minio1 testsvc
 if [ $? -ne 0 ]; then
 	echo "svc account not mirrored, exiting.."