Updates the usage documentation of OpenID custom scopes (#9902)

docs/sts/keycloak.md

@@ -57,6 +57,7 @@ Set `identity_openid` config with `config_url`, `client_id` and restart MinIO
 ```
 ~ mc admin config set myminio identity_openid config_url="http://localhost:8080/auth/realms/demo/.well-known/openid-configuration" client_id="account"
 ```
+> Note: You can configure the `scopes` parameter to restrict the OpenID scopes requested by minio to the IdP, for example, `"openid,policy_role_attribute"`, being `policy_role_attribute` a client_scope / client_mapper that maps a role attribute called policy to a `policy` claim returned by Keycloak
 
 Once successfully set restart the MinIO instance.
 ```
@@ -87,6 +88,8 @@ This will open the login page of keycloak, upon successful login, STS credential
 }
 ```
 
+> Note: You can use the `-cscopes` parameter to restrict the requested scopes, for example to `"openid,policy_role_attribute"`, being `policy_role_attribute` a client_scope / client_mapper that maps a role attribute called policy to a `policy` claim returned by Keycloak.
+
 These credentials can now be used to perform MinIO API operations.
 
 ## 5. Using MinIO Browser

docs/sts/web-identity.go

@@ -30,6 +30,7 @@ import (
 	"log"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"
 
 	"golang.org/x/oauth2"
@@ -79,6 +80,7 @@ var (
 	configEndpoint string
 	clientID       string
 	clientSec      string
+	clientScopes   string
 	port           int
 )
 
@@ -131,6 +133,7 @@ func init() {
 		"OpenID discovery document endpoint")
 	flag.StringVar(&clientID, "cid", "", "Client ID")
 	flag.StringVar(&clientSec, "csec", "", "Client Secret")
+	flag.StringVar(&clientScopes, "cscopes", "openid", "Client Scopes")
 	flag.IntVar(&port, "port", 8080, "Port")
 }
 
@@ -148,6 +151,11 @@ func main() {
 		return
 	}
 
+	scopes :=  ddoc.ScopesSupported
+	if clientScopes != "" {
+		scopes = strings.Split(clientScopes, ",");
+	}
+
 	ctx := context.Background()
 
 	config := oauth2.Config{
@@ -158,7 +166,7 @@ func main() {
 			TokenURL: ddoc.TokenEndpoint,
 		},
 		RedirectURL: fmt.Sprintf("http://localhost:%d/oauth2/callback", port),
-		Scopes:      ddoc.ScopesSupported,
+		Scopes:      scopes,
 	}
 
 	state := randomState()

docs/sts/web-identity.md

@@ -95,6 +95,8 @@ export MINIO_ACCESS_KEY=minio
 export MINIO_SECRET_KEY=minio123
 export MINIO_IDENTITY_OPENID_CONFIG_URL=https://accounts.google.com/.well-known/openid-configuration
 export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
+# Optional: Allow to specify the requested OpenID scopes (OpenID only requires the `openid` scope)
+#export MINIO_IDENTITY_OPENID_SCOPES="openid,profile,email"
 minio server /mnt/export
 ```