diff --git a/cmd/sts-datatypes.go b/cmd/sts-datatypes.go
index ef80431e8..aeb4517b7 100644
--- a/cmd/sts-datatypes.go
+++ b/cmd/sts-datatypes.go
@@ -112,7 +112,7 @@ type WebIdentityResult struct {
 	PackedPolicySize int `xml:",omitempty"`
 
 	// The issuing authority of the web identity token presented. For OpenID Connect
-	// ID tokens, this contains the value of the iss field. For OAuth 2.0 access tokens,
+	// ID tokens, this contains the value of the iss field. For OAuth 2.0 id_tokens,
 	// this contains the value of the ProviderId parameter that was passed in the
 	// AssumeRoleWithWebIdentity request.
 	Provider string `xml:",omitempty"`
@@ -162,7 +162,7 @@ type ClientGrantsResult struct {
 	PackedPolicySize int `xml:",omitempty"`
 
 	// The issuing authority of the web identity token presented. For OpenID Connect
-	// ID tokens, this contains the value of the iss field. For OAuth 2.0 access tokens,
+	// ID tokens, this contains the value of the iss field. For OAuth 2.0 id_tokens,
 	// this contains the value of the ProviderId parameter that was passed in the
 	// AssumeRoleWithClientGrants request.
 	Provider string `xml:",omitempty"`
diff --git a/docs/sts/README.md b/docs/sts/README.md
index 493b174b4..f04c958b9 100644
--- a/docs/sts/README.md
+++ b/docs/sts/README.md
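Review bot: The rewritten comment on the `Provider` field now reads "For OAuth 2.0 id_tokens", but an ID token is an OpenID Connect construct and the OIDC case is already covered by the preceding clause, so the sentence now contrasts ID tokens with themselves; the replaced clause described the remaining case, a plain OAuth 2.0 access token, for which the comment says Provider is taken from the ProviderId request parameter rather than from an iss claim. The same edit is made in the ClientGrantsResult hunk below. Suggest restoring `// ID tokens, this contains the value of the iss field. For OAuth 2.0 access tokens,` in both places, or, if the intent is to document that only ID tokens are accepted, dropping the second sentence rather than relabelling it. Both struct definitions start before and continue after their hunks.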
@@ -11,12 +11,11 @@ Following are advantages for using temporary credentials:
 - Temporary credentials have a limited lifetime, there is no need to rotate them or explicitly revoke them. Expired temporary credentials cannot be reused.
 
 ## Identity Federation
-|AuthN | Description |
-| :---------------------- | ------------------------------------------ |
-| [**Client grants**](https://github.com/minio/minio/blob/master/docs/sts/client-grants.md) | Let applications request `client_grants` using any well-known third party identity provider such as KeyCloak, Okta. This is known as the client grants approach to temporary access. Using this approach helps clients keep MinIO credentials to be secured. MinIO STS supports client grants, tested against identity providers such as KeyCloak, Okta. |
+| AuthN | Description |
+| :---------------------- | ------------------------------------------ |
 | [**WebIdentity**](https://github.com/minio/minio/blob/master/docs/sts/web-identity.md) | Let users request temporary credentials using any OpenID(OIDC) compatible web identity providers such as KeyCloak, Dex, Facebook, Google etc. |
-| [**AssumeRole**](https://github.com/minio/minio/blob/master/docs/sts/assume-role.md) | Let MinIO users request temporary credentials using user access and secret keys. |
-| [**AD/LDAP**](https://github.com/minio/minio/blob/master/docs/sts/ldap.md) | Let AD/LDAP users request temporary credentials using AD/LDAP username and password. |
+| [**AD/LDAP**](https://github.com/minio/minio/blob/master/docs/sts/ldap.md) | Let AD/LDAP users request temporary credentials using AD/LDAP username and password. |
+| [**AssumeRole**](https://github.com/minio/minio/blob/master/docs/sts/assume-role.md) | Let MinIO users request temporary credentials using user access and secret keys. |
 
 ### Understanding JWT Claims
 > NOTE: JWT claims are only meant for WebIdentity and ClientGrants.
@@ -24,7 +23,7 @@ Following are advantages for using temporary credentials:
 > - [**AssumeRole**](https://github.com/minio/minio/blob/master/docs/sts/assume-role.md)
 > - [**AD/LDAP**](https://github.com/minio/minio/blob/master/docs/sts/ldap.md)
 
-The access token received is a signed JSON Web Token (JWT). Use a JWT decoder to decode the access token to access the payload of the token that includes following JWT claims, `policy` claim is mandatory and should be present as part of your JWT claim. Without this claim the generated credentials will not have access to any resources on the server, using these credentials application would receive 'Access Denied' errors.
+The id_token received is a signed JSON Web Token (JWT). Use a JWT decoder to decode the id_token to access the payload of the token that includes following JWT claims, `policy` claim is mandatory and should be present as part of your JWT claim. Without this claim the generated credentials will not have access to any resources on the server, using these credentials application would receive 'Access Denied' errors.
 
 | Claim Name | Type | Claim Value |
 |:----------:|:-------------------------------------------------:|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|
@@ -65,7 +64,7 @@ minio gateway s3
 ```
 
 ### Using WebIdentiy API
-On another terminal run `web-identity.go` a sample client application which obtains JWT access tokens from an identity provider, in our case its Keycloak. Uses the returned access token response to get new temporary credentials from the MinIO server using the STS API call `AssumeRoleWithWebIdentity`.
+On another terminal run `web-identity.go` a sample client application which obtains JWT id_tokens from an identity provider, in our case its Keycloak. Uses the returned id_token response to get new temporary credentials from the MinIO server using the STS API call `AssumeRoleWithWebIdentity`.
 
 ```
 $ go run docs/sts/web-identity.go -cid account -csec 072e7f00-4289-469c-9ab2-bbe843c7f5a8 -config-ep "http://localhost:8080/auth/realms/demo/.well-known/openid-configuration" -port 8888
diff --git a/docs/sts/client-grants.go b/docs/sts/client-grants.go
index 9a19981c7..ea8ba7728 100644
--- a/docs/sts/client-grants.go
+++ b/docs/sts/client-grants.go
@@ -35,7 +35,7 @@ import (
 	"github.com/minio/minio-go/v7/pkg/credentials"
 )
 
-// JWTToken - parses the output from IDP access token.
+// JWTToken - parses the output from IDP id_token.
 type JWTToken struct {
 	AccessToken string `json:"access_token"`
 	Expiry int `json:"expires_in"`
diff --git a/docs/sts/keycloak.md b/docs/sts/keycloak.md
index 409672108..1704e1c54 100644
--- a/docs/sts/keycloak.md
+++ b/docs/sts/keycloak.md
@@ -55,7 +55,7 @@ Before being able to authenticate against the Admin REST API using a client_id a
 - Check that `account` client_id has the role 'admin' assigned in the "Service Account Roles" tab.
 
-After that, you will be able to obtain an access token for the Admin REST API using client_id and client_secret:
+After that, you will be able to obtain an id_token for the Admin REST API using client_id and client_secret:
 
 ```
 curl \
diff --git a/docs/sts/web-identity.md b/docs/sts/web-identity.md
index b441ddb38..32c106424 100644
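Review bot: The new doc comment `// JWTToken - parses the output from IDP id_token.` contradicts the struct it documents: the visible fields decode `access_token` and `expires_in`, which are members of an OAuth 2.0 token endpoint response, and no field tagged id_token appears in the hunk. The struct body continues past the hunk and may carry further fields, but the comment should name what the struct holds rather than relabel the access token, e.g. `// JWTToken - token endpoint response from the IDP (access_token, expires_in, ...).` The Token struct in internal/config/identity/openid/provider/keycloak.go receives the identical comment change over the same `access_token` field and has the same mismatch.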
--- a/docs/sts/web-identity.md
+++ b/docs/sts/web-identity.md
@@ -2,13 +2,13 @@
 
 ## Introduction
 
-Calling AssumeRoleWithWebIdentity does not require the use of MinIO default credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including MinIO default credentials in the application. Instead, the identity of the caller is validated by using a JWT access token from the web identity provider. The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO API operations.
+Calling AssumeRoleWithWebIdentity does not require the use of MinIO default credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including MinIO default credentials in the application. Instead, the identity of the caller is validated by using a JWT id_token from the web identity provider. The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO API operations.
 
 By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, use the optional DurationSeconds parameter to specify the duration of the credentials. This value varies from 900 seconds (15 minutes) up to the maximum session duration of 365 days.
 
 ## API Request Parameters
 ### WebIdentityToken
-The OAuth 2.0 access token that is provided by the web identity provider. Application must get this token by authenticating the user who is using your application with a web identity provider before the application makes an AssumeRoleWithWebIdentity call.
+The OAuth 2.0 id_token that is provided by the web identity provider. Application must get this token by authenticating the user who is using your application with a web identity provider before the application makes an AssumeRoleWithWebIdentity call.
 
 | Params | Value |
 | :-- | :-- |
@@ -120,7 +120,7 @@ $ go run web-identity.go -cid 204367807228-ok7601k6gj1pgge7m09h7d79co8p35xx.apps
 
 - Visit http://localhost:8080, login will direct the user to the Google OAuth2 Auth URL to obtain a permission grant.
 - The redirection URI (callback handler) receives the OAuth2 callback, verifies the state parameter, and obtains a Token.
-- Using the access token the callback handler further talks to Google OAuth2 Token URL to obtain an JWT id_token.
+- Using the id_token the callback handler further talks to Google OAuth2 Token URL to obtain an JWT id_token.
 - Once obtained the JWT id_token is further sent to STS endpoint i.e MinIO to retrieve temporary credentials.
 - Temporary credentials are displayed on the browser upon successful retrieval.
 
diff --git a/docs/sts/wso2.md b/docs/sts/wso2.md
index f9810f011..124d90771 100644
--- a/docs/sts/wso2.md
+++ b/docs/sts/wso2.md
@@ -7,15 +7,15 @@ WSO2 is an Identity Server open source and is released under Apache Software Lic
 - Download WSO2 follow their [installation guide](https://docs.wso2.com/display/IS540/Installation+Guide).
 
 ### 2. Configure WSO2
-Once WSO2 is up and running, configure WSO2 to generate Self contained access tokens. In OAuth 2.0 specification there are primarily two ways to provide access tokens
+Once WSO2 is up and running, configure WSO2 to generate Self contained id_tokens. In OAuth 2.0 specification there are primarily two ways to provide id_tokens
 
-1. The access token is an identifier that is hard to guess. For example, a randomly generated string of sufficient length, that the server handling the protected resource can use to lookup the associated authorization information.
-2. The access token self-contains the authorization information in a manner that can be verified. For example, by encoding authorization information along with a signature into the token.
+1. The id_token is an identifier that is hard to guess. For example, a randomly generated string of sufficient length, that the server handling the protected resource can use to lookup the associated authorization information.
+2. The id_token self-contains the authorization information in a manner that can be verified. For example, by encoding authorization information along with a signature into the token.
 
 WSO2 generates tokens in first style by default, but if to be used with MinIO we should configure WSO2 to provide JWT tokens instead.
 
 ### 3. Generate Self-contained Access Tokens
-By default, a UUID is issued as an access token in WSO2 Identity Server, which is of the first type above. But, it also can be configured to issue a self-contained access token (JWT), which is of the second type above.
+By default, a UUID is issued as an id_token in WSO2 Identity Server, which is of the first type above. But, it also can be configured to issue a self-contained id_token (JWT), which is of the second type above.
 - Open the `/repository/conf/identity/identity.xml` file and uncomment the following entry under `` element.
 ```
@@ -23,7 +23,7 @@ By default, a UUID is issued as an access token in WSO2 Identity Server, which i
 ```
 - Restart the server.
 - Configure an [OAuth service provider](https://docs.wso2.com/display/IS540/Adding+and+Configuring+a+Service+Provider).
-- Initiate an access token request to the WSO2 Identity Server, over a known [grant type](https://docs.wso2.com/display/IS540/OAuth+2.0+Grant+Types). For example, the following cURL command illustrates the syntax of an access token request that can be initiated over the [Client Credentials Grant](https://docs.wso2.com/display/IS540/Client+Credentials+Grant) grant type.
+- Initiate an id_token request to the WSO2 Identity Server, over a known [grant type](https://docs.wso2.com/display/IS540/OAuth+2.0+Grant+Types). For example, the following cURL command illustrates the syntax of an id_token request that can be initiated over the [Client Credentials Grant](https://docs.wso2.com/display/IS540/Client+Credentials+Grant) grant type.
 - Navigate to service provider section, expand Inbound Authentication Configurations and expand OAuth/OpenID Connect Configuration.
 - Copy the OAuth Client Key as the value for ``.
 - Copy the OAuth Client Secret as the value for ``.
@@ -40,7 +40,7 @@ Example:
 curl -u PoEgXP6uVO45IsENRngDXj5Au5Ya:eKsw6z8CtOJVBtrOWvhRWL4TUCga -k -d "grant_type=client_credentials" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
 ```
 
-In response, the self-contained JWT access token will be returned as shown below.
+In response, the self-contained JWT id_token will be returned as shown below.
 ```
 {
 "id_token": "eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJQb0VnWFA2dVZPNDVJc0VOUm5nRFhqNUF1NVlhIiwiYXpwIjoiUG9FZ1hQNnVWTzQ1SXNFTlJuZ0RYajVBdTVZYSIsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImV4cCI6MTUzNDg5MTc3OCwiaWF0IjoxNTM0ODg4MTc4LCJqdGkiOiIxODQ0MzI5Yy1kNjVhLTQ4YTMtODIyOC05ZGY3M2ZlODNkNTYifQ.ELZ8ujk2Xp9xTGgMqnCa5ehuimaAPXWlSCW5QeBbTJIT4M5OB_2XEVIV6p89kftjUdKu50oiYe4SbfrxmLm6NGSGd2qxkjzJK3SRKqsrmVWEn19juj8fz1neKtUdXVHuSZu6ws_bMDy4f_9hN2Jv9dFnkoyeNT54r4jSTJ4A2FzN2rkiURheVVsc8qlm8O7g64Az-5h4UGryyXU4zsnjDCBKYk9jdbEpcUskrFMYhuUlj1RWSASiGhHHHDU5dTRqHkVLIItfG48k_fb-ehU60T7EFWH1JBdNjOxM9oN_yb0hGwOjLUyCUJO_Y7xcd5F4dZzrBg8LffFmvJ09wzHNtQ",
@@ -50,7 +50,7 @@ In response, the self-contained JWT access token will be returned as shown below
 ```
 
 ### 4. JWT Claims
-The access token received is a signed JSON Web Token (JWT). Use a JWT decoder to decode the access token to access the payload of the token that includes following JWT claims:
+The id_token received is a signed JSON Web Token (JWT). Use a JWT decoder to decode the id_token to access the payload of the token that includes following JWT claims:
 
 | Claim Name | Type | Claim Value |
 |:----------:|:--------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|
diff --git a/internal/config/identity/openid/jwt.go b/internal/config/identity/openid/jwt.go
index 8fb100d77..5a137d460 100644
--- a/internal/config/identity/openid/jwt.go
+++ b/internal/config/identity/openid/jwt.go
@@ -233,7 +233,7 @@ func updateClaimsExpiry(dsecs string, claims map[string]interface{}) error {
 	return nil
 }
 
-// Validate - validates the access token.
+// Validate - validates the id_token.
 func (r *Config) Validate(token, dsecs string) (map[string]interface{}, error) {
 	jp := new(jwtgo.Parser)
 	jp.ValidMethods = []string{
diff --git a/internal/config/identity/openid/provider/keycloak.go b/internal/config/identity/openid/provider/keycloak.go
index 49486a0d8..9b44659c0 100644
--- a/internal/config/identity/openid/provider/keycloak.go
+++ b/internal/config/identity/openid/provider/keycloak.go
@@ -27,7 +27,7 @@ import (
 	"sync"
 )
 
-// Token - parses the output from IDP access token.
+// Token - parses the output from IDP id_token.
 type Token struct {
 	AccessToken string `json:"access_token"`
 	Expiry int `json:"expires_in"`
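Review bot: The doc comment on the exported `Validate` is still a single clause after the rename and says nothing about its two parameters or its two results, while the signature takes `token, dsecs string` and returns a claims map and an error, and the first lines of the body restrict the parser to an explicit `jp.ValidMethods` list. A comment a caller can act on would be along the lines of `// Validate parses the JWT in token, accepting only the signing methods listed in jp.ValidMethods, and returns its claims; dsecs is the requested duration in seconds (see updateClaimsExpiry above).` The meaning of dsecs is inferred from updateClaimsExpiry's parameter of the same name and should be confirmed against the rest of the body, which continues outside the hunk.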