support additional claim info in Auditing STS calls (#15381)

Bonus: Adds a missing AuditLog from AssumeRoleWithCertificate API

Fixes #9529

internal/config/identity/openid/jwt.go

@@ -131,7 +131,7 @@ const (
 )
 
 // Validate - validates the id_token.
-func (r *Config) Validate(arn arn.ARN, token, accessToken, dsecs string) (map[string]interface{}, error) {
+func (r *Config) Validate(arn arn.ARN, token, accessToken, dsecs string, claims jwtgo.MapClaims) error {
 	jp := new(jwtgo.Parser)
 	jp.ValidMethods = []string{
 		"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
@@ -148,33 +148,32 @@ func (r *Config) Validate(arn arn.ARN, token, accessToken, dsecs string) (map[st
 
 	pCfg, ok := r.arnProviderCfgsMap[arn]
 	if !ok {
-		return nil, fmt.Errorf("Role %s does not exist", arn)
+		return fmt.Errorf("Role %s does not exist", arn)
 	}
 
-	var claims jwtgo.MapClaims
 	jwtToken, err := jp.ParseWithClaims(token, &claims, keyFuncCallback)
 	if err != nil {
 		// Re-populate the public key in-case the JWKS
 		// pubkeys are refreshed
 		if err = r.PopulatePublicKey(arn); err != nil {
-			return nil, err
+			return err
 		}
 		jwtToken, err = jwtgo.ParseWithClaims(token, &claims, keyFuncCallback)
 		if err != nil {
-			return nil, err
+			return err
 		}
 	}
 
 	if !jwtToken.Valid {
-		return nil, ErrTokenExpired
+		return ErrTokenExpired
 	}
 
 	if err = updateClaimsExpiry(dsecs, claims); err != nil {
-		return nil, err
+		return err
 	}
 
 	if err = r.updateUserinfoClaims(arn, accessToken, claims); err != nil {
-		return nil, err
+		return err
 	}
 
 	// Validate that matching clientID appears in the aud or azp claims.
@@ -188,7 +187,7 @@ func (r *Config) Validate(arn arn.ARN, token, accessToken, dsecs string) (map[st
 	// case sensitive
 	audValues, ok := iampolicy.GetValuesFromClaims(claims, audClaim)
 	if !ok {
-		return nil, errors.New("STS JWT Token has `aud` claim invalid, `aud` must match configured OpenID Client ID")
+		return errors.New("STS JWT Token has `aud` claim invalid, `aud` must match configured OpenID Client ID")
 	}
 	if !audValues.Contains(pCfg.ClientID) {
 		// if audience claims is missing, look for "azp" claims.
@@ -202,14 +201,14 @@ func (r *Config) Validate(arn arn.ARN, token, accessToken, dsecs string) (map[st
 		// string containing a StringOrURI value
 		azpValues, ok := iampolicy.GetValuesFromClaims(claims, azpClaim)
 		if !ok {
-			return nil, errors.New("STS JWT Token has `azp` claim invalid, `azp` must match configured OpenID Client ID")
+			return errors.New("STS JWT Token has `azp` claim invalid, `azp` must match configured OpenID Client ID")
 		}
 		if !azpValues.Contains(pCfg.ClientID) {
-			return nil, errors.New("STS JWT Token has `azp` claim invalid, `azp` must match configured OpenID Client ID")
+			return errors.New("STS JWT Token has `azp` claim invalid, `azp` must match configured OpenID Client ID")
 		}
 	}
 
-	return claims, nil
+	return nil
 }
 
 func (r *Config) updateUserinfoClaims(arn arn.ARN, accessToken string, claims map[string]interface{}) error {

internal/config/identity/openid/jwt_test.go

@@ -29,6 +29,7 @@ import (
 	"time"
 
 	jwtg "github.com/golang-jwt/jwt/v4"
+	jwtgo "github.com/golang-jwt/jwt/v4"
 	"github.com/minio/minio/internal/arn"
 	"github.com/minio/minio/internal/config"
 	jwtm "github.com/minio/minio/internal/jwt"
@@ -106,7 +107,8 @@ func TestJWTAzureFail(t *testing.T) {
 		},
 	}
 
-	if _, err := cfg.Validate(DummyRoleARN, jwtToken, "", ""); err == nil {
+	var claims jwtgo.MapClaims
+	if err = cfg.Validate(DummyRoleARN, jwtToken, "", "", claims); err == nil {
 		// Azure should fail due to non OIDC compliant JWT
 		// generated by Azure AD
 		t.Fatal(err)
@@ -159,7 +161,8 @@ func TestJWT(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if _, err := cfg.Validate(DummyRoleARN, u.Query().Get("Token"), "", ""); err == nil {
+	var claims jwtgo.MapClaims
+	if err = cfg.Validate(DummyRoleARN, u.Query().Get("Token"), "", "", claims); err == nil {
 		t.Fatal(err)
 	}
 }