Final changes to config sub-system (#8600)

- Introduces changes such as certain types of
  errors that can be ignored or which need to 
  go into safe mode.
- Update help text as per the review

cmd/config/identity/openid/help.go

@@ -23,24 +23,24 @@ var (
 	Help = config.HelpKVS{
 		config.HelpKV{
 			Key:         ConfigURL,
-			Description: `OpenID discovery documented endpoint. eg: "https://accounts.google.com/.well-known/openid-configuration"`,
+			Description: `openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"`,
 			Type:        "url",
 		},
 		config.HelpKV{
 			Key:         ClientID,
-			Description: `The client identifier of the authenticating party at the identity provider`,
+			Description: `client identifier of the authenticating party at the identity provider`,
 			Type:        "string",
 			Optional:    true,
 		},
 		config.HelpKV{
 			Key:         ClaimPrefix,
-			Description: `OpenID JWT claim namespace prefix. eg: "customer"`,
+			Description: `openid JWT claim namespace prefix e.g. "customer"`,
 			Optional:    true,
 			Type:        "string",
 		},
 		config.HelpKV{
 			Key:         config.Comment,
-			Description: "A comment to describe the OpenID identity setting",
+			Description: config.DefaultComment,
 			Optional:    true,
 			Type:        "sentence",
 		},

cmd/config/identity/openid/jwt.go

@@ -212,7 +212,6 @@ const (
 	ClaimPrefix = "claim_prefix"
 	ClientID    = "client_id"
 
-	EnvIdentityOpenIDState       = "MINIO_IDENTITY_OPENID_STATE"
 	EnvIdentityOpenIDClientID    = "MINIO_IDENTITY_OPENID_CLIENT_ID"
 	EnvIdentityOpenIDJWKSURL     = "MINIO_IDENTITY_OPENID_JWKS_URL"
 	EnvIdentityOpenIDURL         = "MINIO_IDENTITY_OPENID_CONFIG_URL"
@@ -264,10 +263,6 @@ func parseDiscoveryDoc(u *xnet.URL, transport *http.Transport, closeRespFn func(
 // DefaultKVS - default config for OpenID config
 var (
 	DefaultKVS = config.KVS{
-		config.KV{
-			Key:   config.State,
-			Value: config.StateOff,
-		},
 		config.KV{
 			Key:   ConfigURL,
 			Value: "",
@@ -287,20 +282,17 @@ var (
 	}
 )
 
+// Enabled returns if jwks is enabled.
+func Enabled(kvs config.KVS) bool {
+	return kvs.Get(JwksURL) != ""
+}
+
 // LookupConfig lookup jwks from config, override with any ENVs.
 func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser)) (c Config, err error) {
 	if err = config.CheckValidKeys(config.IdentityOpenIDSubSys, kvs, DefaultKVS); err != nil {
 		return c, err
 	}
 
-	stateBool, err := config.ParseBool(env.Get(EnvIdentityOpenIDState, kvs.Get(config.State)))
-	if err != nil {
-		if kvs.Empty() {
-			return c, nil
-		}
-		return c, err
-	}
-
 	jwksURL := env.Get(EnvIamJwksURL, "") // Legacy
 	if jwksURL == "" {
 		jwksURL = env.Get(EnvIdentityOpenIDJWKSURL, kvs.Get(JwksURL))
@@ -330,12 +322,6 @@ func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io
 		jwksURL = c.DiscoveryDoc.JwksURI
 	}
 
-	if stateBool {
-		// This check is needed to ensure that empty Jwks urls are not allowed.
-		if jwksURL == "" {
-			return c, config.Error("'config_url' must be set to a proper OpenID discovery document URL")
-		}
-	}
 	if jwksURL == "" {
 		return c, nil
 	}

cmd/config/identity/openid/legacy.go

@@ -30,10 +30,6 @@ func SetIdentityOpenID(s config.Config, cfg Config) {
 		return
 	}
 	s[config.IdentityOpenIDSubSys][config.Default] = config.KVS{
-		config.KV{
-			Key:   config.State,
-			Value: config.StateOn,
-		},
 		config.KV{
 			Key:   JwksURL,
 			Value: cfg.JWKS.URL.String(),