From d0f50cdd9b0efa55b7b9fba91706615aa0416c88 Mon Sep 17 00:00:00 2001
From: Ian Roberts <i.roberts@sheffield.ac.uk>
Date: Sat, 6 Sep 2025 18:38:46 +0100
Subject: [PATCH] fix: use correct dummy ARN for claim-based OIDC provider when
 listing access keys (#21549)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

fix: use correct dummy ARN for claim-based OIDC provider

When listing OIDC access keys, use the correct ARN when looking up the provider configuration for the claim-based provider.  Without this it was impossible to list access keys for a claim-based provider, only for a role-policy-based provider.

Fixes minio/minio#21548
---
 cmd/admin-handlers-idp-openid.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cmd/admin-handlers-idp-openid.go b/cmd/admin-handlers-idp-openid.go
index 78e537d48..7e2387832 100644
--- a/cmd/admin-handlers-idp-openid.go
+++ b/cmd/admin-handlers-idp-openid.go
@@ -173,6 +173,8 @@ func (a adminAPIHandlers) ListAccessKeysOpenIDBulk(w http.ResponseWriter, r *htt
 			if _, ok := accessKey.Claims[iamPolicyClaimNameOpenID()]; !ok {
 				continue // skip if no roleArn and no policy claim
 			}
+			// claim-based provider is in the roleArnMap under dummy ARN
+			arn = dummyRoleARN
 		}
 		matchingCfgName, ok := roleArnMap[arn]
 		if !ok {