From dc6958b6a1f94305bb99f2846c906f76250fa302 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Wed, 30 Jun 2021 17:11:23 -0700
Subject: [PATCH] fix: enhance openid claim missing error (#12608)

The error implies an expected claim is missing even when the claim is present. Added an additional error message to clarify the problem.
---
 cmd/sts-handlers.go | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index 66c52a164..c041844a7 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -343,14 +343,21 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 	// JWT custom claims.
 	var policyName string
 	policySet, ok := iampolicy.GetPoliciesFromClaims(m, iamPolicyClaimNameOpenID())
+	policies := strings.Join(policySet.ToSlice(), ",")
 	if ok {
-		policyName = globalIAMSys.CurrentPolicies(strings.Join(policySet.ToSlice(), ","))
+		policyName = globalIAMSys.CurrentPolicies(policies)
 	}
-	if policyName == "" && globalPolicyOPA == nil {
-		writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
-			fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
-		return
+	if globalPolicyOPA == nil {
+		if !ok {
+			writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
+				fmt.Errorf("%s claim missing from the JWT token, credentials will not be generated", iamPolicyClaimNameOpenID()))
+			return
+		} else if policyName == "" {
+			writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
+				fmt.Errorf("None of the given policies (`%s`) are defined, credentials will not be generated", policies))
+			return
+		}
+	}
 	m[iamPolicyClaimNameOpenID()] = policyName