Migrate config to KV data format (#8392)

- adding oauth support to MinIO browser (#8400) by @kanagaraj
- supports multi-line get/set/del for all config fields
- add support for comments, allow toggle
- add extensive validation of config before saving
- support MinIO browser to support proper claims, using STS tokens
- env support for all config parameters, legacy envs are also
  supported with all documentation now pointing to latest ENVs
- preserve accessKey/secretKey from FS mode setups
- add history support implements three APIs
  - ClearHistory
  - RestoreHistory
  - ListHistory
- add help command support for each config parameters
- all the bug fixes after migration to KV, and other bug
  fixes encountered during testing.

cmd/config/identity/openid/help.go

@@ -0,0 +1,28 @@
+/*
+ * MinIO Cloud Storage, (C) 2019 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package openid
+
+import "github.com/minio/minio/cmd/config"
+
+// Help template for OpenID identity feature.
+var (
+	Help = config.HelpKV{
+		ConfigURL:      `OpenID discovery documented endpoint. eg: "https://accounts.google.com/.well-known/openid-configuration"`,
+		config.State:   "Indicates if OpenID identity is enabled or not",
+		config.Comment: "A comment to describe the OpenID identity setting",
+	}
+)

cmd/config/identity/openid/jwks.go

@@ -0,0 +1,137 @@
+/*
+ * MinIO Cloud Storage, (C) 2018 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package openid
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"encoding/base64"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"math/big"
+	"strings"
+)
+
+// JWKS - https://tools.ietf.org/html/rfc7517
+type JWKS struct {
+	Keys []*JWKS `json:"keys,omitempty"`
+
+	Kty string `json:"kty"`
+	Use string `json:"use,omitempty"`
+	Kid string `json:"kid,omitempty"`
+	Alg string `json:"alg,omitempty"`
+
+	Crv string `json:"crv,omitempty"`
+	X   string `json:"x,omitempty"`
+	Y   string `json:"y,omitempty"`
+	D   string `json:"d,omitempty"`
+	N   string `json:"n,omitempty"`
+	E   string `json:"e,omitempty"`
+	K   string `json:"k,omitempty"`
+}
+
+func safeDecode(str string) ([]byte, error) {
+	lenMod4 := len(str) % 4
+	if lenMod4 > 0 {
+		str = str + strings.Repeat("=", 4-lenMod4)
+	}
+
+	return base64.URLEncoding.DecodeString(str)
+}
+
+var (
+	errMalformedJWKRSAKey = errors.New("malformed JWK RSA key")
+	errMalformedJWKECKey  = errors.New("malformed JWK EC key")
+)
+
+// DecodePublicKey - decodes JSON Web Key (JWK) as public key
+func (key *JWKS) DecodePublicKey() (crypto.PublicKey, error) {
+	switch key.Kty {
+	case "RSA":
+		if key.N == "" || key.E == "" {
+			return nil, errMalformedJWKRSAKey
+		}
+
+		// decode exponent
+		data, err := safeDecode(key.E)
+		if err != nil {
+			return nil, errMalformedJWKRSAKey
+		}
+
+		if len(data) < 4 {
+			ndata := make([]byte, 4)
+			copy(ndata[4-len(data):], data)
+			data = ndata
+		}
+
+		pubKey := &rsa.PublicKey{
+			N: &big.Int{},
+			E: int(binary.BigEndian.Uint32(data[:])),
+		}
+
+		data, err = safeDecode(key.N)
+		if err != nil {
+			return nil, errMalformedJWKRSAKey
+		}
+		pubKey.N.SetBytes(data)
+
+		return pubKey, nil
+	case "EC":
+		if key.Crv == "" || key.X == "" || key.Y == "" {
+			return nil, errMalformedJWKECKey
+		}
+
+		var curve elliptic.Curve
+		switch key.Crv {
+		case "P-224":
+			curve = elliptic.P224()
+		case "P-256":
+			curve = elliptic.P256()
+		case "P-384":
+			curve = elliptic.P384()
+		case "P-521":
+			curve = elliptic.P521()
+		default:
+			return nil, fmt.Errorf("Unknown curve type: %s", key.Crv)
+		}
+
+		pubKey := &ecdsa.PublicKey{
+			Curve: curve,
+			X:     &big.Int{},
+			Y:     &big.Int{},
+		}
+
+		data, err := safeDecode(key.X)
+		if err != nil {
+			return nil, errMalformedJWKECKey
+		}
+		pubKey.X.SetBytes(data)
+
+		data, err = safeDecode(key.Y)
+		if err != nil {
+			return nil, errMalformedJWKECKey
+		}
+		pubKey.Y.SetBytes(data)
+
+		return pubKey, nil
+	default:
+		return nil, fmt.Errorf("Unknown JWK key type %s", key.Kty)
+	}
+}

cmd/config/identity/openid/jwks_test.go

@@ -0,0 +1,103 @@
+/*
+ * MinIO Cloud Storage, (C) 2018 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package openid
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"encoding/json"
+	"testing"
+)
+
+// A.1 - Example public keys
+func TestPublicKey(t *testing.T) {
+	const jsonkey = `{"keys":
+       [
+         {"kty":"EC",
+          "crv":"P-256",
+          "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
+          "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
+          "use":"enc",
+          "kid":"1"},
+
+         {"kty":"RSA",
+          "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+          "e":"AQAB",
+          "alg":"RS256",
+          "kid":"2011-04-29"}
+       ]
+     }`
+
+	var jk JWKS
+	if err := json.Unmarshal([]byte(jsonkey), &jk); err != nil {
+		t.Fatal("Unmarshal: ", err)
+	} else if len(jk.Keys) != 2 {
+		t.Fatalf("Expected 2 keys, got %d", len(jk.Keys))
+	}
+
+	keys := make([]crypto.PublicKey, len(jk.Keys))
+	for ii, jks := range jk.Keys {
+		var err error
+		keys[ii], err = jks.DecodePublicKey()
+		if err != nil {
+			t.Fatalf("Failed to decode key %d: %v", ii, err)
+		}
+	}
+
+	if key0, ok := keys[0].(*ecdsa.PublicKey); !ok {
+		t.Fatalf("Expected ECDSA key[0], got %T", keys[0])
+	} else if key1, ok := keys[1].(*rsa.PublicKey); !ok {
+		t.Fatalf("Expected RSA key[1], got %T", keys[1])
+	} else if key0.Curve != elliptic.P256() {
+		t.Fatal("Key[0] is not using P-256 curve")
+	} else if !bytes.Equal(key0.X.Bytes(), []byte{0x30, 0xa0, 0x42, 0x4c, 0xd2,
+		0x1c, 0x29, 0x44, 0x83, 0x8a, 0x2d, 0x75, 0xc9, 0x2b, 0x37, 0xe7, 0x6e, 0xa2,
+		0xd, 0x9f, 0x0, 0x89, 0x3a, 0x3b, 0x4e, 0xee, 0x8a, 0x3c, 0xa, 0xaf, 0xec, 0x3e}) {
+		t.Fatalf("Bad key[0].X, got %v", key0.X.Bytes())
+	} else if !bytes.Equal(key0.Y.Bytes(), []byte{0xe0, 0x4b, 0x65, 0xe9, 0x24,
+		0x56, 0xd9, 0x88, 0x8b, 0x52, 0xb3, 0x79, 0xbd, 0xfb, 0xd5, 0x1e, 0xe8,
+		0x69, 0xef, 0x1f, 0xf, 0xc6, 0x5b, 0x66, 0x59, 0x69, 0x5b, 0x6c, 0xce,
+		0x8, 0x17, 0x23}) {
+		t.Fatalf("Bad key[0].Y, got %v", key0.Y.Bytes())
+	} else if key1.E != 0x10001 {
+		t.Fatalf("Bad key[1].E: %d", key1.E)
+	} else if !bytes.Equal(key1.N.Bytes(), []byte{0xd2, 0xfc, 0x7b, 0x6a, 0xa, 0x1e,
+		0x6c, 0x67, 0x10, 0x4a, 0xeb, 0x8f, 0x88, 0xb2, 0x57, 0x66, 0x9b, 0x4d, 0xf6,
+		0x79, 0xdd, 0xad, 0x9, 0x9b, 0x5c, 0x4a, 0x6c, 0xd9, 0xa8, 0x80, 0x15, 0xb5,
+		0xa1, 0x33, 0xbf, 0xb, 0x85, 0x6c, 0x78, 0x71, 0xb6, 0xdf, 0x0, 0xb, 0x55,
+		0x4f, 0xce, 0xb3, 0xc2, 0xed, 0x51, 0x2b, 0xb6, 0x8f, 0x14, 0x5c, 0x6e, 0x84,
+		0x34, 0x75, 0x2f, 0xab, 0x52, 0xa1, 0xcf, 0xc1, 0x24, 0x40, 0x8f, 0x79, 0xb5,
+		0x8a, 0x45, 0x78, 0xc1, 0x64, 0x28, 0x85, 0x57, 0x89, 0xf7, 0xa2, 0x49, 0xe3,
+		0x84, 0xcb, 0x2d, 0x9f, 0xae, 0x2d, 0x67, 0xfd, 0x96, 0xfb, 0x92, 0x6c, 0x19,
+		0x8e, 0x7, 0x73, 0x99, 0xfd, 0xc8, 0x15, 0xc0, 0xaf, 0x9, 0x7d, 0xde, 0x5a,
+		0xad, 0xef, 0xf4, 0x4d, 0xe7, 0xe, 0x82, 0x7f, 0x48, 0x78, 0x43, 0x24, 0x39,
+		0xbf, 0xee, 0xb9, 0x60, 0x68, 0xd0, 0x47, 0x4f, 0xc5, 0xd, 0x6d, 0x90, 0xbf,
+		0x3a, 0x98, 0xdf, 0xaf, 0x10, 0x40, 0xc8, 0x9c, 0x2, 0xd6, 0x92, 0xab, 0x3b,
+		0x3c, 0x28, 0x96, 0x60, 0x9d, 0x86, 0xfd, 0x73, 0xb7, 0x74, 0xce, 0x7, 0x40,
+		0x64, 0x7c, 0xee, 0xea, 0xa3, 0x10, 0xbd, 0x12, 0xf9, 0x85, 0xa8, 0xeb, 0x9f,
+		0x59, 0xfd, 0xd4, 0x26, 0xce, 0xa5, 0xb2, 0x12, 0xf, 0x4f, 0x2a, 0x34, 0xbc,
+		0xab, 0x76, 0x4b, 0x7e, 0x6c, 0x54, 0xd6, 0x84, 0x2, 0x38, 0xbc, 0xc4, 0x5, 0x87,
+		0xa5, 0x9e, 0x66, 0xed, 0x1f, 0x33, 0x89, 0x45, 0x77, 0x63, 0x5c, 0x47, 0xa,
+		0xf7, 0x5c, 0xf9, 0x2c, 0x20, 0xd1, 0xda, 0x43, 0xe1, 0xbf, 0xc4, 0x19, 0xe2,
+		0x22, 0xa6, 0xf0, 0xd0, 0xbb, 0x35, 0x8c, 0x5e, 0x38, 0xf9, 0xcb, 0x5, 0xa, 0xea,
+		0xfe, 0x90, 0x48, 0x14, 0xf1, 0xac, 0x1a, 0xa4, 0x9c, 0xca, 0x9e, 0xa0, 0xca, 0x83}) {
+		t.Fatalf("Bad key[1].N, got %v", key1.N.Bytes())
+	}
+}

cmd/config/identity/openid/jwt.go

@@ -0,0 +1,324 @@
+/*
+ * MinIO Cloud Storage, (C) 2018-2019 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package openid
+
+import (
+	"crypto"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strconv"
+	"time"
+
+	jwtgo "github.com/dgrijalva/jwt-go"
+	"github.com/minio/minio/cmd/config"
+	"github.com/minio/minio/pkg/env"
+	xnet "github.com/minio/minio/pkg/net"
+)
+
+// Config - OpenID Config
+// RSA authentication target arguments
+type Config struct {
+	JWKS struct {
+		URL *xnet.URL `json:"url"`
+	} `json:"jwks"`
+	URL          *xnet.URL `json:"url,omitempty"`
+	ClaimPrefix  string    `json:"claimPrefix,omitempty"`
+	DiscoveryDoc DiscoveryDoc
+	publicKeys   map[string]crypto.PublicKey
+	transport    *http.Transport
+	closeRespFn  func(io.ReadCloser)
+}
+
+// PopulatePublicKey - populates a new publickey from the JWKS URL.
+func (r *Config) PopulatePublicKey() error {
+	if r.JWKS.URL == nil || r.JWKS.URL.String() == "" {
+		return nil
+	}
+	transport := http.DefaultTransport
+	if r.transport != nil {
+		transport = r.transport
+	}
+	client := &http.Client{
+		Transport: transport,
+	}
+	resp, err := client.Get(r.JWKS.URL.String())
+	if err != nil {
+		return err
+	}
+	defer r.closeRespFn(resp.Body)
+	if resp.StatusCode != http.StatusOK {
+		return errors.New(resp.Status)
+	}
+
+	var jwk JWKS
+	if err = json.NewDecoder(resp.Body).Decode(&jwk); err != nil {
+		return err
+	}
+
+	for _, key := range jwk.Keys {
+		r.publicKeys[key.Kid], err = key.DecodePublicKey()
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// UnmarshalJSON - decodes JSON data.
+func (r *Config) UnmarshalJSON(data []byte) error {
+	// subtype to avoid recursive call to UnmarshalJSON()
+	type subConfig Config
+	var sr subConfig
+
+	if err := json.Unmarshal(data, &sr); err != nil {
+		return err
+	}
+
+	ar := Config(sr)
+	if ar.JWKS.URL == nil || ar.JWKS.URL.String() == "" {
+		*r = ar
+		return nil
+	}
+
+	*r = ar
+	return nil
+}
+
+// JWT - rs client grants provider details.
+type JWT struct {
+	Config
+}
+
+func expToInt64(expI interface{}) (expAt int64, err error) {
+	switch exp := expI.(type) {
+	case float64:
+		expAt = int64(exp)
+	case int64:
+		expAt = exp
+	case json.Number:
+		expAt, err = exp.Int64()
+		if err != nil {
+			return 0, err
+		}
+	default:
+		return 0, ErrInvalidDuration
+	}
+	return expAt, nil
+}
+
+// GetDefaultExpiration - returns the expiration seconds expected.
+func GetDefaultExpiration(dsecs string) (time.Duration, error) {
+	defaultExpiryDuration := time.Duration(60) * time.Minute // Defaults to 1hr.
+	if dsecs != "" {
+		expirySecs, err := strconv.ParseInt(dsecs, 10, 64)
+		if err != nil {
+			return 0, ErrInvalidDuration
+		}
+		// The duration, in seconds, of the role session.
+		// The value can range from 900 seconds (15 minutes)
+		// to 12 hours.
+		if expirySecs < 900 || expirySecs > 43200 {
+			return 0, ErrInvalidDuration
+		}
+
+		defaultExpiryDuration = time.Duration(expirySecs) * time.Second
+	}
+	return defaultExpiryDuration, nil
+}
+
+// Validate - validates the access token.
+func (p *JWT) Validate(token, dsecs string) (map[string]interface{}, error) {
+	jp := new(jwtgo.Parser)
+	jp.ValidMethods = []string{"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}
+
+	keyFuncCallback := func(jwtToken *jwtgo.Token) (interface{}, error) {
+		kid, ok := jwtToken.Header["kid"].(string)
+		if !ok {
+			return nil, fmt.Errorf("Invalid kid value %v", jwtToken.Header["kid"])
+		}
+		return p.publicKeys[kid], nil
+	}
+
+	var claims jwtgo.MapClaims
+	jwtToken, err := jp.ParseWithClaims(token, &claims, keyFuncCallback)
+	if err != nil {
+		if err = p.PopulatePublicKey(); err != nil {
+			return nil, err
+		}
+		jwtToken, err = jwtgo.ParseWithClaims(token, &claims, keyFuncCallback)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if !jwtToken.Valid {
+		return nil, ErrTokenExpired
+	}
+
+	expAt, err := expToInt64(claims["exp"])
+	if err != nil {
+		return nil, err
+	}
+
+	defaultExpiryDuration, err := GetDefaultExpiration(dsecs)
+	if err != nil {
+		return nil, err
+	}
+
+	if time.Unix(expAt, 0).UTC().Sub(time.Now().UTC()) < defaultExpiryDuration {
+		defaultExpiryDuration = time.Unix(expAt, 0).UTC().Sub(time.Now().UTC())
+	}
+
+	expiry := time.Now().UTC().Add(defaultExpiryDuration).Unix()
+	if expAt < expiry {
+		claims["exp"] = strconv.FormatInt(expAt, 64)
+	}
+
+	return claims, nil
+
+}
+
+// ID returns the provider name and authentication type.
+func (p *JWT) ID() ID {
+	return "jwt"
+}
+
+// OpenID keys and envs.
+const (
+	JwksURL     = "jwks_url"
+	ConfigURL   = "config_url"
+	ClaimPrefix = "claim_prefix"
+
+	EnvIdentityOpenIDJWKSURL     = "MINIO_IDENTITY_OPENID_JWKS_URL"
+	EnvIdentityOpenIDURL         = "MINIO_IDENTITY_OPENID_CONFIG_URL"
+	EnvIdentityOpenIDClaimPrefix = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX"
+)
+
+// DiscoveryDoc - parses the output from openid-configuration
+// for example https://accounts.google.com/.well-known/openid-configuration
+type DiscoveryDoc struct {
+	Issuer                           string   `json:"issuer,omitempty"`
+	AuthEndpoint                     string   `json:"authorization_endpoint,omitempty"`
+	TokenEndpoint                    string   `json:"token_endpoint,omitempty"`
+	UserInfoEndpoint                 string   `json:"userinfo_endpoint,omitempty"`
+	RevocationEndpoint               string   `json:"revocation_endpoint,omitempty"`
+	JwksURI                          string   `json:"jwks_uri,omitempty"`
+	ResponseTypesSupported           []string `json:"response_types_supported,omitempty"`
+	SubjectTypesSupported            []string `json:"subject_types_supported,omitempty"`
+	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
+	ScopesSupported                  []string `json:"scopes_supported,omitempty"`
+	TokenEndpointAuthMethods         []string `json:"token_endpoint_auth_methods_supported,omitempty"`
+	ClaimsSupported                  []string `json:"claims_supported,omitempty"`
+	CodeChallengeMethodsSupported    []string `json:"code_challenge_methods_supported,omitempty"`
+}
+
+func parseDiscoveryDoc(u *xnet.URL, transport *http.Transport, closeRespFn func(io.ReadCloser)) (DiscoveryDoc, error) {
+	d := DiscoveryDoc{}
+	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
+	if err != nil {
+		return d, err
+	}
+	clnt := http.Client{
+		Transport: transport,
+	}
+	resp, err := clnt.Do(req)
+	if err != nil {
+		return d, err
+	}
+	defer closeRespFn(resp.Body)
+	if resp.StatusCode != http.StatusOK {
+		return d, err
+	}
+	dec := json.NewDecoder(resp.Body)
+	if err = dec.Decode(&d); err != nil {
+		return d, err
+	}
+	return d, nil
+}
+
+// DefaultKVS - default config for OpenID config
+var (
+	DefaultKVS = config.KVS{
+		config.State:   config.StateOff,
+		config.Comment: "This is a default OpenID configuration",
+		JwksURL:        "",
+		ConfigURL:      "",
+		ClaimPrefix:    "",
+	}
+)
+
+// LookupConfig lookup jwks from config, override with any ENVs.
+func LookupConfig(kv config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser)) (c Config, err error) {
+	if err = config.CheckValidKeys(config.IdentityOpenIDSubSys, kv, DefaultKVS); err != nil {
+		return c, err
+	}
+
+	stateBool, err := config.ParseBool(kv.Get(config.State))
+	if err != nil {
+		return c, err
+	}
+	if !stateBool {
+		return c, nil
+	}
+
+	c = Config{
+		ClaimPrefix: env.Get(EnvIdentityOpenIDClaimPrefix, kv.Get(ClaimPrefix)),
+		publicKeys:  make(map[string]crypto.PublicKey),
+		transport:   transport,
+		closeRespFn: closeRespFn,
+	}
+
+	jwksURL := env.Get(EnvIamJwksURL, "") // Legacy
+	if jwksURL == "" {
+		jwksURL = env.Get(EnvIdentityOpenIDJWKSURL, kv.Get(JwksURL))
+	}
+
+	configURL := env.Get(EnvIdentityOpenIDURL, kv.Get(ConfigURL))
+	if configURL != "" {
+		c.URL, err = xnet.ParseURL(configURL)
+		if err != nil {
+			return c, err
+		}
+		c.DiscoveryDoc, err = parseDiscoveryDoc(c.URL, transport, closeRespFn)
+		if err != nil {
+			return c, err
+		}
+	}
+	if jwksURL == "" {
+		// Fallback to discovery document jwksURL
+		jwksURL = c.DiscoveryDoc.JwksURI
+	}
+	if jwksURL != "" {
+		c.JWKS.URL, err = xnet.ParseURL(jwksURL)
+		if err != nil {
+			return c, err
+		}
+		if err = c.PopulatePublicKey(); err != nil {
+			return c, err
+		}
+	}
+	return c, nil
+}
+
+// NewJWT - initialize new jwt authenticator.
+func NewJWT(c Config) *JWT {
+	return &JWT{c}
+}

cmd/config/identity/openid/jwt_test.go

@@ -0,0 +1,120 @@
+/*
+ * MinIO Cloud Storage, (C) 2018 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package openid
+
+import (
+	"crypto"
+	"encoding/json"
+	"net/url"
+	"testing"
+	"time"
+
+	xnet "github.com/minio/minio/pkg/net"
+)
+
+func TestJWT(t *testing.T) {
+	const jsonkey = `{"keys":
+       [
+         {"kty":"RSA",
+          "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+          "e":"AQAB",
+          "alg":"RS256",
+          "kid":"2011-04-29"}
+       ]
+     }`
+
+	var jk JWKS
+	if err := json.Unmarshal([]byte(jsonkey), &jk); err != nil {
+		t.Fatal("Unmarshal: ", err)
+	} else if len(jk.Keys) != 1 {
+		t.Fatalf("Expected 1 keys, got %d", len(jk.Keys))
+	}
+
+	keys := make(map[string]crypto.PublicKey, len(jk.Keys))
+	for ii, jks := range jk.Keys {
+		var err error
+		keys[jks.Kid], err = jks.DecodePublicKey()
+		if err != nil {
+			t.Fatalf("Failed to decode key %d: %v", ii, err)
+		}
+	}
+
+	u1, err := xnet.ParseURL("http://localhost:8443")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cfg := Config{}
+	cfg.JWKS.URL = u1
+	cfg.publicKeys = keys
+	jwt := NewJWT(cfg)
+	if jwt.ID() != "jwt" {
+		t.Fatalf("Uexpected id %s for the validator", jwt.ID())
+	}
+
+	u, err := url.Parse("http://localhost:8443/?Token=invalid")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if _, err := jwt.Validate(u.Query().Get("Token"), ""); err == nil {
+		t.Fatal(err)
+	}
+}
+
+func TestDefaultExpiryDuration(t *testing.T) {
+	testCases := []struct {
+		reqURL    string
+		duration  time.Duration
+		expectErr bool
+	}{
+		{
+			reqURL:   "http://localhost:8443/?Token=xxxxx",
+			duration: time.Duration(60) * time.Minute,
+		},
+		{
+			reqURL:    "http://localhost:8443/?DurationSeconds=9s",
+			expectErr: true,
+		},
+		{
+			reqURL:    "http://localhost:8443/?DurationSeconds=43201",
+			expectErr: true,
+		},
+		{
+			reqURL:    "http://localhost:8443/?DurationSeconds=800",
+			expectErr: true,
+		},
+		{
+			reqURL:   "http://localhost:8443/?DurationSeconds=901",
+			duration: time.Duration(901) * time.Second,
+		},
+	}
+
+	for i, testCase := range testCases {
+		u, err := url.Parse(testCase.reqURL)
+		if err != nil {
+			t.Fatal(err)
+		}
+		d, err := GetDefaultExpiration(u.Query().Get("DurationSeconds"))
+		gotErr := (err != nil)
+		if testCase.expectErr != gotErr {
+			t.Errorf("Test %d: Expected %v, got %v with error %s", i+1, testCase.expectErr, gotErr, err)
+		}
+		if d != testCase.duration {
+			t.Errorf("Test %d: Expected duration %d, got %d", i+1, testCase.duration, d)
+		}
+	}
+}

cmd/config/identity/openid/legacy.go

@@ -0,0 +1,48 @@
+/*
+ * MinIO Cloud Storage, (C) 2019 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package openid
+
+import "github.com/minio/minio/cmd/config"
+
+// Legacy envs
+const (
+	EnvIamJwksURL = "MINIO_IAM_JWKS_URL"
+)
+
+// SetIdentityOpenID - One time migration code needed, for migrating from older config to new for OpenIDConfig.
+func SetIdentityOpenID(s config.Config, cfg Config) {
+	s[config.IdentityOpenIDSubSys][config.Default] = config.KVS{
+		config.State: func() string {
+			if cfg.JWKS.URL == nil {
+				return config.StateOff
+			}
+			if cfg.JWKS.URL.String() == "" {
+				return config.StateOff
+			}
+			return config.StateOn
+		}(),
+		config.Comment: "Settings for OpenID, after migrating config",
+		JwksURL: func() string {
+			if cfg.JWKS.URL != nil {
+				return cfg.JWKS.URL.String()
+			}
+			return ""
+		}(),
+		ConfigURL:   "",
+		ClaimPrefix: "",
+	}
+}

cmd/config/identity/openid/validators.go

@@ -0,0 +1,92 @@
+/*
+ * MinIO Cloud Storage, (C) 2018-2019 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package openid
+
+import (
+	"errors"
+	"fmt"
+	"sync"
+)
+
+// ID - holds identification name authentication validator target.
+type ID string
+
+// Validator interface describes basic implementation
+// requirements of various authentication providers.
+type Validator interface {
+	// Validate is a custom validator function for this provider,
+	// each validation is authenticationType or provider specific.
+	Validate(token string, duration string) (map[string]interface{}, error)
+
+	// ID returns provider name of this provider.
+	ID() ID
+}
+
+// ErrTokenExpired - error token expired
+var (
+	ErrTokenExpired    = errors.New("token expired")
+	ErrInvalidDuration = errors.New("duration higher than token expiry")
+)
+
+// Validators - holds list of providers indexed by provider id.
+type Validators struct {
+	sync.RWMutex
+	providers map[ID]Validator
+}
+
+// Add - adds unique provider to provider list.
+func (list *Validators) Add(provider Validator) error {
+	list.Lock()
+	defer list.Unlock()
+
+	if _, ok := list.providers[provider.ID()]; ok {
+		return fmt.Errorf("provider %v already exists", provider.ID())
+	}
+
+	list.providers[provider.ID()] = provider
+	return nil
+}
+
+// List - returns available provider IDs.
+func (list *Validators) List() []ID {
+	list.RLock()
+	defer list.RUnlock()
+
+	keys := []ID{}
+	for k := range list.providers {
+		keys = append(keys, k)
+	}
+
+	return keys
+}
+
+// Get - returns the provider for the given providerID, if not found
+// returns an error.
+func (list *Validators) Get(id ID) (p Validator, err error) {
+	list.RLock()
+	defer list.RUnlock()
+	var ok bool
+	if p, ok = list.providers[id]; !ok {
+		return nil, fmt.Errorf("provider %v doesn't exist", id)
+	}
+	return p, nil
+}
+
+// NewValidators - creates Validators.
+func NewValidators() *Validators {
+	return &Validators{providers: make(map[ID]Validator)}
+}

cmd/config/identity/openid/validators_test.go

@@ -0,0 +1,104 @@
+/*
+ * MinIO Cloud Storage, (C) 2018 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package openid
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	xnet "github.com/minio/minio/pkg/net"
+)
+
+type errorValidator struct{}
+
+func (e errorValidator) Validate(token, dsecs string) (map[string]interface{}, error) {
+	return nil, ErrTokenExpired
+}
+
+func (e errorValidator) ID() ID {
+	return "err"
+}
+
+func TestValidators(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("content-type", "application/json")
+		w.Write([]byte(`{
+  "keys" : [ {
+    "kty" : "RSA",
+    "kid" : "1438289820780",
+    "use" : "sig",
+    "alg" : "RS256",
+    "n" : "idWPro_QiAFOdMsJD163lcDIPogOwXogRo3Pct2MMyeE2GAGqV20Sc8QUbuLDfPl-7Hi9IfFOz--JY6QL5l92eV-GJXkTmidUEooZxIZSp3ghRxLCqlyHeF5LuuM5LPRFDeF4YWFQT_D2eNo_w95g6qYSeOwOwGIfaHa2RMPcQAiM6LX4ot-Z7Po9z0_3ztFa02m3xejEFr2rLRqhFl3FZJaNnwTUk6an6XYsunxMk3Ya3lRaKJReeXeFtfTpShgtPiAl7lIfLJH9h26h2OAlww531DpxHSm1gKXn6bjB0NTC55vJKft4wXoc_0xKZhnWmjQE8d9xE8e1Z3Ll1LYbw",
+    "e" : "AQAB"
+  }, {
+    "kty" : "RSA",
+    "kid" : "1438289856256",
+    "use" : "sig",
+    "alg" : "RS256",
+    "n" : "zo5cKcbFECeiH8eGx2D-DsFSpjSKbTVlXD6uL5JAy9rYIv7eYEP6vrKeX-x1z70yEdvgk9xbf9alc8siDfAz3rLCknqlqL7XGVAQL0ZP63UceDmD60LHOzMrx4eR6p49B3rxFfjvX2SWSV3-1H6XNyLk_ALbG6bGCFGuWBQzPJB4LMKCrOFq-6jtRKOKWBXYgkYkaYs5dG-3e2ULbq-y2RdgxYh464y_-MuxDQfvUgP787XKfcXP_XjJZvyuOEANjVyJYZSOyhHUlSGJapQ8ztHdF-swsnf7YkePJ2eR9fynWV2ZoMaXOdidgZtGTa4R1Z4BgH2C0hKJiqRy9fB7Gw",
+    "e" : "AQAB"
+  } ]
+}
+`))
+		w.(http.Flusher).Flush()
+	}))
+	defer ts.Close()
+
+	vrs := NewValidators()
+
+	if err := vrs.Add(&errorValidator{}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := vrs.Add(&errorValidator{}); err == nil {
+		t.Fatal("Unexpected should return error for double inserts")
+	}
+
+	if _, err := vrs.Get("unknown"); err == nil {
+		t.Fatal("Unexpected should return error for unknown validators")
+	}
+
+	v, err := vrs.Get("err")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err = v.Validate("", ""); err != ErrTokenExpired {
+		t.Fatalf("Expected error %s, got %s", ErrTokenExpired, err)
+	}
+
+	vids := vrs.List()
+	if len(vids) == 0 || len(vids) > 1 {
+		t.Fatalf("Unexpected number of vids %v", vids)
+	}
+
+	u, err := xnet.ParseURL(ts.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cfg := Config{}
+	cfg.JWKS.URL = u
+	if err = vrs.Add(NewJWT(cfg)); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err = vrs.Get("jwt"); err != nil {
+		t.Fatal(err)
+	}
+}