diff --git a/cmd/iam-store.go b/cmd/iam-store.go
index 245922ce4..63b94d018 100644
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@@ -1457,7 +1457,20 @@ func (store *IAMStoreSys) GetAllParentUsers() []string {
 res := set.NewStringSet()
 for _, cred := range cache.iamUsersMap {
 if cred.IsServiceAccount() || cred.IsTemp() {
- res.Add(cred.ParentUser)
+ parentUser := cred.ParentUser
+ if cred.SessionToken != "" {
+ claims, err := getClaimsFromToken(cred.SessionToken)
+ if err != nil {
+ continue
+ }
+ if v, ok := claims[subClaim]; ok {
+ subFromToken, ok := v.(string)
+ if ok {
+ parentUser = subFromToken
+ }
+ }
+ }
+ res.Add(parentUser)
 }
 }
diff --git a/cmd/iam.go b/cmd/iam.go
index 5172decd9..6041d2f1d 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1006,11 +1006,7 @@ func (sys *IAMSys) purgeExpiredCredentialsForExternalSSO(ctx context.Context) {
 parentUsers := sys.store.GetAllParentUsers()
 var expiredUsers []string
 for _, parentUser := range parentUsers {
- userid, err := parseOpenIDParentUser(parentUser)
- if err == errSkipFile {
- continue
- }
- u, err := globalOpenIDConfig.LookupUser(userid)
+ u, err := globalOpenIDConfig.LookupUser(parentUser)
 if err != nil {
 logger.LogIf(GlobalContext, err)
 continue
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index 95cba3880..7743a320b 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2015-2021 MinIO, Inc.
+/// Copyright (c) 2015-2021 MinIO, Inc.
 //
 // This file is part of MinIO Object Storage stack
 //
@@ -80,16 +80,6 @@ const (
 roleArnClaim = "roleArn"
 )
-func parseOpenIDParentUser(parentUser string) (userID string, err error) {
- if strings.HasPrefix(parentUser, "openid:") {
- tokens := strings.SplitN(strings.TrimPrefix(parentUser, "openid:"), ":", 2)
- if len(tokens) == 2 {
- return tokens[0], nil
- }
- }
- return "", errSkipFile
-}
-
 // stsAPIHandlers implements and provides http handlers for AWS STS API.
 type stsAPIHandlers struct{}
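Review bot: The `continue` on the getClaimsFromToken error path drops the credential from the result entirely, whereas the removed line always reported cred.ParentUser; if getClaimsFromToken rejects expired or malformed session tokens, those are exactly the credentials purgeExpiredCredentialsForExternalSSO exists to find, and they would now never be returned to it. Falling back to the stored parent user is the safer default: replace `continue` with a comment such as `// token unreadable: fall back to the stored parent user` and let `res.Add(parentUser)` run. The type assertion also re-declares `ok` with a second `:=` inside the block that already bound it; `if subFromToken, ok := v.(string); ok { parentUser = subFromToken }` removes the shadow and one level of nesting. Using the sub claim as the parent identity is only sound if getClaimsFromToken verifies the token's signature rather than merely decoding it, which this hunk does not show. GetAllParentUsers begins and ends outside the hunk.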
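Review bot: With the errSkipFile check gone, every parent user returned by GetAllParentUsers — including those of LDAP- or internally-issued service accounts and STS credentials — is now handed to globalOpenIDConfig.LookupUser, whereas the removed parseOpenIDParentUser call confined the loop to "openid:"-prefixed parents. On the visible lines a lookup error is only logged and skipped, so the immediate effect is one logged error per non-OpenID credential on every purge cycle; if LookupUser can also report an unknown subject without an error, such credentials could be queued in expiredUsers, which this hunk does not show. Consider restoring a provider filter before the lookup, either in GetAllParentUsers (report only OpenID-issued credentials) or here, with a comment `// only OpenID-issued parents are subject to provider-side expiry checks`. purgeExpiredCredentialsForExternalSSO begins and ends outside the hunk.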
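Review bot: The license header now reads `/// Copyright (c) 2015-2021 MinIO, Inc.` with three slashes, which looks like an accidental keystroke rather than an intended edit and breaks the uniform `//` prefix on the surrounding header lines. Restore `// Copyright (c) 2015-2021 MinIO, Inc.` so the header stays consistent with the rest of the file.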