fix: correct parentUser lookup for OIDC auto expiration (#14154)

fixes #14026 This is a regression from #13884
2025-12-08 16:53:11 -05:00 · 2022-01-22 16:36:11 -08:00
parent 5f36167f1a
commit f6d13f57bb
3 changed files with 16 additions and 17 deletions
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@@ -1457,7 +1457,20 @@ func (store *IAMStoreSys) GetAllParentUsers() []string {
 	res := set.NewStringSet()
 	for _, cred := range cache.iamUsersMap {
 		if cred.IsServiceAccount() || cred.IsTemp() {
-			res.Add(cred.ParentUser)
+			parentUser := cred.ParentUser
+			if cred.SessionToken != "" {
+				claims, err := getClaimsFromToken(cred.SessionToken)
+				if err != nil {
+					continue
+				}
+				if v, ok := claims[subClaim]; ok {
+					subFromToken, ok := v.(string)
+					if ok {
+						parentUser = subFromToken
+					}
+				}
+			}
+			res.Add(parentUser)
 		}
 	}