openid

Documentation

Index

• Constants
• Variables
• func Enabled(kvs config.KVS) bool
• func GetDefaultExpiration(dsecs string) (time.Duration, error)
• type Config
  • func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser), ...) (c Config, err error)
  • func (r Config) GetRoleInfo() (arn.ARN, string, bool)
  • func (r *Config) GetSettings() madmin.OpenIDSettings
  • func (Config) ID() ID
  • func (r *Config) InitializeKeycloakProvider(adminURL, realm string) error
  • func (r *Config) InitializeProvider(kvs config.KVS) error
  • func (r Config) LookupUser(userid string) (provider.User, error)
  • func (r *Config) PopulatePublicKey() error
  • func (r Config) ProviderEnabled() bool
  • func (r *Config) UnmarshalJSON(data []byte) error
  • func (r *Config) UserInfo(accessToken string) (map[string]interface{}, error)
  • func (r *Config) Validate(token, accessToken, dsecs string) (map[string]interface{}, error)
• type DiscoveryDoc
• type ID
• type JWKS
  • func (key *JWKS) DecodePublicKey() (crypto.PublicKey, error)
• type Validator
• type Validators
  • func NewValidators() *Validators
  • func (list *Validators) Add(provider Validator) error
  • func (list *Validators) Get(id ID) (p Validator, err error)
  • func (list *Validators) List() []ID

Constants

const (
	JwksURL       = "jwks_url"
	ConfigURL     = "config_url"
	ClaimName     = "claim_name"
	ClaimUserinfo = "claim_userinfo"
	ClaimPrefix   = "claim_prefix"
	ClientID      = "client_id"
	ClientSecret  = "client_secret"
	RolePolicy    = "role_policy"

	Vendor             = "vendor"
	Scopes             = "scopes"
	RedirectURI        = "redirect_uri"
	RedirectURIDynamic = "redirect_uri_dynamic"

	// Vendor specific ENV only enabled if the Vendor matches == "vendor"
	KeyCloakRealm    = "keycloak_realm"
	KeyCloakAdminURL = "keycloak_admin_url"

	EnvIdentityOpenIDVendor             = "MINIO_IDENTITY_OPENID_VENDOR"
	EnvIdentityOpenIDClientID           = "MINIO_IDENTITY_OPENID_CLIENT_ID"
	EnvIdentityOpenIDClientSecret       = "MINIO_IDENTITY_OPENID_CLIENT_SECRET"
	EnvIdentityOpenIDURL                = "MINIO_IDENTITY_OPENID_CONFIG_URL"
	EnvIdentityOpenIDClaimName          = "MINIO_IDENTITY_OPENID_CLAIM_NAME"
	EnvIdentityOpenIDClaimUserInfo      = "MINIO_IDENTITY_OPENID_CLAIM_USERINFO"
	EnvIdentityOpenIDClaimPrefix        = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX"
	EnvIdentityOpenIDRolePolicy         = "MINIO_IDENTITY_OPENID_ROLE_POLICY"
	EnvIdentityOpenIDRedirectURI        = "MINIO_IDENTITY_OPENID_REDIRECT_URI"
	EnvIdentityOpenIDRedirectURIDynamic = "MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC"
	EnvIdentityOpenIDScopes             = "MINIO_IDENTITY_OPENID_SCOPES"

	// Vendor specific ENVs only enabled if the Vendor matches == "vendor"
	EnvIdentityOpenIDKeyCloakRealm    = "MINIO_IDENTITY_OPENID_KEYCLOAK_REALM"
	EnvIdentityOpenIDKeyCloakAdminURL = "MINIO_IDENTITY_OPENID_KEYCLOAK_ADMIN_URL"
)

OpenID keys and envs.

Variables

var (
	SigningMethodES3256 *jwt.SigningMethodECDSA
	SigningMethodES3384 *jwt.SigningMethodECDSA
	SigningMethodES3512 *jwt.SigningMethodECDSA
)

Specific instances for EC256 and company

var (
	SigningMethodRS3256 *jwt.SigningMethodRSA
	SigningMethodRS3384 *jwt.SigningMethodRSA
	SigningMethodRS3512 *jwt.SigningMethodRSA
)

Specific instances for RS256 and company

var (
	DefaultKVS = config.KVS{
		config.KV{
			Key:   ConfigURL,
			Value: "",
		},
		config.KV{
			Key:   ClientID,
			Value: "",
		},
		config.KV{
			Key:   ClientSecret,
			Value: "",
		},
		config.KV{
			Key:   ClaimName,
			Value: iampolicy.PolicyName,
		},
		config.KV{
			Key:   ClaimUserinfo,
			Value: "",
		},
		config.KV{
			Key:   RolePolicy,
			Value: "",
		},
		config.KV{
			Key:   ClaimPrefix,
			Value: "",
		},
		config.KV{
			Key:   RedirectURI,
			Value: "",
		},
		config.KV{
			Key:   RedirectURIDynamic,
			Value: "off",
		},
		config.KV{
			Key:   Scopes,
			Value: "",
		},
	}
)

DefaultKVS - default config for OpenID config

var (
	ErrTokenExpired = errors.New("token expired")
)

ErrTokenExpired - error token expired

var (
	Help = config.HelpKVS{
		config.HelpKV{
			Key:         ConfigURL,
			Description: `openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"`,
			Type:        "url",
		},
		config.HelpKV{
			Key:         ClientID,
			Description: `unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"`,
			Type:        "string",
		},
		config.HelpKV{
			Key:         ClientSecret,
			Description: `secret for the unique public identifier for apps e.g.`,
			Type:        "string",
			Optional:    true,
		},
		config.HelpKV{
			Key:         ClaimName,
			Description: `JWT canned policy claim name, defaults to "policy"`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         ClaimUserinfo,
			Description: `Enable fetching claims from UserInfo Endpoint for authenticated user`,
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         RolePolicy,
			Description: `Set the IAM access policies applicable to this client application and IDP e.g. "app-bucket-write,app-bucket-list"`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         Scopes,
			Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"`,
			Optional:    true,
			Type:        "csv",
		},
		config.HelpKV{
			Key:         Vendor,
			Description: `Specify vendor type for vendor specific behavior to checking validity of temporary credentials and service accounts on MinIO`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         KeyCloakRealm,
			Description: `Specify Keycloak 'realm' name, only honored if vendor was set to 'keycloak' as value, if no realm is specified 'master' is default`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         KeyCloakAdminURL,
			Description: `Specify Keycloak 'admin' REST API endpoint e.g. http://localhost:8080/auth/admin/`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         RedirectURIDynamic,
			Description: `Enable 'Host' header based dynamic redirect URI`,
			Optional:    true,
			Type:        "on|off",
		},
		config.HelpKV{
			Key:         ClaimPrefix,
			Description: `[DEPRECATED use 'claim_name'] JWT claim namespace prefix e.g. "customer1/"`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         RedirectURI,
			Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         config.Comment,
			Description: config.DefaultComment,
			Optional:    true,
			Type:        "sentence",
		},
		config.HelpKV{
			Key:         ClaimPrefix,
			Description: `[DEPRECATED use 'claim_name'] JWT claim namespace prefix e.g. "customer1/"`,
			Optional:    true,
			Type:        "string",
		},
		config.HelpKV{
			Key:         RedirectURI,
			Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback`,
			Optional:    true,
			Type:        "string",
		},
	}
)

Help template for OpenID identity feature.

Functions

func Enabled

func Enabled(kvs config.KVS) bool

Enabled returns if configURL is enabled.

func GetDefaultExpiration

func GetDefaultExpiration(dsecs string) (time.Duration, error)

GetDefaultExpiration - returns the expiration seconds expected.

Types

type Config

type Config struct {
	*sync.RWMutex

	Enabled bool `json:"enabled"`
	JWKS    struct {
		URL *xnet.URL `json:"url"`
	} `json:"jwks"`
	URL                *xnet.URL `json:"url,omitempty"`
	ClaimPrefix        string    `json:"claimPrefix,omitempty"`
	ClaimName          string    `json:"claimName,omitempty"`
	ClaimUserinfo      bool      `json:"claimUserInfo,omitempty"`
	RedirectURI        string    `json:"redirectURI,omitempty"`
	RedirectURIDynamic bool      `json:"redirectURIDynamic"`
	DiscoveryDoc       DiscoveryDoc
	ClientID           string
	ClientSecret       string
	RolePolicy         string
	// contains filtered or unexported fields
}

Config - OpenID Config RSA authentication target arguments

func LookupConfig

func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io.ReadCloser), serverRegion string) (c Config, err error)

LookupConfig lookup jwks from config, override with any ENVs.

func (Config) GetRoleInfo

func (r Config) GetRoleInfo() (arn.ARN, string, bool)

GetRoleInfo - returns role ARN and policy if present, otherwise returns false boolean.

func (*Config) GetSettings

func (r *Config) GetSettings() madmin.OpenIDSettings

GetSettings - fetches OIDC settings for site-replication related validation. NOTE that region must be populated by caller as this package does not know.

func (Config) ID

func (Config) ID() ID

ID returns the provider name and authentication type.

func (*Config) InitializeKeycloakProvider

func (r *Config) InitializeKeycloakProvider(adminURL, realm string) error

InitializeKeycloakProvider - initializes keycloak provider

func (*Config) InitializeProvider

func (r *Config) InitializeProvider(kvs config.KVS) error

InitializeProvider initializes if any additional vendor specific information was provided, initialization will return an error initial login fails.

func (Config) LookupUser

func (r Config) LookupUser(userid string) (provider.User, error)

LookupUser lookup userid for the provider

func (*Config) PopulatePublicKey

func (r *Config) PopulatePublicKey() error

PopulatePublicKey - populates a new publickey from the JWKS URL.

func (Config) ProviderEnabled

func (r Config) ProviderEnabled() bool

ProviderEnabled returns true if any vendor specific provider is enabled.

func (*Config) UnmarshalJSON

func (r *Config) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data.

func (*Config) UserInfo

func (r *Config) UserInfo(accessToken string) (map[string]interface{}, error)

UserInfo returns claims for authenticated user from userInfo endpoint.

Some OIDC implementations such as GitLab do not support claims as part of the normal oauth2 flow, instead rely on service providers making calls to IDP to fetch additional claims available from the UserInfo endpoint

func (*Config) Validate

func (r *Config) Validate(token, accessToken, dsecs string) (map[string]interface{}, error)

Validate - validates the id_token.

type DiscoveryDoc

type DiscoveryDoc struct {
	Issuer                           string   `json:"issuer,omitempty"`
	AuthEndpoint                     string   `json:"authorization_endpoint,omitempty"`
	TokenEndpoint                    string   `json:"token_endpoint,omitempty"`
	UserInfoEndpoint                 string   `json:"userinfo_endpoint,omitempty"`
	RevocationEndpoint               string   `json:"revocation_endpoint,omitempty"`
	JwksURI                          string   `json:"jwks_uri,omitempty"`
	ResponseTypesSupported           []string `json:"response_types_supported,omitempty"`
	SubjectTypesSupported            []string `json:"subject_types_supported,omitempty"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"`
	ScopesSupported                  []string `json:"scopes_supported,omitempty"`
	TokenEndpointAuthMethods         []string `json:"token_endpoint_auth_methods_supported,omitempty"`
	ClaimsSupported                  []string `json:"claims_supported,omitempty"`
	CodeChallengeMethodsSupported    []string `json:"code_challenge_methods_supported,omitempty"`
}

DiscoveryDoc - parses the output from openid-configuration for example https://accounts.google.com/.well-known/openid-configuration

type ID

type ID string

ID - holds identification name authentication validator target.

type JWKS

type JWKS struct {
	Keys []*JWKS `json:"keys,omitempty"`

	Kty string `json:"kty"`
	Use string `json:"use,omitempty"`
	Kid string `json:"kid,omitempty"`
	Alg string `json:"alg,omitempty"`

	Crv string `json:"crv,omitempty"`
	X   string `json:"x,omitempty"`
	Y   string `json:"y,omitempty"`
	D   string `json:"d,omitempty"`
	N   string `json:"n,omitempty"`
	E   string `json:"e,omitempty"`
	K   string `json:"k,omitempty"`
}

JWKS - https://tools.ietf.org/html/rfc7517

func (*JWKS) DecodePublicKey

func (key *JWKS) DecodePublicKey() (crypto.PublicKey, error)

DecodePublicKey - decodes JSON Web Key (JWK) as public key

type Validator

type Validator interface {
	// Validate is a custom validator function for this provider,
	// each validation is authenticationType or provider specific.
	Validate(idToken, accessToken, duration string) (map[string]interface{}, error)

	// ID returns provider name of this provider.
	ID() ID
}

Validator interface describes basic implementation requirements of various authentication providers.

type Validators

type Validators struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

Validators - holds list of providers indexed by provider id.

func NewValidators

func NewValidators() *Validators

NewValidators - creates Validators.

func (*Validators) Add

func (list *Validators) Add(provider Validator) error

Add - adds unique provider to provider list.

func (*Validators) Get

func (list *Validators) Get(id ID) (p Validator, err error)

Get - returns the provider for the given providerID, if not found returns an error.

func (*Validators) List

func (list *Validators) List() []ID

List - returns available provider IDs.