Documentation ¶
Index ¶
- Constants
- Variables
- func Enabled(kvs config.KVS) bool
- func GetDefaultExpiration(dsecs string) (time.Duration, error)
- type Config
- func (r *Config) Clone() Config
- func (r *Config) GetConfigInfo(s config.Config, cfgName string) ([]madmin.IDPCfgInfo, error)
- func (r *Config) GetConfigList(s config.Config) ([]madmin.IDPListItem, error)
- func (r *Config) GetIAMPolicyClaimName() string
- func (r Config) GetRoleInfo() map[arn.ARN]string
- func (r *Config) GetSettings() madmin.OpenIDSettings
- func (r Config) LookupUser(roleArn, userid string) (provider.User, error)
- func (r *Config) PopulatePublicKey(arn arn.ARN) error
- func (r Config) ProviderEnabled() bool
- func (r *Config) Validate(arn arn.ARN, token, accessToken, dsecs string, claims jwtgo.MapClaims) error
- type DiscoveryDoc
- type JWKS
Constants ¶
const ( ClientID = "client_id" ClientSecret = "client_secret" ConfigURL = "config_url" ClaimName = "claim_name" ClaimUserinfo = "claim_userinfo" RolePolicy = "role_policy" DisplayName = "display_name" Scopes = "scopes" RedirectURI = "redirect_uri" RedirectURIDynamic = "redirect_uri_dynamic" Vendor = "vendor" // Vendor specific ENV only enabled if the Vendor matches == "vendor" KeyCloakRealm = "keycloak_realm" KeyCloakAdminURL = "keycloak_admin_url" // Removed params JwksURL = "jwks_url" ClaimPrefix = "claim_prefix" )
OpenID keys and envs.
Variables ¶
var ( SigningMethodES3256 *jwt.SigningMethodECDSA SigningMethodES3384 *jwt.SigningMethodECDSA SigningMethodES3512 *jwt.SigningMethodECDSA )
Specific instances for EC256 and company
var ( SigningMethodRS3256 *jwt.SigningMethodRSA SigningMethodRS3384 *jwt.SigningMethodRSA SigningMethodRS3512 *jwt.SigningMethodRSA )
Specific instances for RS256 and company
var ( DefaultKVS = config.KVS{ config.KV{ Key: config.Enable, Value: "", }, config.KV{ Key: DisplayName, Value: "", }, config.KV{ Key: ConfigURL, Value: "", }, config.KV{ Key: ClientID, Value: "", }, config.KV{ Key: ClientSecret, Value: "", }, config.KV{ Key: ClaimName, Value: iampolicy.PolicyName, }, config.KV{ Key: ClaimUserinfo, Value: "", }, config.KV{ Key: RolePolicy, Value: "", }, config.KV{ Key: ClaimPrefix, Value: "", }, config.KV{ Key: RedirectURI, Value: "", }, config.KV{ Key: RedirectURIDynamic, Value: "off", }, config.KV{ Key: Scopes, Value: "", }, config.KV{ Key: Vendor, Value: "", }, config.KV{ Key: KeyCloakRealm, Value: "", }, config.KV{ Key: KeyCloakAdminURL, Value: "", }, } )
DefaultKVS - default config for OpenID config
var DummyRoleARN = func() arn.ARN { v, err := arn.NewIAMRoleARN("dummy-internal", "") if err != nil { panic("should not happen!") } return v }()
DummyRoleARN is used to indicate that the user associated with it was authenticated via policy-claim based OpenID provider.
var ErrProviderConfigNotFound = errors.New("provider configuration not found")
ErrProviderConfigNotFound - represents a non-existing provider error.
var (
ErrTokenExpired = errors.New("token expired")
)
ErrTokenExpired - error token expired
var ( Help = config.HelpKVS{ config.HelpKV{ Key: config.Enable, Description: "Enable or disable OpenID", Type: "on|off", Optional: true, Sensitive: false, }, config.HelpKV{ Key: DisplayName, Description: "Friendly display name for this Provider/App" + defaultHelpPostfix(DisplayName), Optional: true, Type: "string", }, config.HelpKV{ Key: ConfigURL, Description: `openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"` + defaultHelpPostfix(ConfigURL), Type: "url", }, config.HelpKV{ Key: ClientID, Description: `unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"` + defaultHelpPostfix(ClientID), Type: "string", }, config.HelpKV{ Key: ClientSecret, Description: `secret for the unique public identifier for apps` + defaultHelpPostfix(ClientSecret), Sensitive: true, Type: "string", }, config.HelpKV{ Key: RolePolicy, Description: `Set the IAM access policies applicable to this client application and IDP e.g. "app-bucket-write,app-bucket-list"` + defaultHelpPostfix(RolePolicy), Optional: true, Type: "string", }, config.HelpKV{ Key: ClaimName, Description: `JWT canned policy claim name` + defaultHelpPostfix(ClaimName), Optional: true, Type: "string", }, config.HelpKV{ Key: Scopes, Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"` + defaultHelpPostfix(Scopes), Optional: true, Type: "csv", }, config.HelpKV{ Key: Vendor, Description: `Specify vendor type for vendor specific behavior to checking validity of temporary credentials and service accounts on MinIO` + defaultHelpPostfix(Vendor), Optional: true, Type: "string", }, config.HelpKV{ Key: ClaimUserinfo, Description: `Enable fetching claims from UserInfo Endpoint for authenticated user` + defaultHelpPostfix(ClaimUserinfo), Optional: true, Type: "on|off", }, config.HelpKV{ Key: KeyCloakRealm, Description: `Specify Keycloak 'realm' name, only honored if vendor was set to 'keycloak' as value, if no realm is specified 'master' is default` + defaultHelpPostfix(KeyCloakRealm), Optional: true, Type: "string", }, config.HelpKV{ Key: KeyCloakAdminURL, Description: `Specify Keycloak 'admin' REST API endpoint e.g. http://localhost:8080/auth/admin/` + defaultHelpPostfix(KeyCloakAdminURL), Optional: true, Type: "string", }, config.HelpKV{ Key: RedirectURIDynamic, Description: `Enable 'Host' header based dynamic redirect URI` + defaultHelpPostfix(RedirectURIDynamic), Optional: true, Type: "on|off", }, config.HelpKV{ Key: ClaimPrefix, Description: `[DEPRECATED use 'claim_name'] JWT claim namespace prefix e.g. "customer1/"` + defaultHelpPostfix(ClaimPrefix), Optional: true, Type: "string", }, config.HelpKV{ Key: RedirectURI, Description: `[DEPRECATED use env 'MINIO_BROWSER_REDIRECT_URL'] Configure custom redirect_uri for OpenID login flow callback` + defaultHelpPostfix(RedirectURI), Optional: true, Type: "string", }, config.HelpKV{ Key: config.Comment, Description: config.DefaultComment, Optional: true, Type: "sentence", }, } )
Help template for OpenID identity feature.
Functions ¶
Types ¶
type Config ¶
type Config struct { Enabled bool // map of config names to providerCfg's ProviderCfgs map[string]*providerCfg // contains filtered or unexported fields }
Config - OpenID Config
func LookupConfig ¶
func LookupConfig(s config.Config, transport http.RoundTripper, closeRespFn func(io.ReadCloser), serverRegion string) (c Config, err error)
LookupConfig lookup jwks from config, override with any ENVs.
func (*Config) GetConfigInfo ¶
GetConfigInfo - returns configuration and related info for the given IDP provider.
func (*Config) GetConfigList ¶
GetConfigList - list openID configurations
func (*Config) GetIAMPolicyClaimName ¶
GetIAMPolicyClaimName - returns the policy claim name for the (at most one) provider configured without a role policy.
func (Config) GetRoleInfo ¶
GetRoleInfo - returns ARN to policies map if a role policy based openID provider is configured. Otherwise returns nil.
func (*Config) GetSettings ¶
func (r *Config) GetSettings() madmin.OpenIDSettings
GetSettings - fetches OIDC settings for site-replication related validation. NOTE that region must be populated by caller as this package does not know.
func (Config) LookupUser ¶
LookupUser lookup userid for the provider
func (*Config) PopulatePublicKey ¶
PopulatePublicKey - populates a new publickey from the JWKS URL.
func (Config) ProviderEnabled ¶
ProviderEnabled returns true if any vendor specific provider is enabled.
type DiscoveryDoc ¶
type DiscoveryDoc struct { Issuer string `json:"issuer,omitempty"` AuthEndpoint string `json:"authorization_endpoint,omitempty"` TokenEndpoint string `json:"token_endpoint,omitempty"` UserInfoEndpoint string `json:"userinfo_endpoint,omitempty"` RevocationEndpoint string `json:"revocation_endpoint,omitempty"` JwksURI string `json:"jwks_uri,omitempty"` ResponseTypesSupported []string `json:"response_types_supported,omitempty"` SubjectTypesSupported []string `json:"subject_types_supported,omitempty"` IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported,omitempty"` ScopesSupported []string `json:"scopes_supported,omitempty"` TokenEndpointAuthMethods []string `json:"token_endpoint_auth_methods_supported,omitempty"` ClaimsSupported []string `json:"claims_supported,omitempty"` CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"` }
DiscoveryDoc - parses the output from openid-configuration for example https://accounts.google.com/.well-known/openid-configuration
type JWKS ¶
type JWKS struct { Keys []*JWKS `json:"keys,omitempty"` Kty string `json:"kty"` Use string `json:"use,omitempty"` Kid string `json:"kid,omitempty"` Alg string `json:"alg,omitempty"` Crv string `json:"crv,omitempty"` X string `json:"x,omitempty"` Y string `json:"y,omitempty"` D string `json:"d,omitempty"` N string `json:"n,omitempty"` E string `json:"e,omitempty"` K string `json:"k,omitempty"` }