mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Trust STS IDP connection when the url is localhost (#2603)

Browse Source 
During SSO login, Console contacts MinIO server to generate new temporary credentials. When TLS is enabled, setting up a correct TLS certificate is something that needs to be done correctly by the user. However, recently, we started to skip the TLS verification when Console talks to MinIO server using a loopback address, but we missed the case of Console generating temporary credentials in case of IDP. This commit will get the configured MinIO server url to decide if the STS call needs to skip the TLS verification or not.

Co-authored-by: Anis Elleuch <anis@min.io>
This commit is contained in:
Anis Elleuch
2023-01-27 23:26:30 +01:00
committed by GitHub
parent ed281bbe4a
commit 34d62837fd
2 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
pkg/auth/idp/oauth2/provider.go
View File

@@ -113,6 +113,7 @@ type Provider struct {
RefreshToken string
oauth2Config Configuration
provHTTPClient *http.Client
stsHTTPClient *http.Client
}
// DefaultDerivedKey is the key used to compute the HMAC for signing the oauth state parameter
@@ -217,8 +218,8 @@ var defaultScopes = []string{"openid", "profile", "email"}
//
// We only support Authentication with the Authorization Code Flow - spec:
// https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error) {
ddoc, err := parseDiscoveryDoc(o[name].URL, httpClient)
func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *http.Request, idpClient, stsClient *http.Client) (*Provider, error) {
ddoc, err := parseDiscoveryDoc(o[name].URL, idpClient)
if err != nil {
return nil, err
}
@@ -277,7 +278,9 @@ func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *htt
client.IDPName = name
client.UserInfo = o[name].Userinfo
client.provHTTPClient = httpClient
client.provHTTPClient = idpClient
client.stsHTTPClient = stsClient
return client, nil
}
@@ -357,7 +360,7 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
stsEndpoint := GetSTSEndpoint()
sts := credentials.New(&credentials.STSWebIdentity{
Client: client.provHTTPClient,
Client: client.stsHTTPClient,
STSEndpoint: stsEndpoint,
GetWebIDTokenExpiry: getWebTokenExpiry,
RoleARN: roleARN,