Trust STS IDP connection when the url is localhost (#2603)

During SSO login, Console contacts MinIO server to generate new temporary credentials. When TLS is enabled, setting up a correct TLS certificate is something that needs to be done correctly by the user. However, recently, we started to skip the TLS verification when Console talks to MinIO server using a loopback address, but we missed the case of Console generating temporary credentials in case of IDP. This commit will get the configured MinIO server url to decide if the STS call needs to skip the TLS verification or not. Co-authored-by: Anis Elleuch <anis@min.io>
2023-01-27 23:26:30 +01:00
parent ed281bbe4a
commit 34d62837fd
2 changed files with 9 additions and 6 deletions
--- a/pkg/auth/idp/oauth2/provider.go
+++ b/pkg/auth/idp/oauth2/provider.go
@@ -113,6 +113,7 @@ type Provider struct {
 	RefreshToken   string
 	oauth2Config   Configuration
 	provHTTPClient *http.Client
 	stsHTTPClient  *http.Client
 }
 // DefaultDerivedKey is the key used to compute the HMAC for signing the oauth state parameter
@@ -217,8 +218,8 @@ var defaultScopes = []string{"openid", "profile", "email"}
 //
 // We only support Authentication with the Authorization Code Flow - spec:
 // https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
-func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error) {
+func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *http.Request, idpClient, stsClient *http.Client) (*Provider, error) {
-	ddoc, err := parseDiscoveryDoc(o[name].URL, httpClient)
+	ddoc, err := parseDiscoveryDoc(o[name].URL, idpClient)
 	if err != nil {
 		return nil, err
 	}
@@ -277,7 +278,9 @@ func (o OpenIDPCfg) NewOauth2ProviderClient(name string, scopes []string, r *htt
 	client.IDPName = name
 	client.UserInfo = o[name].Userinfo
-	client.provHTTPClient = httpClient
+
 	client.provHTTPClient = idpClient
 	client.stsHTTPClient = stsClient
 	return client, nil
 }
@@ -357,7 +360,7 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
 	stsEndpoint := GetSTSEndpoint()
 	sts := credentials.New(&credentials.STSWebIdentity{
-		Client:              client.provHTTPClient,
+		Client:              client.stsHTTPClient,
 		STSEndpoint:         stsEndpoint,
 		GetWebIDTokenExpiry: getWebTokenExpiry,
 		RoleARN:             roleARN,
--- a/restapi/user_login.go
+++ b/restapi/user_login.go
@@ -176,7 +176,7 @@ func getLoginDetailsResponse(params authApi.LoginDetailParams, openIDProviders o
 		loginStrategy = models.LoginDetailsLoginStrategyRedirect
 		for name, provider := range openIDProviders {
 			// initialize new oauth2 client
-			oauth2Client, err := openIDProviders.NewOauth2ProviderClient(name, nil, r, GetConsoleHTTPClient(""))
+			oauth2Client, err := openIDProviders.NewOauth2ProviderClient(name, nil, r, GetConsoleHTTPClient(""), GetConsoleHTTPClient(getMinIOServer()))
 			if err != nil {
 				return nil, ErrorWithContext(ctx, err, ErrOauth2Provider)
 			}
@@ -244,7 +244,7 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams, openIDProv
 		IDPName := requestItems.IDPName
 		state := requestItems.State
 		providerCfg := openIDProviders[IDPName]
-		oauth2Client, err := openIDProviders.NewOauth2ProviderClient(IDPName, nil, r, GetConsoleHTTPClient(""))
+		oauth2Client, err := openIDProviders.NewOauth2ProviderClient(IDPName, nil, r, GetConsoleHTTPClient(""), GetConsoleHTTPClient(getMinIOServer()))
 		if err != nil {
 			return nil, ErrorWithContext(ctx, err)
 		}