Display errors during IDP authentication (#685)

pkg/auth/idp/oauth2/config.go

@@ -66,3 +66,13 @@ var defaultSaltForIdpHmac = utils.RandomCharString(64)
 func getSaltForIdpHmac() string {
 	return env.Get(ConsoleIdpHmacSalt, defaultSaltForIdpHmac)
 }
+
+// getIdpScopes return default scopes during the IDP login request
+func getIdpScopes() string {
+	return env.Get(ConsoleIDPScopes, "openid,profile,app_metadata,user_metadata,email")
+}
+
+// getIdpTokenExpiration return default token expiration for access token (in seconds)
+func getIdpTokenExpiration() string {
+	return env.Get(ConsoleIDPTokenExpiration, "3600")
+}

pkg/auth/idp/oauth2/const.go

@@ -25,4 +25,6 @@ const (
 	ConsoleIdpCallbackURL     = "CONSOLE_IDP_CALLBACK"
 	ConsoleIdpHmacPassphrase  = "CONSOLE_IDP_HMAC_PASSPHRASE"
 	ConsoleIdpHmacSalt        = "CONSOLE_IDP_HMAC_SALT"
+	ConsoleIDPScopes          = "CONSOLE_IDP_SCOPES"
+	ConsoleIDPTokenExpiration = "CONSOLE_IDP_TOKEN_EXPIRATION"
 )

pkg/auth/idp/oauth2/provider.go

@@ -25,6 +25,7 @@ import (
 	"log"
 	"net/http"
 	"net/url"
+	"strconv"
 	"strings"
 	"time"
 
@@ -115,12 +116,14 @@ func NewOauth2ProviderClient(ctx context.Context, scopes []string, httpClient *h
 	if err != nil {
 		return nil, err
 	}
+	// below verification should not be necessary if the user configure exactly the
+	// scopes he need, will be removed on a future release
 	if u.Host == "google.com" {
 		scopes = []string{oidc.ScopeOpenID}
 	}
-	// If provided scopes are empty we use a default list
+	// If provided scopes are empty we use a default list or the user configured list
 	if len(scopes) == 0 {
-		scopes = []string{oidc.ScopeOpenID, "profile", "app_metadata", "user_metadata", "email"}
+		scopes = strings.Split(getIdpScopes(), ",")
 	}
 	client := new(Provider)
 	client.oauth2Config = &xoauth2.Config{
@@ -177,9 +180,22 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state string)
 			return nil, errors.New("invalid token")
 		}
 
+		// expiration configured in the token itself
+		expiration := int(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds())
+
+		// check if user configured a hardcoded expiration for console via env variables
+		// and override the incoming expiration
+		userConfiguredExpiration := getIdpTokenExpiration()
+		if userConfiguredExpiration != "" {
+			expiration, _ = strconv.Atoi(userConfiguredExpiration)
+		}
+		idToken := oauth2Token.Extra("id_token")
+		if idToken == nil {
+			return nil, errors.New("returned token is missing id_token claim")
+		}
 		return &credentials.WebIdentityToken{
-			Token:  oauth2Token.Extra("id_token").(string),
-			Expiry: int(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds()),
+			Token:  idToken.(string),
+			Expiry: expiration,
 		}, nil
 	}
 	stsEndpoint := GetSTSEndpoint()

portal-ui/build/asset-manifest.json

@@ -1,25 +1,25 @@
 {
   "files": {
     "main.css": "/static/css/main.a19f3d53.chunk.css",
-    "main.js": "/static/js/main.92bfa60e.chunk.js",
-    "main.js.map": "/static/js/main.92bfa60e.chunk.js.map",
+    "main.js": "/static/js/main.2368c861.chunk.js",
+    "main.js.map": "/static/js/main.2368c861.chunk.js.map",
     "runtime-main.js": "/static/js/runtime-main.f48e99e5.js",
     "runtime-main.js.map": "/static/js/runtime-main.f48e99e5.js.map",
     "static/css/2.f324abd6.chunk.css": "/static/css/2.f324abd6.chunk.css",
-    "static/js/2.26e254ca.chunk.js": "/static/js/2.26e254ca.chunk.js",
-    "static/js/2.26e254ca.chunk.js.map": "/static/js/2.26e254ca.chunk.js.map",
+    "static/js/2.e01324bd.chunk.js": "/static/js/2.e01324bd.chunk.js",
+    "static/js/2.e01324bd.chunk.js.map": "/static/js/2.e01324bd.chunk.js.map",
     "index.html": "/index.html",
     "static/css/2.f324abd6.chunk.css.map": "/static/css/2.f324abd6.chunk.css.map",
     "static/css/main.a19f3d53.chunk.css.map": "/static/css/main.a19f3d53.chunk.css.map",
-    "static/js/2.26e254ca.chunk.js.LICENSE.txt": "/static/js/2.26e254ca.chunk.js.LICENSE.txt",
+    "static/js/2.e01324bd.chunk.js.LICENSE.txt": "/static/js/2.e01324bd.chunk.js.LICENSE.txt",
     "static/media/minio_console_logo.0837460e.svg": "/static/media/minio_console_logo.0837460e.svg",
     "static/media/minio_operator_logo.1312b7c9.svg": "/static/media/minio_operator_logo.1312b7c9.svg"
   },
   "entrypoints": [
     "static/js/runtime-main.f48e99e5.js",
     "static/css/2.f324abd6.chunk.css",
-    "static/js/2.26e254ca.chunk.js",
+    "static/js/2.e01324bd.chunk.js",
     "static/css/main.a19f3d53.chunk.css",
-    "static/js/main.92bfa60e.chunk.js"
+    "static/js/main.2368c861.chunk.js"
   ]
 }

portal-ui/build/index.html

@@ -1 +1 @@
-<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#000000"/><meta name="description" content="MinIO Console"/><link href="https://fonts.googleapis.com/css2?family=Lato:wght@400;500;700;900&display=swap" rel="stylesheet"/><link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png"/><link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="96x96" href="/favicon-96x96.png"/><link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/><link rel="manifest" href="/manifest.json"/><link rel="mask-icon" href="/safari-pinned-tab.svg" color="#3a4e54"/><title>MinIO Console</title><link href="/static/css/2.f324abd6.chunk.css" rel="stylesheet"><link href="/static/css/main.a19f3d53.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"></div><script>!function(e){function r(r){for(var n,l,i=r[0],a=r[1],p=r[2],c=0,s=[];c<i.length;c++)l=i[c],Object.prototype.hasOwnProperty.call(o,l)&&o[l]&&s.push(o[l][0]),o[l]=0;for(n in a)Object.prototype.hasOwnProperty.call(a,n)&&(e[n]=a[n]);for(f&&f(r);s.length;)s.shift()();return u.push.apply(u,p||[]),t()}function t(){for(var e,r=0;r<u.length;r++){for(var t=u[r],n=!0,i=1;i<t.length;i++){var a=t[i];0!==o[a]&&(n=!1)}n&&(u.splice(r--,1),e=l(l.s=t[0]))}return e}var n={},o={1:0},u=[];function l(r){if(n[r])return n[r].exports;var t=n[r]={i:r,l:!1,exports:{}};return e[r].call(t.exports,t,t.exports,l),t.l=!0,t.exports}l.m=e,l.c=n,l.d=function(e,r,t){l.o(e,r)||Object.defineProperty(e,r,{enumerable:!0,get:t})},l.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},l.t=function(e,r){if(1&r&&(e=l(e)),8&r)return e;if(4&r&&"object"==typeof e&&e&&e.__esModule)return e;var t=Object.create(null);if(l.r(t),Object.defineProperty(t,"default",{enumerable:!0,value:e}),2&r&&"string"!=typeof e)for(var n in e)l.d(t,n,function(r){return e[r]}.bind(null,n));return t},l.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return l.d(r,"a",r),r},l.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},l.p="/";var i=this["webpackJsonpportal-ui"]=this["webpackJsonpportal-ui"]||[],a=i.push.bind(i);i.push=r,i=i.slice();for(var p=0;p<i.length;p++)r(i[p]);var f=a;t()}([])</script><script src="/static/js/2.26e254ca.chunk.js"></script><script src="/static/js/main.92bfa60e.chunk.js"></script></body></html>
+<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#000000"/><meta name="description" content="MinIO Console"/><link href="https://fonts.googleapis.com/css2?family=Lato:wght@400;500;700;900&display=swap" rel="stylesheet"/><link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png"/><link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="96x96" href="/favicon-96x96.png"/><link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/><link rel="manifest" href="/manifest.json"/><link rel="mask-icon" href="/safari-pinned-tab.svg" color="#3a4e54"/><title>MinIO Console</title><link href="/static/css/2.f324abd6.chunk.css" rel="stylesheet"><link href="/static/css/main.a19f3d53.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"></div><script>!function(e){function r(r){for(var n,l,i=r[0],a=r[1],p=r[2],c=0,s=[];c<i.length;c++)l=i[c],Object.prototype.hasOwnProperty.call(o,l)&&o[l]&&s.push(o[l][0]),o[l]=0;for(n in a)Object.prototype.hasOwnProperty.call(a,n)&&(e[n]=a[n]);for(f&&f(r);s.length;)s.shift()();return u.push.apply(u,p||[]),t()}function t(){for(var e,r=0;r<u.length;r++){for(var t=u[r],n=!0,i=1;i<t.length;i++){var a=t[i];0!==o[a]&&(n=!1)}n&&(u.splice(r--,1),e=l(l.s=t[0]))}return e}var n={},o={1:0},u=[];function l(r){if(n[r])return n[r].exports;var t=n[r]={i:r,l:!1,exports:{}};return e[r].call(t.exports,t,t.exports,l),t.l=!0,t.exports}l.m=e,l.c=n,l.d=function(e,r,t){l.o(e,r)||Object.defineProperty(e,r,{enumerable:!0,get:t})},l.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},l.t=function(e,r){if(1&r&&(e=l(e)),8&r)return e;if(4&r&&"object"==typeof e&&e&&e.__esModule)return e;var t=Object.create(null);if(l.r(t),Object.defineProperty(t,"default",{enumerable:!0,value:e}),2&r&&"string"!=typeof e)for(var n in e)l.d(t,n,function(r){return e[r]}.bind(null,n));return t},l.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return l.d(r,"a",r),r},l.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},l.p="/";var i=this["webpackJsonpportal-ui"]=this["webpackJsonpportal-ui"]||[],a=i.push.bind(i);i.push=r,i=i.slice();for(var p=0;p<i.length;p++)r(i[p]);var f=a;t()}([])</script><script src="/static/js/2.e01324bd.chunk.js"></script><script src="/static/js/main.2368c861.chunk.js"></script></body></html>

portal-ui/src/screens/LoginPage/LoginCallback.tsx

@@ -14,15 +14,25 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import React, { FC, useEffect } from "react"; // eslint-disable-line @typescript-eslint/no-unused-vars
+import React, { FC, useEffect, useState } from "react"; // eslint-disable-line @typescript-eslint/no-unused-vars
 import { RouteComponentProps } from "react-router";
 import storage from "local-storage-fallback";
 import api from "../../common/api";
 
 const LoginCallback: FC<RouteComponentProps> = ({ location }) => {
+  const [error, setError] = useState<string>("");
+  const [errorDescription, setErrorDescription] = useState<string>("");
   useEffect(() => {
     const code = (location.search.match(/code=([^&]+)/) || [])[1];
     const state = (location.search.match(/state=([^&]+)/) || [])[1];
+    const error = (location.search.match(/error=([^&]+)/) || [])[1];
+    const errorDescription = (location.search.match(
+      /error_description=([^&]+)/
+    ) || [])[1];
+    if (error != undefined || errorDescription != undefined) {
+      setError(error);
+      setErrorDescription(errorDescription);
+    } else {
       api
         .invoke("POST", "/api/v1/login/oauth2/auth", { code, state })
         .then((res: any) => {
@@ -37,8 +47,15 @@ const LoginCallback: FC<RouteComponentProps> = ({ location }) => {
           window.location.href = "/login";
         });
       // eslint-disable-next-line react-hooks/exhaustive-deps
+    }
   }, []);
-  return null;
+  return error != "" || errorDescription != "" ? (
+    <div>
+      <h2>IDP Error:</h2>
+      <p>{error}</p>
+      <p>{errorDescription}</p>
+    </div>
+  ) : null;
 };
 
 export default LoginCallback;