Fix oauth state generation for OIDC login (#2333)

This is a regression from 118cf97e1d when
env var support for passing console configuration from MinIO was
removed.

This change ensures that all MinIO nodes in a cluster are able to verify
state tokens generated by other nodes in the cluster. Without this, it
is necessary to use sticky sessions in a loadbalancer to ensure that
OIDC authorization code login flow steps for a client happen on the
same MinIO node.

Fixes https://github.com/minio/minio/issues/15527
This commit is contained in:
Aditya Manthramurthy
2022-09-23 08:30:45 -07:00
committed by GitHub
parent bebe860903
commit fc95ab8658
6 changed files with 48 additions and 21 deletions


@@ -111,7 +111,10 @@ func getLoginDetailsResponse(params authApi.LoginDetailParams) (*models.LoginDet
return nil, restapi.ErrorWithContext(ctx, err)
}
// Validate user against IDP
identityProvider := &auth.IdentityProvider{Client: oauth2Client}
identityProvider := &auth.IdentityProvider{
KeyFunc: oauth2.DefaultDerivedKey,
Client: oauth2Client,
}
redirectURL = append(redirectURL, identityProvider.GenerateLoginURL())
}
@@ -146,7 +149,10 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams) (*models.L
return nil, restapi.ErrorWithContext(ctx, err)
}
// initialize new identity provider
identityProvider := auth.IdentityProvider{Client: oauth2Client}
identityProvider := auth.IdentityProvider{
KeyFunc: oauth2.DefaultDerivedKey,
Client: oauth2Client,
}
// Validate user against IDP
_, err = verifyUserAgainstIDP(ctx, identityProvider, *lr.Code, *lr.State)
if err != nil {
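Review bot: Both hunks set `KeyFunc: oauth2.DefaultDerivedKey` by hand inside the struct literal, which is exactly the field whose omission caused the regression this commit fixes, so any third call site that builds an `auth.IdentityProvider` without it would regress silently again. A constructor in the auth package that fills in the default key function (or a check in the provider that fails when `KeyFunc` is nil instead of falling back) would make the cluster-wide-key requirement enforceable rather than something each caller has to remember. The two literals also differ in form, `&auth.IdentityProvider{...}` in the first hunk versus a value `auth.IdentityProvider{...}` here, which is worth aligning. Presumably DefaultDerivedKey derives the state-signing key from credentials shared across the cluster, which is what lets any node verify another node's state token; a call-site comment such as `// KeyFunc must be identical on every node so any node can verify the OIDC state` would record that invariant. Both enclosing functions, getLoginDetailsResponse and getLoginOauth2AuthResponse, start and end outside the hunks.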