Fix oauth state generation for OIDC login (#2333)

This is a regression from 118cf97e1d when
env var support for passing console configuration from MinIO was
removed.

This change ensures that all MinIO nodes in a cluster are able to verify
state tokens generated by other nodes in the cluster. Without this, it
is necessary to use sticky sessions in a load balancer to ensure that
the OIDC authorization code login flow steps for a client happen on the
same MinIO node.

Fixes https://github.com/minio/minio/issues/15527
This commit is contained in:
Aditya Manthramurthy
2022-09-23 08:30:45 -07:00
committed by GitHub
parent bebe860903
commit fc95ab8658
6 changed files with 48 additions and 21 deletions


@@ -162,7 +162,10 @@ func getLoginDetailsResponse(params authApi.LoginDetailParams, openIDProviders o
return nil, ErrorWithContext(ctx, err, ErrOauth2Provider)
}
// Validate user against IDP
identityProvider := &auth.IdentityProvider{Client: oauth2Client}
identityProvider := &auth.IdentityProvider{
KeyFunc: provider.GetStateKeyFunc(),
Client: oauth2Client,
}
redirectURL = append(redirectURL, identityProvider.GenerateLoginURL())
if provider.DisplayName != "" {
displayNames = append(displayNames, provider.DisplayName)
@@ -201,7 +204,10 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams, openIDProv
return nil, ErrorWithContext(ctx, err)
}
// initialize new identity provider
identityProvider := auth.IdentityProvider{Client: oauth2Client}
identityProvider := auth.IdentityProvider{
KeyFunc: openIDProviders[idpName].GetStateKeyFunc(),
Client: oauth2Client,
}
// Validate user against IDP
userCredentials, err := verifyUserAgainstIDP(ctx, identityProvider, *lr.Code, *lr.State)
if err != nil {
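Review bot: `openIDProviders[idpName]` on the line after `// initialize new identity provider` is indexed without a presence check, so a missing idpName yields the map's zero value and `GetStateKeyFunc()` is invoked on it; whether that panics or quietly returns an unusable key depends on the receiver type, which is not visible here. If the lookup is already guarded earlier in getLoginOauth2AuthResponse (the function starts outside the hunk), reuse that provider value rather than re-indexing; otherwise add `provider, ok := openIDProviders[idpName]` with an `if !ok` return mirroring the `ErrOauth2Provider` error used in the first hunk. Both hunks also leave the cluster-wide invariant undocumented; a comment on each `KeyFunc:` line such as `// KeyFunc must derive the state-signing key from shared provider config so any node can verify a state issued by another node` would record why a per-node key was the regression.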