During SSO login, Console contacts MinIO server to generate new temporary credentials. When TLS is enabled, setting up a correct TLS certificate is something that needs to be done correctly by the user. However, recently, we started to skip the TLS verification when Console talks to MinIO server using a loopback address, but we missed the case of Console generating temporary credentials in case of IDP. This commit will get the configured MinIO server url to decide if the STS call needs to skip the TLS verification or not.
Co-authored-by: Anis Elleuch <anis@min.io>
This is a regression from 118cf97e1d when
env var support for passing console configuration from MinIO was
removed.
This change ensures that all MinIO nodes in a cluster are able to verify
state tokens generated by other nodes in the cluster. Without this, it
is necessary to use sticky sessions in a loadbalancer to ensure that
OIDC authorization code login flow steps for a client happens on the
same minio node.
Fixes https://github.com/minio/minio/issues/15527
* Allow multiple IDPs config to be passed via struct
* This removes support for ENV based IDP configuration for console
* Ensure default scopes are used if none are given
* Add display name field for provider config
- Added flag CONSOLE_OBJECT_BROWSER_ONLY=on to trigger between console mode & Object Browser only
- Hidden not necessary buttons for object browse
- STS Login
Signed-off-by: Benjamin Perez <benjamin@bexsoft.net>
Signed-off-by: Daniel Valdivia <18384552+dvaldivia@users.noreply.github.com>
- remove the use of encodeURI and encodeURIComponent functions and
instead use encodeFileName and decodeFileName functions
- support for users with special characters
- support for users with special characters
- support for users with special characters
- fixed incorrectly group list display for policies
Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
Similar to MinIO now it's possible to configure webhooks to log all
triggered errors and incomming requests via env variables:
```
CONSOLE_LOGGER_WEBHOOK_ENABLE_<ID>
CONSOLE_LOGGER_WEBHOOK_ENDPOINT_<ID>
CONSOLE_LOGGER_WEBHOOK_AUTH_TOKEN_<ID>
CONSOLE_LOGGER_WEBHOOK_CLIENT_CERT_<ID>
CONSOLE_LOGGER_WEBHOOK_CLIENT_KEY_<ID>
CONSOLE_LOGGER_WEBHOOK_QUEUE_SIZE_<ID>
CONSOLE_AUDIT_WEBHOOK_ENABLE_<ID>
CONSOLE_AUDIT_WEBHOOK_ENDPOINT_<ID>
CONSOLE_AUDIT_WEBHOOK_AUTH_TOKEN_<ID>
CONSOLE_AUDIT_WEBHOOK_CLIENT_CERT_<ID>
CONSOLE_AUDIT_WEBHOOK_QUEUE_SIZE_<ID>
```
Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
- Removed old registration flow
- Add support for new online and offline cluster registration flow
- Support login accounts with mfa enabled
- Registration screens
Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
- Some menu options were not showing even if the user has access to
perform the operations (IAM Policies)
- Deleted unecessary backend endpoints.go logic, instead using
SecureComponent to validate application routes and Menu options
rendering
- All the logic related to routes and permissions is now in the
permissions.ts file
- Added SecureComponent to List Users page
- Separated Menu options and routing logic for AdminConsole and
OperatorConsole
- Tools are hidden if user don't have access to them or MinIO is running
in fs mode (heal, audit log, etc
- Hide change-password button if user don't have access
- Hide create user button if user don't have access
- fixed some bugs when ldap/oidc is enabled
Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
To enable this feature you need `CONSOLE_IDP_CALLBACK_DYNAMIC=on`
```
export CONSOLE_IDP_URL=https://gitlab.com/.well-known/openid-configuration
export CONSOLE_IDP_CLIENT_ID="b0088c3836bb029393942f71ed7c8ac0add7f0856e6c86e67b0ff98f85c48658"
export CONSOLE_IDP_SECRET="ed72087b37624e89816ac27c1355420902045274edd7baad2ae29b1b0e8436fe"
export CONSOLE_IDP_SCOPES="openid,profile,email"
export CONSOLE_IDP_USERINFO="on"
export CONSOLE_IDP_CALLBACK_DYNAMIC=on
console srv
```
if this becomes a common practice, we should enable this as default in future.
This PR includes many fixes and refactors for oauth2 authentication and
login endpoints, ie:
- Invalid login returns `403` instead of `500` error
- Removed the session token from console/operator `user credentials
login`, `oauth flow login` and `change-password` api responses
- Removed session token from localStorage
- Added styles for oauth_callback page and display more descriptive
errors for debugging
- Success logins returns `204` instead of `200`
- Removed unused swagger apis and code from both, operator and console
projects
- Operator `Oauth2` login flow was not validating anything, now it does
Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
- `CONSOLE_STS_DURATION_IN_SECONDS` env renamed to `CONSOLE_STS_DURATION` to support more time formats
Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
