During SSO login, Console contacts MinIO server to generate new temporary credentials. When TLS is enabled, setting up a correct TLS certificate is something that needs to be done correctly by the user. However, recently, we started to skip the TLS verification when Console talks to MinIO server using a loopback address, but we missed the case of Console generating temporary credentials in case of IDP. This commit will get the configured MinIO server url to decide if the STS call needs to skip the TLS verification or not.
Co-authored-by: Anis Elleuch <anis@min.io>
This is a regression from 118cf97e1d when
env var support for passing console configuration from MinIO was
removed.
This change ensures that all MinIO nodes in a cluster are able to verify
state tokens generated by other nodes in the cluster. Without this, it
is necessary to use sticky sessions in a loadbalancer to ensure that
OIDC authorization code login flow steps for a client happens on the
same minio node.
Fixes https://github.com/minio/minio/issues/15527
* Allow multiple IDPs config to be passed via struct
* This removes support for ENV based IDP configuration for console
* Ensure default scopes are used if none are given
* Add display name field for provider config
To enable this feature you need `CONSOLE_IDP_CALLBACK_DYNAMIC=on`
```
export CONSOLE_IDP_URL=https://gitlab.com/.well-known/openid-configuration
export CONSOLE_IDP_CLIENT_ID="b0088c3836bb029393942f71ed7c8ac0add7f0856e6c86e67b0ff98f85c48658"
export CONSOLE_IDP_SECRET="ed72087b37624e89816ac27c1355420902045274edd7baad2ae29b1b0e8436fe"
export CONSOLE_IDP_SCOPES="openid,profile,email"
export CONSOLE_IDP_USERINFO="on"
export CONSOLE_IDP_CALLBACK_DYNAMIC=on
console srv
```
if this becomes a common practice, we should enable this as default in future.
This PR includes many fixes and refactors for oauth2 authentication and
login endpoints, ie:
- Invalid login returns `403` instead of `500` error
- Removed the session token from console/operator `user credentials
login`, `oauth flow login` and `change-password` api responses
- Removed session token from localStorage
- Added styles for oauth_callback page and display more descriptive
errors for debugging
- Success logins returns `204` instead of `200`
- Removed unused swagger apis and code from both, operator and console
projects
- Operator `Oauth2` login flow was not validating anything, now it does
Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
- Update transport to use the same from Console in IDP Auth
- Validate provided idp URL
Co-authored-by: Harshavardhana <harsha@minio.io>
Signed-off-by: Ricardo Katz <rkatz@vmware.com>
Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
Co-authored-by: Ricardo Katz <rkatz@vmware.com>
Co-authored-by: Harshavardhana <harsha@minio.io>
With support for GitLab OpenID service,
we need to make sure to support userInfo
endpoint for this MinIO server requires that
access_token is additionally sent along with
id_token as before to make sure we can fetch
additional claims from /userinfo endpoint.
This PR brings support on console for this
feature.
Refer https://github.com/minio/minio/pull/12469
Embedded console was ignoring values set by CONSOLE_PBKDF_PASSPHRASE and
CONSOLE_PBKDF_SALT for generating new session tokens, derivedKey is used
to encrypt/decrypt session tokens generated by console
Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
x/oauth2 always wants a context with a custom http client embedded
when performing various requests. Ensure that the custom http client is
passed when requesting for a token.
- enhance logging throughout the codebase
- all packages at pkg/ should never log
or perform log.Fatal() instead packages
should return errors through functions.
- simplified various user, group mapping
and removed redundant functions.
- deprecate older flags like --tls-certificate
--tls-key and --tls-ca as we do not use
them anymore, keep them for backward compatibility
for some time.
This PR adds support for oidc in mcs, to enable idp
authentication you need to pass the following environment variables and
restart mcs.
```
MCS_IDP_URL=""
MCS_IDP_CLIENT_ID=""
MCS_IDP_SECRET=""
MCS_IDP_CALLBACK=""
```
