Updates the usage documentation of OpenID custom scopes (#9902)

master
Ivan Martinez-Ortiz 5 years ago committed by GitHub
parent f4b2ed2a92
commit 969b2d2110
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 3
      docs/sts/keycloak.md
  2. 10
      docs/sts/web-identity.go
  3. 2
      docs/sts/web-identity.md

@ -57,6 +57,7 @@ Set `identity_openid` config with `config_url`, `client_id` and restart MinIO
```
~ mc admin config set myminio identity_openid config_url="http://localhost:8080/auth/realms/demo/.well-known/openid-configuration" client_id="account"
```
> Note: You can configure the `scopes` parameter to restrict the OpenID scopes requested by minio to the IdP, for example, `"openid,policy_role_attribute"`, being `policy_role_attribute` a client_scope / client_mapper that maps a role attribute called policy to a `policy` claim returned by Keycloak
Once successfully set restart the MinIO instance.
```
@ -87,6 +88,8 @@ This will open the login page of keycloak, upon successful login, STS credential
}
```
> Note: You can use the `-cscopes` parameter to restrict the requested scopes, for example to `"openid,policy_role_attribute"`, being `policy_role_attribute` a client_scope / client_mapper that maps a role attribute called policy to a `policy` claim returned by Keycloak.
These credentials can now be used to perform MinIO API operations.
## 5. Using MinIO Browser

@ -30,6 +30,7 @@ import (
"log"
"net/http"
"net/url"
"strings"
"time"
"golang.org/x/oauth2"
@ -79,6 +80,7 @@ var (
configEndpoint string
clientID string
clientSec string
clientScopes string
port int
)
@ -131,6 +133,7 @@ func init() {
"OpenID discovery document endpoint")
flag.StringVar(&clientID, "cid", "", "Client ID")
flag.StringVar(&clientSec, "csec", "", "Client Secret")
flag.StringVar(&clientScopes, "cscopes", "openid", "Client Scopes")
flag.IntVar(&port, "port", 8080, "Port")
}
@ -148,6 +151,11 @@ func main() {
return
}
scopes := ddoc.ScopesSupported
if clientScopes != "" {
scopes = strings.Split(clientScopes, ",");
}
ctx := context.Background()
config := oauth2.Config{
@ -158,7 +166,7 @@ func main() {
TokenURL: ddoc.TokenEndpoint,
},
RedirectURL: fmt.Sprintf("http://localhost:%d/oauth2/callback", port),
Scopes: ddoc.ScopesSupported,
Scopes: scopes,
}
state := randomState()

@ -95,6 +95,8 @@ export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_OPENID_CONFIG_URL=https://accounts.google.com/.well-known/openid-configuration
export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
# Optional: Allow to specify the requested OpenID scopes (OpenID only requires the `openid` scope)
#export MINIO_IDENTITY_OPENID_SCOPES="openid,profile,email"
minio server /mnt/export
```

Loading…
Cancel
Save