Updates the usage documentation of OpenID custom scopes (#9902)

Ivan Martinez-Ortiz 4 years ago committed by GitHub
parent f4b2ed2a92
commit 969b2d2110
  1. 3
      docs/sts/keycloak.md
  2. 10
      docs/sts/web-identity.go
  3. 2
      docs/sts/web-identity.md

@ -57,6 +57,7 @@ Set `identity_openid` config with `config_url`, `client_id` and restart MinIO
``` ```
~ mc admin config set myminio identity_openid config_url="http://localhost:8080/auth/realms/demo/.well-known/openid-configuration" client_id="account" ~ mc admin config set myminio identity_openid config_url="http://localhost:8080/auth/realms/demo/.well-known/openid-configuration" client_id="account"
``` ```
> Note: You can configure the `scopes` parameter to restrict the OpenID scopes requested by minio to the IdP, for example, `"openid,policy_role_attribute"`, being `policy_role_attribute` a client_scope / client_mapper that maps a role attribute called policy to a `policy` claim returned by Keycloak
Once successfully set restart the MinIO instance. Once successfully set restart the MinIO instance.
``` ```
@ -87,6 +88,8 @@ This will open the login page of keycloak, upon successful login, STS credential
} }
``` ```
> Note: You can use the `-cscopes` parameter to restrict the requested scopes, for example to `"openid,policy_role_attribute"`, being `policy_role_attribute` a client_scope / client_mapper that maps a role attribute called policy to a `policy` claim returned by Keycloak.
These credentials can now be used to perform MinIO API operations. These credentials can now be used to perform MinIO API operations.
## 5. Using MinIO Browser ## 5. Using MinIO Browser

@ -30,6 +30,7 @@ import (
"log" "log"
"net/http" "net/http"
"net/url" "net/url"
"strings"
"time" "time"
"golang.org/x/oauth2" "golang.org/x/oauth2"
@ -79,6 +80,7 @@ var (
configEndpoint string configEndpoint string
clientID string clientID string
clientSec string clientSec string
clientScopes string
port int port int
) )
@ -131,6 +133,7 @@ func init() {
"OpenID discovery document endpoint") "OpenID discovery document endpoint")
flag.StringVar(&clientID, "cid", "", "Client ID") flag.StringVar(&clientID, "cid", "", "Client ID")
flag.StringVar(&clientSec, "csec", "", "Client Secret") flag.StringVar(&clientSec, "csec", "", "Client Secret")
flag.StringVar(&clientScopes, "cscopes", "openid", "Client Scopes")
flag.IntVar(&port, "port", 8080, "Port") flag.IntVar(&port, "port", 8080, "Port")
} }
@ -148,6 +151,11 @@ func main() {
return return
} }
scopes := ddoc.ScopesSupported
if clientScopes != "" {
scopes = strings.Split(clientScopes, ",");
}
ctx := context.Background() ctx := context.Background()
config := oauth2.Config{ config := oauth2.Config{
@ -158,7 +166,7 @@ func main() {
TokenURL: ddoc.TokenEndpoint, TokenURL: ddoc.TokenEndpoint,
}, },
RedirectURL: fmt.Sprintf("http://localhost:%d/oauth2/callback", port), RedirectURL: fmt.Sprintf("http://localhost:%d/oauth2/callback", port),
Scopes: ddoc.ScopesSupported, Scopes: scopes,
} }
state := randomState() state := randomState()
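Review bot: The new scope parsing at `scopes = strings.Split(clientScopes, ",");` keeps surrounding whitespace and empty entries, so `-cscopes "openid, profile"` requests a scope literally named ` profile` and a stray trailing comma sends an empty scope to the IdP; trimming each entry and dropping blanks avoids sending a malformed scope list. The trailing semicolon on that line is also not gofmt-clean. Separately, since the flag defaults to `openid`, the `ddoc.ScopesSupported` fallback is only reachable with an explicit `-cscopes ""`, which silently inverts the earlier default of requesting every advertised scope — worth stating in the flag help, e.g. `"Comma-separated OpenID scopes to request (pass \"\" to request all scopes advertised by the IdP)"`. The body of main continues outside this hunk.
```go
scopes := ddoc.ScopesSupported
if clientScopes != "" {
	scopes = nil // do not alias ddoc.ScopesSupported's backing array
	for _, s := range strings.Split(clientScopes, ",") {
		if s = strings.TrimSpace(s); s != "" {
			scopes = append(scopes, s)
		}
	}
}
// … unchanged: oauth2.Config construction …
```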

@ -95,6 +95,8 @@ export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123 export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_OPENID_CONFIG_URL=https://accounts.google.com/.well-known/openid-configuration export MINIO_IDENTITY_OPENID_CONFIG_URL=https://accounts.google.com/.well-known/openid-configuration
export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a" export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
# Optional: Allow to specify the requested OpenID scopes (OpenID only requires the `openid` scope)
#export MINIO_IDENTITY_OPENID_SCOPES="openid,profile,email"
minio server /mnt/export minio server /mnt/export
``` ```
