diff --git a/cmd/config/identity/openid/help.go b/cmd/config/identity/openid/help.go index 9bb249c75..3a33a2839 100644 --- a/cmd/config/identity/openid/help.go +++ b/cmd/config/identity/openid/help.go @@ -44,6 +44,12 @@ var ( Optional: true, Type: "string", }, + config.HelpKV{ + Key: Scopes, + Description: `Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"`, + Optional: true, + Type: "csv", + }, config.HelpKV{ Key: config.Comment, Description: config.DefaultComment, diff --git a/cmd/config/identity/openid/jwt.go b/cmd/config/identity/openid/jwt.go index b652d422a..c247ad1cf 100644 --- a/cmd/config/identity/openid/jwt.go +++ b/cmd/config/identity/openid/jwt.go @@ -24,6 +24,7 @@ import ( "io" "net/http" "strconv" + "strings" "time" jwtgo "github.com/dgrijalva/jwt-go" @@ -217,12 +218,14 @@ const ( ClaimName = "claim_name" ClaimPrefix = "claim_prefix" ClientID = "client_id" + Scopes = "scopes" EnvIdentityOpenIDClientID = "MINIO_IDENTITY_OPENID_CLIENT_ID" EnvIdentityOpenIDJWKSURL = "MINIO_IDENTITY_OPENID_JWKS_URL" EnvIdentityOpenIDURL = "MINIO_IDENTITY_OPENID_CONFIG_URL" EnvIdentityOpenIDClaimName = "MINIO_IDENTITY_OPENID_CLAIM_NAME" EnvIdentityOpenIDClaimPrefix = "MINIO_IDENTITY_OPENID_CLAIM_PREFIX" + EnvIdentityOpenIDScopes = "MINIO_IDENTITY_OPENID_SCOPES" ) // DiscoveryDoc - parses the output from openid-configuration @@ -287,6 +290,10 @@ var ( Key: ClaimPrefix, Value: "", }, + config.KV{ + Key: Scopes, + Value: "", + }, config.KV{ Key: JwksURL, Value: "", 
@@ -331,6 +338,19 @@ func LookupConfig(kvs config.KVS, transport *http.Transport, closeRespFn func(io } } + if scopeList := env.Get(EnvIdentityOpenIDScopes, kvs.Get(Scopes)); scopeList != "" { + var scopes []string + for _, scope := range strings.Split(scopeList, ",") { + scope = strings.TrimSpace(scope) + if scope == "" { + return c, config.Errorf("empty scope value is not allowed '%s', please refer to our documentation", scopeList) + } + scopes = append(scopes, scope) + } + // Replace the discovery document scopes by client customized scopes. + c.DiscoveryDoc.ScopesSupported = scopes + } + if c.ClaimName == "" { c.ClaimName = iampolicy.PolicyName } diff --git a/docs/sts/README.md b/docs/sts/README.md index 10953c44e..8a8a7c0e1 100644 --- a/docs/sts/README.md +++ b/docs/sts/README.md 
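Review bot: The new scope loop only rejects empty entries, so a list such as `email,email` passes through and `c.DiscoveryDoc.ScopesSupported` ends up with repeated values; a small seen-set that skips duplicates keeps the override clean, and the error message should quote the operator-supplied value with `%q` rather than `'%s'` so stray whitespace is visible. Nothing in the hunk compares the configured list against what the discovery document advertised before it is overwritten, which appears intended given the help text, but if the discovery document was already fetched at this point it may be worth at least logging scopes absent from the advertised list so a typo is caught at startup rather than at token time. `LookupConfig` begins and ends outside this hunk.
```go
if scopeList := env.Get(EnvIdentityOpenIDScopes, kvs.Get(Scopes)); scopeList != "" {
	var scopes []string
	seen := make(map[string]struct{})
	for _, scope := range strings.Split(scopeList, ",") {
		scope = strings.TrimSpace(scope)
		if scope == "" {
			return c, config.Errorf("empty scope value is not allowed %q, please refer to our documentation", scopeList)
		}
		// Keep the first occurrence only; repeated scopes add nothing.
		if _, dup := seen[scope]; dup {
			continue
		}
		seen[scope] = struct{}{}
		scopes = append(scopes, scope)
	}
	// … unchanged: override of c.DiscoveryDoc.ScopesSupported …
}
```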
@@ -13,8 +13,8 @@ Following are advantages for using temporary credentials: ## Identity Federation |AuthN | Description | | :---------------------- | ------------------------------------------ | -| [**Client grants**](https://github.com/minio/minio/blob/master/docs/sts/client-grants.md) | Let applications request `client_grants` using any well-known third party identity provider such as KeyCloak, WSO2. This is known as the client grants approach to temporary access. Using this approach helps clients keep MinIO credentials to be secured. MinIO STS supports client grants, tested against identity providers such as WSO2, KeyCloak. | -| [**WebIdentity**](https://github.com/minio/minio/blob/master/docs/sts/web-identity.md) | Let users request temporary credentials using any OpenID(OIDC) compatible web identity providers such as Facebook, Google etc. | +| [**Client grants**](https://github.com/minio/minio/blob/master/docs/sts/client-grants.md) | Let applications request `client_grants` using any well-known third party identity provider such as KeyCloak, Okta. This is known as the client grants approach to temporary access. Using this approach helps clients keep MinIO credentials to be secured. MinIO STS supports client grants, tested against identity providers such as KeyCloak, Okta. | +| [**WebIdentity**](https://github.com/minio/minio/blob/master/docs/sts/web-identity.md) | Let users request temporary credentials using any OpenID(OIDC) compatible web identity providers such as KeyCloak, Facebook, Google etc. | | [**AssumeRole**](https://github.com/minio/minio/blob/master/docs/sts/assume-role.md) | Let MinIO users request temporary credentials using user access and secret keys. | | [**AD/LDAP**](https://github.com/minio/minio/blob/master/docs/sts/ldap.md) | Let AD/LDAP users request temporary credentials using AD/LDAP username and password. | 
@@ -24,22 +24,21 @@ In this document we will explain in detail on how to configure all the prerequis > NOTE: If you are interested in AssumeRole API only, skip to [here](https://github.com/minio/minio/blob/master/docs/sts/assume-role.md) ### 1. Prerequisites -- [Configuring wso2](https://github.com/minio/minio/blob/master/docs/sts/wso2.md) -- [Configuring opa (optional)](https://github.com/minio/minio/blob/master/docs/sts/opa.md) +- [Configuring keycloak](https://github.com/minio/minio/blob/master/docs/sts/keycloak.md) - [Configuring etcd (optional needed only in gateway or federation mode)](https://github.com/minio/minio/blob/master/docs/sts/etcd.md) -### 2. Setup MinIO with WSO2 +### 2. Setup MinIO with Keycloak Make sure we have followed the previous step and configured each software independently, once done we can now proceed to use MinIO STS API and MinIO server to use these credentials to perform object API operations. ``` export MINIO_ACCESS_KEY=minio export MINIO_SECRET_KEY=minio123 -export MINIO_IDENTITY_OPENID_CONFIG_URL=https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration +export MINIO_IDENTITY_OPENID_CONFIG_URL=http://localhost:8080/auth/realms/demo/.well-known/openid-configuration export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a" minio server /mnt/data ``` -### 3. Setup MinIO Gateway with WSO2, ETCD +### 3. Setup MinIO Gateway with Keycloak and Etcd Make sure we have followed the previous step and configured each software independently, once done we can now proceed to use MinIO STS API and MinIO gateway to use these credentials to perform object API operations. > NOTE: MinIO gateway requires etcd to be configured to use STS API. 
@@ -47,14 +46,14 @@ Make sure we have followed the previous step and configured each software indepe ``` export MINIO_ACCESS_KEY=aws_access_key export MINIO_SECRET_KEY=aws_secret_key -export MINIO_IDENTITY_OPENID_CONFIG_URL=https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration +export MINIO_IDENTITY_OPENID_CONFIG_URL=http://localhost:8080/auth/realms/demo/.well-known/openid-configuration export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a" export MINIO_ETCD_ENDPOINTS=http://localhost:2379 minio gateway s3 ``` ### 4. Test using client-grants.go -On another terminal run `client-grants.go` a sample client application which obtains JWT access tokens from an identity provider, in our case its WSO2. Uses the returned access token response to get new temporary credentials from the MinIO server using the STS API call `AssumeRoleWithClientGrants`. +On another terminal run `client-grants.go` a sample client application which obtains JWT access tokens from an identity provider, in our case its Keycloak. Uses the returned access token response to get new temporary credentials from the MinIO server using the STS API call `AssumeRoleWithClientGrants`. ``` go run client-grants.go -cid PoEgXP6uVO45IsENRngDXj5Au5Ya -csec eKsw6z8CtOJVBtrOWvhRWL4TUCga diff --git a/docs/sts/client-grants.md b/docs/sts/client-grants.md index 08e5738cf..d944f2ee7 100644 --- a/docs/sts/client-grants.md +++ b/docs/sts/client-grants.md 
@@ -16,7 +16,7 @@ ## Introduction -Returns a set of temporary security credentials for applications/clients who have been authenticated through client credential grants provided by identity provider. Example providers include WSO2, KeyCloak etc. +Returns a set of temporary security credentials for applications/clients who have been authenticated through client credential grants provided by identity provider. Example providers include KeyCloak, Okta etc. Calling AssumeRoleWithClientGrants does not require the use of MinIO default credentials. Therefore, client application can be distributed that requests temporary security credentials without including MinIO default credentials. Instead, the identity of the caller is validated by using a JWT access token from the identity provider. The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO API operations. 
@@ -93,20 +93,13 @@ http://minio.cluster:9000?Action=AssumeRoleWithClientGrants&DurationSeconds=3600 ``` export MINIO_ACCESS_KEY=minio export MINIO_SECRET_KEY=minio123 -export MINIO_IDENTITY_OPENID_CONFIG_URL=https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration -export MINIO_IDENTITY_OPENID_CLIENT_ID="7a243d56-1081-11ea-b1b9-0bad8bed6ca0" -export MINIO_POLICY_OPA_URL=http://localhost:8181/v1/data/httpapi/authz +export MINIO_IDENTITY_OPENID_CONFIG_URL=http://localhost:8080/auth/realms/demo/.well-known/openid-configuration +export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a" minio server /mnt/export - -mc admin config get myminio identity_openid -identity_openid config_url="https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration" - -mc admin config get myminio policy_opa -policy_opa url="http://localhost:8181/v1/data/httpapi/authz" auth_token= ``` Testing with an example -> Obtaining client ID and secrets follow [WSO2 configuring documentation](https://github.com/minio/minio/blob/master/docs/sts/wso2.md) +> Obtaining client ID and secrets follow [Keycloak configuring documentation](https://github.com/minio/minio/blob/master/docs/sts/keycloak.md) ``` $ go run client-grants.go -cid PoEgXP6uVO45IsENRngDXj5Au5Ya -csec eKsw6z8CtOJVBtrOWvhRWL4TUCga diff --git a/docs/sts/etcd.md b/docs/sts/etcd.md index a0c9703df..1f78a2ef8 100644 --- a/docs/sts/etcd.md +++ b/docs/sts/etcd.md 
@@ -41,7 +41,7 @@ minio server /data NOTE: If `etcd` is configured with `Client-to-server authentication with HTTPS client certificates` then you need to use additional envs such as `MINIO_ETCD_CLIENT_CERT` pointing to path to `etcd-client.crt` and `MINIO_ETCD_CLIENT_CERT_KEY` path to `etcd-client.key` . ### 4. Test with MinIO STS API -Assuming that you have configured MinIO server to support STS API by following the doc [MinIO STS Quickstart Guide](https://docs.min.io/docs/minio-sts-quickstart-guide) and once you have obtained the JWT from WSO2 as mentioned in [WSO2 Quickstart Guide](https://github.com/minio/minio/blob/master/docs/sts/wso2.md). +Assuming that you have configured MinIO server to support STS API by following the doc [MinIO STS Quickstart Guide](https://docs.min.io/docs/minio-sts-quickstart-guide) and once you have obtained the JWT from KeyCloak as mentioned in [KeyCloak Configuration Guide](https://github.com/minio/minio/blob/master/docs/sts/keycloak.md). ``` go run client-grants.go -cid PoEgXP6uVO45IsENRngDXj5Au5Ya -csec eKsw6z8CtOJVBtrOWvhRWL4TUCga diff --git a/docs/sts/keycloak.md b/docs/sts/keycloak.md index 372de6327..b66ab7423 100644 --- a/docs/sts/keycloak.md +++ b/docs/sts/keycloak.md 
@@ -21,6 +21,38 @@ $ export MINIO_SECRET_KEY=minio123 $ minio server /mnt/export ``` +Here are all the available options to configure OpenID connect +``` +mc admin config set myminio/ identity_openid + +KEY: +identity_openid enable OpenID SSO support + +ARGS: +config_url* (url) openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration" +client_id (string) unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com" +claim_name (string) JWT canned policy claim name, defaults to "policy" +claim_prefix (string) JWT claim namespace prefix e.g. "customer1/" +scopes (csv) Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin" +comment (sentence) optionally add a comment to this setting +``` + +and for ENV based options +``` +mc admin config set myminio/ identity_openid --env + +KEY: +identity_openid enable OpenID SSO support + +ARGS: +MINIO_IDENTITY_OPENID_CONFIG_URL* (url) openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration" +MINIO_IDENTITY_OPENID_CLIENT_ID (string) unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com" +MINIO_IDENTITY_OPENID_CLAIM_NAME (string) JWT canned policy claim name, defaults to "policy" +MINIO_IDENTITY_OPENID_CLAIM_PREFIX (string) JWT claim namespace prefix e.g. "customer1/" +MINIO_IDENTITY_OPENID_SCOPES (csv) Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin" +MINIO_IDENTITY_OPENID_COMMENT (sentence) optionally add a comment to this setting +``` + Set `identity_openid` config with `config_url`, `client_id` and restart MinIO ``` ~ mc admin config set myminio identity_openid config_url="http://localhost:8080/auth/realms/demo/.well-known/openid-configuration" client_id="account" diff --git a/docs/sts/web-identity.md b/docs/sts/web-identity.md index 6c25f308f..1050c88da 100644 
--- a/docs/sts/web-identity.md +++ b/docs/sts/web-identity.md @@ -93,8 +93,8 @@ http://minio.cluster:9000?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600& ``` export MINIO_ACCESS_KEY=minio export MINIO_SECRET_KEY=minio123 -export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a" export MINIO_IDENTITY_OPENID_CONFIG_URL=https://accounts.google.com/.well-known/openid-configuration +export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a" minio server /mnt/export ```