Issue when loggin using OIDC

[Linuxine]

Hi,

I have a minio server running in Kubernetes, and as the recent versions of the console do not allow OIDC anymore, I was trying the setup a Console container to connect to minio - thanks for the fork, by the way !

I have created a deployment, a service and and ingress.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: minio-console
  namespace: minio
  labels:
    app: minio-console
spec:
  replicas: 1
  selector:
    matchLabels:
      app: minio-console
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: minio-console
      name: minio-console
    spec:
      containers:
        - name: minio-console
          image: ghcr.io/georgmangold/console
          imagePullPolicy: IfNotPresent
          env: 
          - name: CONSOLE_MINIO_SERVER
            value: https://yyy
          - name: CONSOLE_IDP_URL
            value: https://xxx/realms/azure-ad/.well-known/openid-configuration
          - name: CONSOLE_IDP_CLIENT_ID
            valueFrom:
              secretKeyRef:
                key: client-id
                name: minio-oidc-secret
          - name: CONSOLE_IDP_SECRET
            valueFrom:
              secretKeyRef:
                key: client-secret
                name: minio-oidc-secret
          - name: CONSOLE_IDP_CALLBACK
            value: https://zzz/oauth_callback
          - name: MINIO_IDENTITY_OPENID_CONFIG_URL
            value: https://xxx/realms/azure-ad/.well-known/openid-configuration
          - name: MINIO_IDENTITY_OPENID_CLIENT_ID
            valueFrom:
              secretKeyRef:
                key: client-id
                name: minio-oidc-secret
          - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
            valueFrom:
              secretKeyRef:
                key: client-secret
                name: minio-oidc-secret
          - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
            value: policy
          - name: MINIO_IDENTITY_OPENID_SCOPES
            value: openid,profile,email
          - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
            value: https://zzz/oauth_callback
          ports:
          - containerPort: 9090
            name: http
            protocol: TCP

apiVersion: v1
kind: Service
metadata:
  name: minio-console-svc
  namespace: minio
  labels:
    app: minio-console
spec:
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app: minio-console
  sessionAffinity: None
  type: ClusterIP
  
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: issuer
  labels:
    app: minio-console
  name: minio-console
  namespace: minio
spec:
  ingressClassName: nginx
  rules:
  - host: zzz
    http:
      paths:
      - backend:
          service:
            name: minio-console-svc
            port:
              number: 9090
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - zzz
    secretName: minio-tls

On the console login page, I can successful login as the minio admin user.

I can use the "login with SSO (OIDC)" button and tologin correctly using my OIDC provider. I can see in my provider log that the session is validated. But after login, I am redirected to the login page again.... The web log indicate a 403 error when getting https://zzz/api/v1/session with the message "invalid session". I have no log in my minio pod, and in the minio-console pod I only get the following log:

│ minio-console-7f7f54fd8-6p764 ErrorWithContext:Access Denied.                                                                                                                                                  
│ minio-console-7f7f54fd8-6p764 %!(EXTRA *errors.errorString=invalid session)    

I am guessing there might be an issue with my OIDC setup ? In my minio I have a "console" user and a "consoleAdmin" policy with admin rights. In my OIDC provider (Keycloak with an Azure AD Realm, to make things simpler 😅 ) I have created a bunch of roles and mapper with this name, but I am not even sure this is an OIDC issue ? Is it a redirection issue ? My minio server is reachable at the url"yyy" and the console at the url "zzz", is it the right place to look for the session information ?

Any help would be appreciated ! 🙏

[georgmangold]

Can´t help you with Kubernetes, but you have the wrong value for redirection CONSOLE_IDP_CALLBACK, needs to be without /oauth_callback at the end https://zzz.

You only need to use CONSOLE_ over the MINIO_ variables.

After that you can troubleshoot permissions issues.
MINIO_IDENTITY_OPENID_CLAIM_NAME is only set on minio server side. If you have set it to policy, it would assume it gets a field policy with the value consoleAdmin, policy needs to be included the the scope as well. If you would leave it on name you need on minio a matching policy to the username from your OIDC provider.
But the console should tell you that, if you have the right redirect url.

[Linuxine]

Hi,

thanks a lot for the answer ! I tried indeed without the oauth_callback, without luck.

I guess part of my issue here is that my OIDC setting is quite complicated, and I don't have a good enough understanding of all the mapping that would need to be done between my minio instance, my keycloak instance and Entra instance to find the issue here. As there were only a few users that needed to use the Console, I fall back to creating them manually through the console, and I think I will keep it without OIDC.

Thanks again for the help !