Description
I considered writing this on #13377 or #13381; however, these are mostly related to AWS specifically, which isn't quite what I am looking for. I am currently using Wasabi for S3 and looking for a way to authenticate users from an IdP (SSO).
Wasabi supports AssumeRole, however to use that directly I would need to create users on Wasabi and manage their privileges there; and I would rather manage user accounts and their privileges from our IdP.
My goals are:
- Avoid users having to use anything other than Cyberduck. Users should be able to install a profile and be prompted to login.
- Configuring privileges (roles) is handled outside of Cyberduck.
- Should be compatible with anything that returns credentials in a valid format, e.g. `AssumeRoleWithWebIdentityResponse` or `AssumeRoleResponse`.
I would like to do something like the following:
- Cyberduck opens a browser window to a configurable URL (as it does for Dropbox/GDrive).
- User authenticates in the browser window to an external service.
- External service uses Wasabi's STS to create appropriately privileged temporary credentials.
- Callback to Cyberduck with ??? (see below)
I am not entirely sure how the callback to Wasabi could be done or what is feasible. Cyberduck would obviously need the credentials, and some way to refresh the credentials when they are about to expire, like a session token or cookie.
While AWS' S3 SDK is very general and allows access to any compliant service, their authentication, particularly related to SSO, seems to be very locked to their IdP. Additionally, using an external configuration file (e.g. `~/.aws/credentials`) is not user friendly.
I've read through the documentation and not found anything helpful, and neither have other issues on the topic, such as this one: #11133
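The two response formats named above differ only in their root and wrapper element names, while the `Credentials` block (access key, secret, session token, expiration) is the same, and the expiration is what drives the refresh the post asks for. As an added illustration that is not part of the issue or of Cyberduck's code, the following parses either document and decides when a client should go back to the IdP/STS flow; the sample XML and every value in it are constructed placeholders, and the 5-minute refresh margin is an assumed default.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed sample shaped like an STS AssumeRoleWithWebIdentityResponse;
# every value is a placeholder, not a real credential.
SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEYID</AccessKeyId>
      <SecretAccessKey>EXAMPLE-SECRET-KEY-PLACEHOLDER</SecretAccessKey>
      <SessionToken>EXAMPLE-SESSION-TOKEN-PLACEHOLDER</SessionToken>
      <Expiration>2024-01-01T12:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime  # timezone-aware UTC

def _local(tag: str) -> str:
    # Strip an XML namespace prefix: '{uri}Name' -> 'Name'
    return tag.rsplit("}", 1)[-1]

def parse_timestamp(value: str) -> datetime:
    """STS writes RFC 3339 timestamps with a trailing 'Z'; return aware UTC."""
    return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sts_credentials(xml_text: str) -> TemporaryCredentials:
    """Pull <Credentials> out of an AssumeRoleResponse or AssumeRoleWithWebIdentityResponse.
    Only the root/wrapper names differ, so look up by local tag and ignore the namespace."""
    root = ET.fromstring(xml_text)
    creds = next((el for el in root.iter() if _local(el.tag) == "Credentials"), None)
    if creds is None:
        raise ValueError("response carries no Credentials element")
    fields = {_local(child.tag): (child.text or "").strip() for child in creds}
    missing = {"AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"} - set(fields)
    if missing:
        raise ValueError(f"Credentials element is missing {sorted(missing)}")
    return TemporaryCredentials(fields["AccessKeyId"], fields["SecretAccessKey"],
                                fields["SessionToken"], parse_timestamp(fields["Expiration"]))

def needs_refresh(creds: TemporaryCredentials, now: datetime,
                  margin: timedelta = timedelta(minutes=5)) -> bool:
    """True once the credentials are within `margin` of expiry (or already past it)."""
    return now + margin >= creds.expiration
```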