MINIO JAVA SDK+ STS https://github.com/minio/minio/blob/master/docs/sts/web-identity.md Issue

[PSHREYASHOLLA]

Expected Behavior

The issue minio/minio#10001 thread was closed without providing the final solution.
After getting the access_token from keycloak, passing same to http://localhost:9000?Action=AssumeRoleWithWebIdentity&Version=2011-06-15&WebIdentityToken=access_token and getting the response back as,
<?xml version="1.0" encoding="UTF-8"?> <AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"> <AssumeRoleWithWebIdentityResult> <AssumedRoleUser> <Arn></Arn> <AssumeRoleId></AssumeRoleId> </AssumedRoleUser> <Credentials> <AccessKeyId>FT8P56JOXAJDUCWEYWCP</AccessKeyId> <SecretAccessKey>0aIZ6OhJxkvbxYy+9J20llgrV8JRCG+LtzwKkH8h</SecretAccessKey> <Expiration>2020-08-07T06:11:10Z</Expiration> <SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJSRVJITlZXOVZYWDRXUTkxTjZYMyIsImFjciI6IjEiLCJhZGRyZXNzIjp7fSwiYXVkIjoiYWNjb3VudCIsImF6cCI6Im1pbmlvIiwiZW1haWwiOiJicmFkQGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiZXhwIjoxNTk2NzgwNjcwLCJmYW1pbHlfbmFtZSI6ImJyYWQiLCJnaXZlbl9uYW1lIjoiYnJhZCIsImdyb3VwcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl0sImlhdCI6MTU5Njc4MDM3MCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsImp0aSI6ImJhOWUzYjEzLWE2NjAtNGNjYi1hZTVmLTk4YWNjZTM3YzY1YyIsIm5hbWUiOiJicmFkIGJyYWQiLCJwb2xpY3kiOiJyZWFkd3JpdGUiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJicmFkIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIHBob25lIGFkZHJlc3MgcG9saWN5IG1pY3JvcHJvZmlsZS1qd3Qgb2ZmbGluZV9hY2Nlc3MiLCJzZXNzaW9uX3N0YXRlIjoiYzdlY2MwZDItZWZiNS00N2NjLThmOTItNmI3OTJhMmI4ZjNiIiwic3ViIjoiMTAzMTJjMjktZWYxYi00OWNmLTg0ZjQtODQ1MGZiNDZkNDM5IiwidHlwIjoiQmVhcmVyIiwidXBuIjoiYnJhZCJ9.LesWLGzRPjpBms1GiF95ESpyYXaDD8pMXqZfPz1FfffFYLmh7BcrBUMXzvvoI8JLnF5nE01f2sX2I7HMsLVdZA</SessionToken> </Credentials> <SubjectFromWebIdentityToken>10312c29-ef1b-49cf-84f4-8450fb46d439</SubjectFromWebIdentityToken> </AssumeRoleWithWebIdentityResult> <ResponseMetadata> <RequestId>1628E74C2FC1C748</RequestId> </ResponseMetadata> </AssumeRoleWithWebIdentityResponse>
But after passing accessKeyID and SecretAccessKey to minio 7.0 Java SDK as,
MinioClient minioClient = new MinioClient("http://localhost:9000","FT8P56JOXAJDUCWEYWCP","0aIZ6OhJxkvbxYy+9J20llgrV8JRCG+LtzwKkH8h");

Or to minio 7.1 Java SDK as,
MinioClient minioClient = MinioClient.builder().endpoint("http://localhost:9000").credentials("FT8P56JOXAJDUCWEYWCP", "0aIZ6OhJxkvbxYy+9J20llgrV8JRCG+LtzwKkH8h"").build();
minioClient.listBuckets();

Getting below error,

Exception in thread "main" java.lang.IllegalArgumentException: unknown error code string 'InvalidTokenId'
at io.minio.Xml.unmarshal(Xml.java:68)
at io.minio.MinioClient.execute(MinioClient.java:1134)
at io.minio.MinioClient.executeGet(MinioClient.java:1311)
at io.minio.MinioClient.listBuckets(MinioClient.java:3123)
at com.misys.dms.Main.main(Main.java:48)

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

Context

Regression

Your Environment

• Version used (minio --version): Java SDK 7.0/7.1
• Server setup and configuration:
• Operating System and version (uname -a):

[balamurugana]

@PSHREYASHOLLA Latest release of minio-java does not support STS. We have added the support in master branch and will be available in next release. Feel free to test master and open issues if any.

[PSHREYASHOLLA]

@balamurugana So you mean to say there is no backward compatability? As I have tried same with old minio server and minio java 7.0 SDK.

[harshavardhana]

@balamurugana So you mean to say there is no backward compatability? As I have tried same with old minio server and minio java 7.0 SDK.

No there is no backward compatibility

[PSHREYASHOLLA]

@balamurugana So you mean to say there is no backward compatability? As I have tried same with old minio server and minio java 7.0 SDK.

No there is no backward compatibility

@harshavardhana @balamurugana

So is the documented way https://github.com/minio/minio/blob/master/docs/sts/web-identity.md, not supported?

[balamurugana]

@PSHREYASHOLLA Can you be more specific what exactly missing in minio-java?

[PSHREYASHOLLA]

@balamurugana So after following all steps in https://github.com/minio/minio/blob/master/docs/sts/web-identity.md, finally after exchanging access token with MinIO to get access keyID and secret key using, http://localhost:9000/?Action=AssumeRoleWithWebIdentity&DurationSeconds=3599&Version=2011-06-15&WebIdentityToken=acess_token,
The output looks like,
<?xml version="1.0" encoding="UTF-8"?> <AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"> <AssumeRoleWithWebIdentityResult> <AssumedRoleUser> <Arn></Arn> <AssumeRoleId></AssumeRoleId> </AssumedRoleUser> <Credentials> <AccessKeyId>5N9OOBCI3TG3YKSZ794V</AccessKeyId> <SecretAccessKey>G2Ogq6l+aHGGTPUArwVXjZfjGpsQROwn4FW4fzyR</SecretAccessKey> <Expiration>2020-08-11T03:06:37Z</Expiration> <SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiI1TjlPT0JDSTNURzNZS1NaNzk0ViIsImFjciI6IjEiLCJhZGRyZXNzIjp7fSwiYXVkIjoiYWNjb3VudCIsImF6cCI6Im1pbmlvIiwiZW1haWwiOiJicmFkQGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiZXhwIjoiMTU5NzExNTE5NyIsImZhbWlseV9uYW1lIjoiYnJhZCIsImdpdmVuX25hbWUiOiJicmFkIiwiZ3JvdXBzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXSwiaWF0IjoxNTk3MTE0ODk3LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwianRpIjoiYmUwZTM2ODAtMTZmMy00ZjI2LTg3ZWItMjc4MTY3ZTE2Y2EzIiwibmFtZSI6ImJyYWQgYnJhZCIsInBvbGljeSI6InJlYWR3cml0ZSIsInByZWZlcnJlZF91c2VybmFtZSI6ImJyYWQiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIGVtYWlsIHByb2ZpbGUgcGhvbmUgYWRkcmVzcyBwb2xpY3kgbWljcm9wcm9maWxlLWp3dCBvZmZsaW5lX2FjY2VzcyIsInNlc3Npb25fc3RhdGUiOiI0ZTA3NDY5ZC0yYTgyLTQ3MWItOTAyNy1iZjI5YTdhMzYzZjUiLCJzdWIiOiIxMDMxMmMyOS1lZjFiLTQ5Y2YtODRmNC04NDUwZmI0NmQ0MzkiLCJ0eXAiOiJCZWFyZXIiLCJ1cG4iOiJicmFkIn0.dbE2lYeLlW42CDR8kdz7HnWzachedvSvHgqfDiPl9BeWRzrLHx87adFjSFEjwk3i0EWgZ0sT-YC04yUZ7cPuWQ</SessionToken> </Credentials> <SubjectFromWebIdentityToken>10312c29-ef1b-49cf-84f4-8450fb46d439</SubjectFromWebIdentityToken> </AssumeRoleWithWebIdentityResult> <ResponseMetadata> <RequestId>162A17A22FDED428</RequestId> </ResponseMetadata> </AssumeRoleWithWebIdentityResponse>

Now after getting this, how to build MinIO client?

[balamurugana]

@PSHREYASHOLLA Could you be more specific why you are not following this example https://github.com/minio/minio-java/blob/master/examples/MinioClientWithWebIdentityProvider.java? and why are you fetching the XML yourself?

[PSHREYASHOLLA]

@balamurugana This was existing piece of code we had done earlier, so wanted to know if there is backward compatibility for the same or not as that is the only documentation I have found for MinIO with OpenID? And I understand this is a still in master branch and the documentation will not be available.

[balamurugana]

@PSHREYASHOLLA You are not doing with recommended way. If you use WebIdentityProvider it fetches new credentials upon expiry. In your approach, its your responsibility to provide valid credentials every time.

Anyway for non-standard usage like this, I have sent a PR #1037. Feel free to test it. The way to use is, after you get XML, parse and pass Access Key, Secret Key and Session Token to StaticProvider and use with MinioClient. Remember you have to create new MinioClient upon your credential expiry.

[PSHREYASHOLLA]

@balamurugana, I was just following the documented way https://github.com/minio/minio/blob/master/docs/sts/web-identity.md. Thanks for the new approach example will follow that.

Please provide me the last detail. Where is the example for Minio + LDAP/AD Java SDK example?

[balamurugana]

@PSHREYASHOLLA there is no support yet and will be added soon.

[PSHREYASHOLLA]

@balamurugana Ok Thanks.

Regarding the raised issue, MinIO(HTTP) + OpenID(Keycloak-HTTP) the functionality is working fine.

But with MinIO(HTTPS) + OpenID(Keycloak-HTTP) , I am getting below error at io.minio.credentials.WebIdentityClientGrantsProvider.fetch(WebIdentityClientGrantsProvider.java:133),

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
at okhttp3.RealCall.execute(RealCall.java:81)
at io.minio.credentials.WebIdentityClientGrantsProvider.fetch(WebIdentityClientGrantsProvider.java:117)
at io.minio.MinioClient.execute(MinioClient.java:1033)
at io.minio.MinioClient.execute(MinioClient.java:986)
at io.minio.MinioClient.executeGet(MinioClient.java:1258)
at io.minio.MinioClient.listBuckets(MinioClient.java:3676)
at io.minio.MinioClient.listBuckets(MinioClient.java:3644)
at com.misys.dms.Main.main(Main.java:116)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 34 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
... 40 more
Caused by: java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449)
at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
... 45 more
Exception in thread "main" java.lang.IllegalStateException: Unable to parse STS response
at io.minio.credentials.WebIdentityClientGrantsProvider.fetch(WebIdentityClientGrantsProvider.java:133)
at io.minio.MinioClient.execute(MinioClient.java:1033)
at io.minio.MinioClient.execute(MinioClient.java:986)
at io.minio.MinioClient.executeGet(MinioClient.java:1258)
at io.minio.MinioClient.listBuckets(MinioClient.java:3676)
at io.minio.MinioClient.listBuckets(MinioClient.java:3644)
at com.misys.dms.Main.main(Main.java:116)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
at okhttp3.RealCall.execute(RealCall.java:81)
at io.minio.credentials.WebIdentityClientGrantsProvider.fetch(WebIdentityClientGrantsProvider.java:117)
... 6 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 34 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
... 40 more
Caused by: java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449)
at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
... 45 more

This looks like some certificate validation issue.

[balamurugana]

@PSHREYASHOLLA If you are working with self-signed or expired certificates, use ignoreCertCheck() or use custom OkHttpClient wherever applicable.