Session Policy is BASE 64 encoded, but JSON is expected #11336
Comments
@dnoelb can you share the code where you see this? It is the client that needs to supply the correct session policy, not the server.
You shouldn't be extracting sessionToken claims - sessionToken should be used opaquely and can be safely shared with the client. To re-request a new token you need to present the session policy again in the JSON form that you did originally. We won't put a JSON inside a JWT claim.
Hey, thanks for your answer! :) The error does not occur in the step of requesting the sessionToken (via assumerole...), but in the step of requesting some resource on the server with the sessionToken (I just took a look into it for debugging, it is otherwise just passed to the client). When I make a call like
In my opinion, the message hints that the first letter of the sessionPolicy within the sessionToken is 'e' and therefore encoded in BASE64. The minio server somehow tries to read just the string and does not decode the BASE64 of the sessionPolicy within the sessionToken, in order to check/read the policy at this point.
Yes but this is an incorrect way to call - session token is not
Oh, now I understand my mistake, thank you very much for the help! :)
Used the AssumeRoleWithWebIdentity API to retrieve a temporary session token to access the minio API with a session policy.
The first step works, as the API returns a valid token, which contains a sessionPolicy. The problem is that the session policy within the returned token is BASE64 encoded and minio expects a JSON encoded string when accessing the API with the access token.
Expected Behavior
Being able to access the Minio API with the returned session Token.
Current Behavior
The access is denied and the log of the minio outputs the following:
The returned sessionToken from AssumeRoleWithWebIdentity contains the following part with the session policy (I shortened the BASE64 string for privacy reasons):
Possible Solution
Storing the sessionPolicy as JSON encoded within the token or expecting a base64 encoded sessionPolicy and decoding it prior to the policy checks.
Steps to Reproduce (for bugs)
Context
I am trying to build up an environment to give out temporary credentials to users, which limit the access to certain subdirectories.
Regression
Your Environment
minio --version: RELEASE.2021-01-08T21-18-21Z
uname -a: Linux panther 5.8.0-38-generic #43~20.04.1-Ubuntu SMP Tue Jan 12 16:39:47 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
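Added illustration, not code from the issue or from the MinIO project: base64 of a JSON object that begins with `{"` always begins with `eyJ`, which is why a base64-encoded sessionPolicy claim starts with 'e'. The sketch builds a constructed, unsigned JWT-shaped token for a prefix-limited policy and decodes its sessionPolicy claim for debugging only, without verifying anything. The token layout, the use of standard base64 for the claim, the `sub` claim, and the bucket and prefix names are assumptions.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def prefix_policy(bucket: str, prefix: str) -> dict:
    """Constructed session policy limiting object access to one prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
        }],
    }


def make_sample_token(policy: dict) -> str:
    """Constructed JWT-shaped token; the signature segment is a dummy."""
    header = {"alg": "HS512", "typ": "JWT"}
    claims = {
        "sub": "constructed-user",
        # Assumption: the claim holds standard base64 of the policy JSON.
        "sessionPolicy": base64.b64encode(json.dumps(policy).encode()).decode(),
    }
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()),
                     b64url(b"not-a-real-signature")])


def session_policy_from_token(token: str) -> dict:
    """Decode the payload WITHOUT verifying it (debugging only) and
    return the sessionPolicy claim as a parsed JSON document."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    encoded = claims.get("sessionPolicy")
    if encoded is None:
        raise KeyError("token carries no sessionPolicy claim")
    return json.loads(base64.b64decode(encoded))


POLICY = prefix_policy("reports", "team-a")  # constructed names
TOKEN = make_sample_token(POLICY)
```

Decoded claims from an unverified token are useful for inspecting what was issued, never for making an access decision.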