Claim missing from the JWT token, credentials will not be generated #15425

Closed · benbouillet opened this issue Jul 28, 2022 · 6 comments

Comments

@benbouillet

NOTE

If this case is urgent, please subscribe to Subnet so that our 24/7 support team may help you faster.

Expected Behavior

User with consoleAdmin/configAdmin roles should be able to connect to console with external OIDC (here auth0).

Current Behavior

After login via Auth0, MinIO returns the following error:

Error from IDP
An error occurred, please try again
Policy=configAdmin claim missing from the JWT token, credentials will not be generated


Possible Solution

Steps to Reproduce (for bugs)

  1. Go to the login page
  2. Click on "Login with SSO"


Context

Regression

This is a first attempt at using external OIDC, so this is not a regression.

Your Environment

  • MinIO is locally containerized:
❯ podman run -p 9000:9000 -p 9001:9001 \
  --name minio \
  -v /path/to/data/:/data \
  --env-file=.env \
  quay.io/minio/minio server /data --console-address ":9001"
❯ cat .env
MINIO_IDENTITY_OPENID_CONFIG_URL=https://<auth0-domain>.eu.auth0.com/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID=#######
MINIO_IDENTITY_OPENID_CLIENT_SECRET=#######
# MINIO_IDENTITY_OPENID_CLAIM_NAME=
# MINIO_IDENTITY_OPENID_CLAIM_PREFIX=
# MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email
# MINIO_IDENTITY_OPENID_REDIRECT_URI="<string>"
# MINIO_IDENTITY_OPENID_COMMENT="<string>"
MINIO_IDENTITY_OPENID_REDIRECT_URI=http://127.0.0.1:9001/oauth_callback
MINIO_ROOT_USER=ben
MINIO_ROOT_PASSWORD=#######

Sensitive secrets and the Auth0 domain have been masked.

Version is RELEASE.2022-07-26T00-53-03Z (linux/arm64) (on Macbook Air M1)

❯ podman logs minio
MinIO Object Storage Server
Copyright: 2015-2022 MinIO, Inc.
License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Version: RELEASE.2022-07-26T00-53-03Z (go1.18.4 linux/arm64)

Status:         1 Online, 0 Offline.
API: http://10.88.0.17:9000  http://127.0.0.1:9000
Console: http://10.88.0.17:9001 http://127.0.0.1:9001

Documentation: https://docs.min.io
  • Auth0 Free-tier used.
    • 1 application minio-test configured


with "Allowed Callback URLs" : http://127.0.0.1:9001/oauth_callback

  • 1 user ben@######.### configured with the following roles assigned:

    • configAdmin
    • consoleAdmin
    • diagnostics
    • readwrite
  • mc admin trace -v -a local returns:

10.88.0.17:9000 [REQUEST sts.AssumeRoleWithWebIdentity] [2022-07-28T18:21:37.932] [Client IP: 10.88.0.17]
10.88.0.17:9000 POST /?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&Version=2011-06-15&WebIdentityToken=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImUtQkNaSGJ6NVVFM19ZMnRHUDV0OSJ9.eyJwb2xpY3kiOlsiY29uZmlnQWRtaW4iLCJjb25zb2xlQWRtaW4iLCJkaWFnbm9zdGljcyIsInJlYWR3cml0ZSJdLCJuaWNrbmFtZSI6ImJlbiIsIm5hbWUiOiJiZW5Ad2VibWFrZXJzLmRldiIsInBpY3R1cmUiOiJodHRwczovL3MuZ3JhdmF0YXIuY29jWF2YXRhci82NjM4MjU3OTU1ZjQ2Zjc2NmIzZWQzYzE0ZGY5YmEyZT9zPTQ4MCZyPXBnJmQ9aHR0cHMlM0ElMkYlMkZjZG4uYXV0aDAuY29tJTJGYXZhdGFycyUyRmJlLnBuZyIsInVwZGF0ZWRfYXQiOiIyMDIyLTA3LTI4VDA4OjU5OjM4LjQ3NFoiLCJlbUWpbCI6ImJlbkB3ZWJtYWtlcnMuZGV2IiwiZCBhaWxfdmVyaWZpZWQiOmZhbHNlLCJpc3MiOiJodHRwczovL2Rldi1wMWFrb281Zy5ldS5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NjJlMTM3YTRhY2EzZTY0YzBhNTIxYTEyIiwiYXVkIjoicTBQWld5ZVRYTVVqcWtUZUxPTEx5RWE0blhMY1prUjQiLCJpYXQiOjE2NTkwMjUyOTcsImV4cCI6MTY1OTA2MTI5N30.VCyIUBk9ZZlm-iZbxdX-Wlr1px5xeV2hpBIB9IfMIfwtajdkHcw1zLEG9iJdbp50HykJBiPFxEFceM6YV08hx41_9em0a5TRzqitTHJxUofdOwdoxGxi5GtQOX1084zeNjAva0MQj8i7zEpR4WVvzY2JRZq5LLF28LPIwVXho7mD4feK7OYmFGAs1PzbMEhCiU8hdve7RUdkL-nl1fZycTSK1wXpZSNx6b8LQQekUskCrWRX4BlTfOl17hvzp5YCE01KcDeNneIz3Q-kWa1qggcX0oSL-aZ5G5pE5dQsGCZ2H6ltU4qAXnom9JjpJ3UlmZpgC2rAKLgm1Xodid2VBw
10.88.0.17:9000 Proto: HTTP/1.1
10.88.0.17:9000 Host: 10.88.0.17:9000
10.88.0.17:9000 Content-Length: 0
10.88.0.17:9000 User-Agent: Go-http-client/1.1
10.88.0.17:9000
10.88.0.17:9000 [RESPONSE] [2022-07-28T18:21:37.933] [ Duration 1.019ms  ↑ 31 B  ↓ 651 B ]
10.88.0.17:9000 400 Bad Request
10.88.0.17:9000 Content-Type: application/xml
10.88.0.17:9000 Strict-Transport-Security: max-age=31536000; includeSubDomains
10.88.0.17:9000 Vary: Origin
10.88.0.17:9000 X-Amz-Request-Id: 17060JEUD4AA0184
10.88.0.17:9000 X-Content-Type-Options: nosniff
10.88.0.17:9000 Accept-Ranges: bytes
10.88.0.17:9000 Content-Length: 326
10.88.0.17:9000 Content-Security-Policy: block-all-mixed-content
10.88.0.17:9000 Server: MinIO
10.88.0.17:9000 X-Xss-Protection: 1; mode=block
10.88.0.17:9000 <?xml version="1.0" encoding="UTF-8"?>
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"><Error><Type></Type><Code>InvalidParameterValue</Code><Message>policy=configAdmin claim missing from the JWT token, credentials will not be generated</Message></Error><RequestId>17060JEUD4AA0184</RequestId></ErrorResponse>

The token has been modified for security reasons, but decoding it returns:
HEADER:ALGORITHM & TOKEN TYPE

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "e-BCZHbz5UE3_Y2tGP5t9"
}

PAYLOAD:DATA

{
  "policy": [
    "configAdmin",
    "consoleAdmin",
    "diagnostics",
    "readwrite"
  ],
  "nickname": "ben",
  "name": "ben@XXXX.XXX",
  "picture": "https://s.gravatar.com/avatar/YYY.png",
  "updated_at": "2022-07-28T08:59:38.474Z",
  "email": "ben@XXXX.XXX",
  "email_verified": true,
  "iss": "https://dev-XXXXXX.eu.auth0.com/",
  "sub": "auth0|62e137a4are3e64c8f521a12",
  "aud": "q0PZWyeJTEDjqkTeLOLLyEa4nXLcZkR4",
  "iat": 1659015694,
  "exp": 1659054294
}

VERIFY SIGNATURE

RSASHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  ,
)
@bsnuggs1

@benbouillet - I think the problem is your policy, it's a JSON array. MinIO doesn't process any JSON arrays, it has to be a comma-delimited string. This messed me up as well while I was trying to set this up.

They mention it in the documentation here and show an example:
https://docs.min.io/minio/baremetal/security/openid-external-identity-management/external-authentication-with-openid-identity-provider.html#id3

@donatello (Member)

@benbouillet - I think the problem is your policy, it's a JSON array. MinIO doesn't process any JSON arrays, it has to be a comma-delimited string. This messed me up as well while I was trying to set this up.

@bsnuggs1 This is not accurate, MinIO should handle JSON arrays of strings just fine. Please report an issue if this is not the case.

@benbouillet Something weird appears to be happening here. I have a similar setup for testing but where the claim name is groups and the openid service returns an array of strings as the policies and it works fine.

Could you check if something is set via config commands with mc admin config get local identity_openid?

One potential workaround is to try setting the env var MINIO_IDENTITY_OPENID_CLAIM_NAME=policy.

@benbouillet (Author)

@donatello:

> mc admin config get local identity_openid
identity_openid display_name= config_url=https://dev-<AUTH0-DOMAIN>.eu.auth0.com/.well-known/openid-configuration client_id=q0PZW######### client_secret=uqlEh######## claim_name=policy=configAdmin claim_userinfo=off role_policy= claim_prefix= redirect_uri= redirect_uri_dynamic=off scopes=

I forgot to mention that I've set up a rule in auth0 to complete the payload in the JWT token.

// Auth0 rule: copy the roles assigned to the user into a top-level "policy"
// claim on both the ID token and the access token, so MinIO can map them.
function (user, context, callback) {
  // Declared but unused: the claim is written without a namespace prefix.
  const namespace = 'http://minio';

  // Roles assigned in the Auth0 authorization extension / RBAC settings.
  const assignedRoles = (context.authorization || {}).roles;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  // Emitted as a JSON array of strings, e.g. ["configAdmin", "consoleAdmin"].
  idTokenClaims[`policy`] = assignedRoles;
  accessTokenClaims[`policy`] = assignedRoles;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;
  callback(null, user, context);
}

@benbouillet (Author)

One potential workaround is to try setting the env var MINIO_IDENTITY_OPENID_CLAIM_NAME=policy.

@donatello: this fixed it. Thanks for your help!
Although this is weird, as MINIO_IDENTITY_OPENID_CLAIM_NAME is supposed to default to policy as mentioned in the documentation.

@donatello (Member)

You have:

claim_name=policy=configAdmin

In your mc output. This is the reason for this issue. You had configuration set via that and via the env. MinIO merges the two, with env vars taking precedence.
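As an added illustration, not MinIO's code and not part of the original thread, the Python below mirrors the behaviour described above: the configured claim name (default `policy`) is looked up in the decoded token, its value may be a string, a comma-delimited string or a JSON array of strings, and settings stored with `mc admin config set` are merged with `MINIO_IDENTITY_OPENID_*` environment variables, env winning. The JWT is constructed inline with a placeholder signature, the claim names and values are modelled on the payload posted in this issue, and `peek_claims` decodes without verifying the signature, which is only acceptable for the "which claim names does the IdP actually send?" check this issue needed, never for an authorization decision. Everything here (function names, the merge rule, the sample config values) is an assumption for the example.

```python
import base64
import json

# Constructed example, not MinIO's implementation.
DEFAULT_CLAIM_NAME = "policy"          # documented default claim name
ENV_PREFIX = "MINIO_IDENTITY_OPENID_"  # env var namespace for the openid config


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test data only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        "placeholder-signature",
    ])


def peek_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Inspection only: it answers "which claim names are present?". A server
    must validate the signature against the IdP's JWKS before trusting any of it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def effective_openid_config(stored: dict, env: dict) -> dict:
    """Merge stored config-subsystem values with environment variables (env wins).

    Assumption taken from the thread: both sources are merged and env takes
    precedence. Env keys are MINIO_IDENTITY_OPENID_<KEY>; stored keys are lower-case.
    """
    merged = dict(stored)
    for key, value in env.items():
        if key.startswith(ENV_PREFIX):
            merged[key[len(ENV_PREFIX):].lower()] = value
    return merged


def policies_from_claims(claims: dict, claim_name: str) -> list:
    """Resolve policy names from the configured claim.

    Accepts a single string, a comma-delimited string, or a list of strings.
    Raises ValueError with the message seen in this issue when the claim is absent.
    """
    if claim_name not in claims:
        raise ValueError(
            f"{claim_name} claim missing from the JWT token, credentials will not be generated"
        )
    value = claims[claim_name]
    if isinstance(value, str):
        items = value.split(",")
    elif isinstance(value, list) and all(isinstance(v, str) for v in value):
        items = value
    else:
        raise ValueError(f"{claim_name} claim must be a string or a list of strings")
    return [p.strip() for p in items if p.strip()]


# Constructed payload, modelled on the (masked) token posted in the issue.
SAMPLE_CLAIMS = {
    "policy": ["configAdmin", "consoleAdmin", "diagnostics", "readwrite"],
    "nickname": "ben",
    "iss": "https://dev-EXAMPLE.eu.auth0.com/",
    "sub": "auth0|example-subject",
    "aud": "example-client-id",
}


def reproduce_issue() -> dict:
    """Run the lookup with the misconfigured claim_name and with the env override."""
    claims = peek_claims(make_unsigned_token(SAMPLE_CLAIMS))
    # Constructed stored config: claim_name was accidentally set to "policy=configAdmin".
    stored = {"claim_name": "policy=configAdmin", "claim_userinfo": "off"}
    results = {}
    broken = effective_openid_config(stored, {})
    try:
        policies_from_claims(claims, broken.get("claim_name") or DEFAULT_CLAIM_NAME)
        results["broken"] = "ok"
    except ValueError as exc:
        results["broken"] = str(exc)
    fixed = effective_openid_config(stored, {ENV_PREFIX + "CLAIM_NAME": "policy"})
    results["fixed"] = policies_from_claims(claims, fixed.get("claim_name") or DEFAULT_CLAIM_NAME)
    return results


if __name__ == "__main__":
    print(json.dumps(reproduce_issue(), indent=2))
```

Running it prints the exact error string from the trace for the stored-config case and the four policy names once the env var overrides `claim_name`; the check worth keeping from this is the comparison between `mc admin config get local identity_openid` output and the claim names actually present in a decoded token.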

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 30, 2023