Claim missing from the JWT token, credentials will not be generated #15425
Comments
@benbouillet - I think the problem is your policy, it's a JSON array. Minio doesn't process any JSON arrays, it has to be a comma-delimited string. This messed me up as well while I was trying to set this up. They mention it in the documentation here and show an example:

@bsnuggs1 This is not accurate, MinIO should handle JSON arrays of strings just fine. Please report an issue if this is not the case.

@benbouillet Something weird appears to be happening here. I have a similar setup for testing but where the claim name is

Could you check if something is set via config commands with

One potential workaround is to try setting the env var
```
> mc admin config get local identity_openid
identity_openid display_name= config_url=https://dev-<AUTH0-DOMAIN>.eu.auth0.com/.well-known/openid-configuration client_id=q0PZW######### client_secret=uqlEh######## claim_name=policy=configAdmin claim_userinfo=off role_policy= claim_prefix= redirect_uri= redirect_uri_dynamic=off scopes=
```

I forgot to mention that I've set up a rule in auth0 to complete the payload in the JWT token.

```javascript
// Auth0 rule: copy the roles assigned to the user into a `policy` claim
// on both the ID token and the access token, so MinIO can read it.
function (user, context, callback) {
  // Declared but not used below; Auth0 custom claims usually get a namespace prefix.
  const namespace = 'http://minio';
  // Roles assigned via the Auth0 Authorization extension / core RBAC.
  const assignedRoles = (context.authorization || {}).roles;
  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};
  // Emit the roles as a JSON array under the claim name MinIO is configured to read.
  idTokenClaims[`policy`] = assignedRoles;
  accessTokenClaims[`policy`] = assignedRoles;
  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;
  callback(null, user, context);
}
```
@donatello: this fixed it. Thanks for your help!

You have:

In your mc output. This is the reason for this issue. You had configuration set via that and via the env. MinIO merges the two, with env vars taking precedence.
NOTE
If this case is urgent, please subscribe to Subnet so that our 24/7 support team may help you faster.
Expected Behavior

User with consoleAdmin / configAdmin roles should be able to connect to the console with external OIDC (here auth0).

Current Behavior

After login via Auth0, minio returns the following error:
Possible Solution
Steps to Reproduce (for bugs)
Context
Regression
This is a first attempt at using external OIDC, so this is no regression.
Your Environment
```
❯ podman run -p 9000:9000 -p 9001:9001 \
    --name minio \
    -v /path/to/data/:/data \
    --env-file=.env \
    quay.io/minio/minio server /data --console-address ":9001"
```

Sensitive secrets and the auth0 domain have been masked.

Version is RELEASE.2022-07-26T00-53-03Z (linux/arm64) (on MacBook Air M1).

minio-test configured with "Allowed Callback URLs": http://127.0.0.1:9001/oauth_callback

1 user ben@######.### configured with the following roles assigned:

- configAdmin
- consoleAdmin
- diagnostics
- readwrite

mc admin trace -v -a local returns (token has been modified for security reasons, but decoding returns):

HEADER: ALGORITHM & TOKEN TYPE
PAYLOAD: DATA
VERIFY SIGNATURE
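The error in the title, "Claim missing from the JWT token", is MinIO failing to find the claim named by `claim_name` (default `policy`) in the token payload, and the comments disagree about whether that claim may be a JSON array or must be a comma-delimited string. The following added example (not code from the issue or from MinIO) is a small offline diagnostic: it decodes a token's payload without verifying the signature, looks up the claim, and accepts both shapes, on the assumption stated in the thread that MinIO handles a JSON array of strings as well as a comma-separated string. Names such as `policies_from_jwt`, `ClaimMissing` and the sample tokens are this example's own; the tokens are constructed here with a placeholder signature and are not real Auth0 tokens.

```python
import base64
import json


class ClaimMissing(Exception):
    """Raised when the configured claim is absent from the JWT payload."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload as a dict.

    No signature verification is done here: this is for inspecting what
    the IdP put in the token, not for trusting it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def policies_from_claim(payload: dict, claim_name: str) -> list[str]:
    """Extract policy names from the configured claim.

    Assumption (from the thread): the claim may be either a JSON array of
    strings or a single comma-delimited string. Anything else is rejected.
    """
    if claim_name not in payload:
        raise ClaimMissing(f"claim {claim_name!r} missing from the JWT payload")
    value = payload[claim_name]
    if isinstance(value, str):
        names = [p.strip() for p in value.split(",")]
    elif isinstance(value, list) and all(isinstance(p, str) for p in value):
        names = [p.strip() for p in value]
    else:
        raise TypeError(
            f"claim {claim_name!r} must be a string or a list of strings, "
            f"got {type(value).__name__}"
        )
    return [n for n in names if n]


def policies_from_jwt(token: str, claim_name: str = "policy") -> list[str]:
    """Decode the token and return the policy names found under claim_name."""
    return policies_from_claim(decode_jwt_payload(token), claim_name)


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed test token; the signature is a placeholder, not verifiable."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


# Constructed sample tokens, modelled on the role names listed in the issue.
TOKEN_ARRAY = make_unsigned_token(
    {"sub": "auth0|example", "policy": ["configAdmin", "consoleAdmin"]}
)
TOKEN_STRING = make_unsigned_token(
    {"sub": "auth0|example", "policy": "readwrite, diagnostics"}
)
# Roles emitted under a different claim name: the `policy` lookup must fail.
TOKEN_NO_CLAIM = make_unsigned_token(
    {"sub": "auth0|example", "roles": ["configAdmin"]}
)

if __name__ == "__main__":
    for name, tok in [("array", TOKEN_ARRAY), ("string", TOKEN_STRING), ("missing", TOKEN_NO_CLAIM)]:
        try:
            print(name, policies_from_jwt(tok, "policy"))
        except ClaimMissing as exc:
            print(name, "->", exc)
```

To use it on a real token, paste the value captured with `mc admin trace -v` into `policies_from_jwt(token, claim_name)` with the same `claim_name` MinIO is configured with; if the lookup raises `ClaimMissing`, the IdP rule is emitting the roles under a different claim name (or not at all), which is exactly the situation the error message describes.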