feat: Allow at most one claim based OpenID IDP #16145
Merged
harshavardhana approved these changes on Nov 29, 2022
This change allows adding up to one JWT Claim based OpenID provider alongside zero or more Role Policy based OpenID providers.

Previously we only supported exactly one of:
- a single JWT Claim based OpenID provider, or
- one or more Role Policy based OpenID providers
donatello force-pushed the oidc-claim branch from 4029d38 to 8a8a987 on November 29, 2022 22:37
djwfyi added a commit to minio/docs that referenced this pull request on Dec 1, 2022:

…b.com/minio/minio/releases/tag/RELEASE.2022-11-29T23-40-49Z)
- Adds information about the --remove flag dropping data directories as well and running on a per-drive basis [PR
- Adds note that MinIO only supports one JWT based OpenID provider [PR #16145](minio/minio#16145)

Note: There was no Docs issue to track this release.

Other fix:
- Minor correction to Admin Trace
- Clarifies that mc admin idp ldap policy entities command is cumulative, not exclusive when using multiple flags
djwfyi added a commit to minio/docs that referenced this pull request on Dec 5, 2022:

…b.com/minio/minio/releases/tag/RELEASE.2022-11-29T23-40-49Z)
- Adds information about the --remove flag dropping data directories as well and running on a per-drive basis [PR
- Adds note that MinIO only supports one JWT based OpenID provider [PR #16145](minio/minio#16145)

Note: There was no Docs issue to track this release.

Other fix:
- Minor correction to Admin Trace
- Clarifies that mc admin idp ldap policy entities command is cumulative, not exclusive when using multiple flags
djwfyi added a commit to minio/docs that referenced this pull request on Dec 6, 2022:

Updates for mc RELEASE.2022-11-17T21-20-39Z:
- Creates `mc admin idp ldap policy entities` section
- Corrects incorrect `--tier` flag in `mc ilm add`
- Adds info to `mc ilm ls` about new tabular format of output Closes #645
- Adds info about modifying endpoints for distributed endpoints. Partially addresses #644

Updates for Bugfix [minio RELEASE.2022-11-29T23-40-49Z](https://github.com/minio/minio/releases/tag/RELEASE.2022-11-29T23-40-49Z):
- Adds information about the --remove flag dropping data directories as well and running on a per-drive basis [PR
- Adds note that MinIO only supports one JWT based OpenID provider [PR #16145](minio/minio#16145)

Note: There was no Docs issue to track this release.

Other fixes:
- Minor correction to Admin Trace
- Clarifies that mc admin idp ldap policy entities command is cumulative, not exclusive when using multiple flags
- Adds additional `mc admin config` commands. Closes #653
djwfyi added a commit to minio/docs that referenced this pull request on Dec 6, 2022:

Updates docs for various releases through November 2022.

## Updates for mc RELEASE.2022-11-17T21-20-39Z
- Creates `mc admin idp ldap policy entities` section
- Corrects incorrect `--tier` flag in `mc ilm add`
- Adds info to `mc ilm ls` about new tabular format of output Closes #645
- Adds info about modifying endpoints for distributed endpoints. Partially addresses #644

## Updates for Bugfix [minio RELEASE.2022-11-29T23-40-49Z](https://github.com/minio/minio/releases/tag/RELEASE.2022-11-29T23-40-49Z)
- Adds information about the --remove flag dropping data directories as well and running on a per-drive basis [PR 16122](minio/minio#16122)
- Adds note that MinIO only supports one JWT based OpenID provider [PR #16145](minio/minio#16145)

Note: There was no Docs issue to track this release.

## Other fix:
- Minor correction to Admin Trace
- Clarifies that mc admin idp ldap policy entities command is cumulative, not exclusive when using multiple flags

## Add additional `mc admin config` commands
- Adds three additional commands.
- Notes under several commands that environment variables override config keys.

Closes #653
Description
This change allows adding up to one JWT Claim based OpenID provider alongside zero or more Role Policy based OpenID providers.
Previously we only supported exactly one of:
- a single JWT Claim based OpenID provider, or
- one or more Role Policy based OpenID providers
Motivation and Context
We do not support multiple JWT claim based openid providers as there is currently no defined way to specify which IDP is intended in the STS request. For role policy based openid providers, the RoleARN is always present, and we are always able to tell which IDP was intended.
In this change, we allow at most one claim based openid provider, alongside other role policy based providers. When the STS request comes without a RoleARN, we assume the user intends to use the claim based openid provider to login.
How to test this PR?
Using the dex IDP setup at https://github.com/minio/minio-iam-testing, use the following environment for MinIO:
Log in via console and it should work.
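The provider-selection rule from the Motivation and Context section, sketched in Go as an added example (not code from this pull request or from MinIO). The type and function names and the sample RoleARN strings are hypothetical, and rejecting an unknown RoleARN instead of falling back to the claim based provider is an assumption of the sketch.

```go
package main

import (
	"errors"
	"fmt"
)

// Provider is a hypothetical, simplified entry (not MinIO's type); empty RoleARN = claim based.
type Provider struct{ Name, RoleARN string }
var ErrMultipleClaim = errors.New("at most one claim based OpenID provider is allowed")
var ErrNoProvider = errors.New("no OpenID provider matches this STS request")
// Registry holds role policy providers keyed by RoleARN plus an optional claim based one.
type Registry struct {
	byARN map[string]Provider
	claim *Provider
}

// NewRegistry enforces the configuration rule: zero or one claim based provider.
func NewRegistry(ps []Provider) (*Registry, error) {
	r := &Registry{byARN: map[string]Provider{}}
	for i := range ps {
		p := ps[i] // copy, so r.claim does not alias the caller's slice
		if p.RoleARN != "" {
			r.byARN[p.RoleARN] = p
			continue
		}
		if r.claim != nil {
			return nil, fmt.Errorf("%w: %q and %q", ErrMultipleClaim, r.claim.Name, p.Name)
		}
		r.claim = &p
	}
	return r, nil
}

// Select: no RoleARN means the claim based provider; an unknown RoleARN is rejected (assumption).
func (r *Registry) Select(roleARN string) (Provider, error) {
	if roleARN == "" && r.claim != nil {
		return *r.claim, nil
	}
	if p, ok := r.byARN[roleARN]; ok {
		return p, nil
	}
	return Provider{}, ErrNoProvider
}

func main() {
	// Constructed sample configuration; the RoleARN value is made up for illustration.
	r, _ := NewRegistry([]Provider{{"dex-claims", ""}, {"dex-role", "arn:example:role/constructed"}})
	fmt.Println(r.Select(""))
}
```

Failing closed on an unrecognized RoleARN keeps a mistyped or stale ARN from silently authenticating against a different identity provider than the caller named.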