adding oauth support to MinIO browser #8075
Conversation
can you get this ready for final merge @kanagarajkm with builds, everything running? - I am yet to show this to @abperiasamy, will do soon.
@harshavardhana OK, I can do that.
Codecov Report

| | master | #8075 | +/- |
|---|---|---|---|
| Coverage | 43.87% | 44.04% | +0.16% |
| Files | 325 | 303 | -22 |
| Lines | 52891 | 52093 | -798 |
| Hits | 23208 | 22944 | -264 |
| Misses | 27525 | 26991 | -534 |
| Partials | 2158 | 2158 | |

Continue to review full report at Codecov.
@harshavardhana the problems are resolved and it's ready for review.
can you also update the sts documentation on how to configure this?
Done, can you please review?
@kanagarajkm can you provide more instructions on using this with Keycloak?
@harshavardhana added docs for setting up Keycloak, please have a look. Updated
Mint Automation
8075-27d6961/mint-large-bucket.sh.log:
8075-27d6961/mint-dist-xl.sh.log:
Is it possible to just use existing OIDC tokens from some auth headers for the authentication for the MinIO Browser? thx
@jonasscherer sorry, I didn't understand your question, can you please elaborate. MinIO browser receives the token from the Identity Provider through a redirect and then it uses this token to create an STS user, then logs in as that user.
@kanagarajkm we are using MinIO behind an auth proxy, which already handles the login, redirect etc. The question is, can I offer the MinIO browser an authentication header that, if present, logs the user in directly?
@jonasscherer what is the authentication provider used here? does it have support for
Yes - it's actually Keycloak :)
@jonasscherer do you see any problems in configuring Keycloak as OpenID provider for MinIO and letting the MinIO browser take care of the rest instead of using an auth proxy?
@kanagarajkm Unfortunately I see some problems, because we want to offer a single sign-on for several services. In this case the user would have to log in to Minio again...
@jonasscherer let me clarify a few things here. Let's take for example Keycloak running in https://auth.domain1.com, then you have a MinIO server running on https://minio.domain2.com, then another xyz service running on https://xyz.domain3.com. So when a user tries to access https://minio.domain2.com, they are redirected to https://auth.domain1.com where they enter their credentials (these are not MinIO creds). Then they are redirected back to https://minio.domain2.com as a logged-in user; they don't log in explicitly on MinIO, the user doesn't require MinIO creds. The same applies when they access the xyz service running on https://xyz.domain3.com.
@kanagarajkm This is exactly what I meant :)
MinIO server verifies the JWT token received from Keycloak using the public certs (JWKS URL) of Keycloak. Then it creates an STS user with the provided policy. This user is now logged in automatically. So it's not just about setting the auth header. What exactly is your auth proxy? Is it Keycloak Gatekeeper?
@kanagarajkm can you re-work this PR to work with #8392 such that we can merge this into this branch as well.
Send it to branch
Hi, First off, I must say that I very much welcome this PR!
Question 1: Isn't it better to infer the
Question 2/advice: Please consider using a battle-hardened OIDC package like https://www.npmjs.com/package/oidc-client - it even has a React wrapper: https://www.npmjs.com/package/react-oidc
Question 3: Consider adding a configurable drop-down menu for choosing the OpenID Connect Provider to use, so that the end-user doesn't need to enter the technical client name of it.
Closing this, this functionality is merged into the new-config-admin-v2 branch
Description
Adding OpenID login support to MinIO Browser.
Motivation and Context
Users will be able to log in to MinIO Browser through the configured Identity Provider.
How to test this PR?
Sample URLs for Keycloak are:
configURL - http://localhost:8080/auth/realms/demo/.well-known/openid-configuration
jwks url - http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs
The JWT token should include a custom claim for the policy; this is required to create an STS user in MinIO. The name of the custom claim can be either `policy` or `<NAMESPACE_Prefix>policy`. If there is no namespace then `policyClaimPrefix` can be ignored. For example, if the custom claim name is `https://min.io/policy` then `policyClaimPrefix` should be set to `https://min.io/`.
Click "Log in with OpenID", enter the "Client ID" obtained from the Identity Provider and press ENTER.
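The server-side half of the flow described in this thread (verify the provider's JWT against the key published at the JWKS URL, then read the policy claim using the `policyClaimPrefix` rule above) as an added example in Go. This is illustrative code written for this page, not MinIO's own implementation: the `https://min.io/` prefix, the constructed key pair standing in for Keycloak's JWKS entry, and the self-minted token standing in for the redirect are all assumptions. It also covers the general case of any prefix, including none, and pins the algorithm to RS256 before checking the signature so a token whose header claims `none` or an HMAC algorithm is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Assumed prefix for this example; the PR leaves the value to the deployment.
const policyClaimPrefix = "https://min.io/"

// jwkToPublicKey rebuilds an RSA public key from the "n" and "e" members of a
// JWK, which is how a JWKS endpoint (for example Keycloak's certs URL)
// publishes RS256 verification keys.
func jwkToPublicKey(n, e string) (*rsa.PublicKey, error) {
	nb, err := base64.RawURLEncoding.DecodeString(n)
	if err != nil {
		return nil, err
	}
	eb, err := base64.RawURLEncoding.DecodeString(e)
	if err != nil {
		return nil, err
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
}

// publicKeyToJWK is the inverse; used here only to fabricate a JWKS entry.
func publicKeyToJWK(pub *rsa.PublicKey) (n, e string) {
	return base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
}

// signRS256 mints a compact JWT; it stands in for the identity provider.
func signRS256(claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyRS256 checks the signature with the JWKS-derived key and returns the
// claims. The alg is pinned before the signature check, so a header that says
// "none" or an HMAC algorithm never reaches the verification step.
func verifyRS256(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// policyFromClaims applies the rule from the PR description: the claim is
// "policy", or "<prefix>policy" when the provider namespaces its claims.
// Only a verified claim set should ever be passed in here.
func policyFromClaims(claims map[string]interface{}, prefix string) (string, error) {
	v, ok := claims[prefix+"policy"]
	if !ok {
		return "", fmt.Errorf("claim %q not found", prefix+"policy")
	}
	s, ok := v.(string)
	if !ok || s == "" {
		return "", errors.New("policy claim is not a non-empty string")
	}
	return s, nil
}
```

Calling `verifyRS256` before `policyFromClaims` is the order that matters: the policy name decides which STS user gets created, so it must only be read from a token whose signature has already been checked against the JWKS key.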