OIDC IAM Service #351
Comments
@mjf-89 This looks like something we could implement in the IAM service. Are there any OIDC specifics that would be useful in considering this? We generally need a way to look up if an access key exists and get the secret key for a given access key. Assuming we can store the secret key in OIDC, then this should work fine.
Typically it works the other way around. There is an IAM API that allows you to exchange an OIDC token for a temporary access key / secret key that has properties associated with that OIDC token's user identity.
Some docs here explaining bits of it:
For the case of the IAM service providing an access key / secret key, I think the gateway server side would need to talk directly to that IAM service to get the account credentials to validate the requests. I don't think we can work with AWS IAM since the gateway is probably not able to get the same access and secret key credentials? But maybe there are other on-prem IAM services that would allow this?
It would be nice to add support for OIDC authentication. However, I wonder how this could be implemented using the IAM Service abstraction that you are currently implementing.
OIDC is supported, e.g., by AWS and by MinIO by means of the Security Token Service (STS) API endpoints. Calling into those endpoints, the user can exchange an OIDC token for a set of short-term credentials to access the S3 resources. Are you planning, or are you open to the idea of, implementing something similar?