
OIDC IAM Service #351

Open
mjf-89 opened this issue Dec 20, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@mjf-89

mjf-89 commented Dec 20, 2023

It would be nice to add support for OIDC authentication. However I wonder how this could be implemented using the IAM Service abstraction that you are currently implementing.

OIDC is supported, e.g., by AWS and by MinIO by means of the Security Token Service (STS) API endpoints. Calling into those endpoints, the user can exchange an OIDC token for a set of short-term credentials to access the S3 resources. Are you planning, or are you open to the idea of, implementing something similar?

mjf-89 added the enhancement label Dec 20, 2023

@benmcclelland (Member)

@mjf-89 This looks like something we could implement in the IAM service. Are there any OIDC specifics that would be useful in considering this? We generally need a way to look up whether an access key exists and get the secret key for a given access key. Assuming we can store the secret key in OIDC, then this should work fine.

@kfox1111

It typically works the other way around.

There is an IAM API that allows you to exchange an OIDC token for a temporary access key / secret key that has properties associated with that OIDC token's user identity.

@kfox1111

Some docs here explaining bits of it:
https://min.io/docs/minio/linux/developers/security-token-service.html - AssumeRoleWithWebIdentity
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html - some of the docs about registering the oidc server with s3

@benmcclelland (Member)

For the case of the IAM service providing an access key / secret key, I think the gateway server side would need to talk directly to that IAM service to get the account credentials to validate the requests. I don't think we can work with AWS IAM since the gateway is probably not able to get the same access and secret key credentials? But maybe there are other on-prem IAM services that would allow this?
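The exchange kfox1111 describes, and the lookup benmcclelland says the gateway needs, as one added example in Go (not code from the gateway project or from anyone in this thread): a stand-in identity provider mints an RS256 ID token, a hypothetical in-process STS verifies it and hands back temporary access key / secret key / session token bound to the token's issuer and subject, and the gateway-side `LookupSecret` answers "does this access key exist, what is its secret, is it still valid". Everything here is assumed: the `STS` type, the issuer and audience strings, the in-memory credential table, the one-hour TTL, the key generated at startup. A real deployment fetches the issuer's keys from its JWKS endpoint and caches them by `kid`, accepts `aud` as an array, and checks `nbf`/`iat` as well as `exp`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims used from the OIDC ID token ("aud" treated as a bare string for brevity).
type idClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// TempCreds mirrors an AssumeRoleWithWebIdentity response.
type TempCreds struct {
	AccessKeyID, SecretAccessKey, SessionToken, Subject string
	Expiration                                          time.Time
}

// STS is a hypothetical in-process token service: one trusted issuer, its keys by kid
// (assumed preloaded; production code fetches them from the issuer's JWKS), the TTL
// for issued keys, the table of live temporary keys, and an injectable clock.
type STS struct {
	Issuer, Audience string
	Keys             map[string]*rsa.PublicKey
	TTL              time.Duration
	creds            map[string]TempCreds
	Now              func() time.Time
}

var b64 = base64.RawURLEncoding

func randHex(n int) string {
	b := make([]byte, n)
	_, _ = rand.Read(b) // crypto/rand: never returns an error in practice
	return hex.EncodeToString(b)
}

// verifyIDToken: decode, then RS256 signature with the key chosen by kid (the
// algorithm is an allow-list, never taken from the token), then iss, aud and exp.
func (s *STS) verifyIDToken(tok string) (*idClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	var c idClaims
	for i, v := range []any{&hdr, &c} { // nothing decoded here is trusted until the signature checks out
		if raw, err := b64.DecodeString(parts[i]); err != nil || json.Unmarshal(raw, v) != nil {
			return nil, errors.New("undecodable segment")
		}
	}
	key, ok := s.Keys[hdr.Kid]
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if hdr.Alg != "RS256" || !ok || err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unsupported alg, unknown kid or bad signature")
	}
	if c.Iss != s.Issuer || c.Aud != s.Audience || !s.Now().Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("issuer/audience mismatch or token expired")
	}
	return &c, nil
}

// AssumeRoleWithWebIdentity exchanges a verified ID token for short-lived keys
// bound to the token's issuer and subject.
func (s *STS) AssumeRoleWithWebIdentity(tok string) (TempCreds, error) {
	c, err := s.verifyIDToken(tok)
	if err != nil {
		return TempCreds{}, err
	}
	cr := TempCreds{AccessKeyID: "ASIA" + strings.ToUpper(randHex(8)), SecretAccessKey: randHex(20),
		SessionToken: randHex(32), Subject: c.Iss + "#" + c.Sub, Expiration: s.Now().Add(s.TTL)}
	s.creds[cr.AccessKeyID] = cr
	return cr, nil
}

// LookupSecret is what the gateway asks while checking a SigV4 request: does the access
// key exist and what is its secret. Expired entries are dropped so a leaked temporary key
// dies on schedule; the caller should also match X-Amz-Security-Token to SessionToken.
func (s *STS) LookupSecret(accessKey string) (TempCreds, bool) {
	cr, ok := s.creds[accessKey]
	if !ok || !s.Now().Before(cr.Expiration) {
		delete(s.creds, accessKey)
		return TempCreds{}, false
	}
	return cr, true
}

// mintIDToken plays the identity provider: RS256 over the standard JWT signing input.
func mintIDToken(priv *rsa.PrivateKey, kid string, c idClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // cannot fail with a valid key
	return input + "." + b64.EncodeToString(sig)
}

// newDemo builds a constructed issuer/STS pair sharing one freshly generated key.
func newDemo(now time.Time) (*STS, *rsa.PrivateKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &STS{Issuer: "https://idp.example.invalid", Audience: "s3-gateway", TTL: time.Hour,
		Keys: map[string]*rsa.PublicKey{"k1": &priv.PublicKey}, creds: map[string]TempCreds{},
		Now: func() time.Time { return now }}, priv
}

func main() {
	sts, priv := newDemo(time.Now())
	tok := mintIDToken(priv, "k1", idClaims{Iss: sts.Issuer, Sub: "alice", Aud: sts.Audience, Exp: time.Now().Add(time.Minute).Unix()})
	cr, err := sts.AssumeRoleWithWebIdentity(tok)
	fmt.Println(cr.AccessKeyID, cr.Subject, cr.Expiration.Format(time.RFC3339), err)
}
```

The shape matters more than the details: the STS, not the gateway, is the only party that ever sees the OIDC token, and the gateway's request path is unchanged apart from consulting `LookupSecret` (plus the session token) instead of a static user table. That is also why the on-prem IAM service has to expose the secret to the gateway, as the last comment notes; public AWS STS never hands a third party the secret for a key it issued.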
