Display errors during IDP authentication (#685)

Author: Alevsk

pkg/auth/idp/oauth2/config.go

@@ -66,3 +66,13 @@ var defaultSaltForIdpHmac = utils.RandomCharString(64)
 func getSaltForIdpHmac() string {
 	return env.Get(ConsoleIdpHmacSalt, defaultSaltForIdpHmac)
 }
+
+// getIdpScopes return default scopes during the IDP login request
+func getIdpScopes() string {
+	return env.Get(ConsoleIDPScopes, "openid,profile,app_metadata,user_metadata,email")
+}
+
+// getIdpTokenExpiration return default token expiration for access token (in seconds)
+func getIdpTokenExpiration() string {
+	return env.Get(ConsoleIDPTokenExpiration, "3600")
+}

pkg/auth/idp/oauth2/const.go

@@ -18,11 +18,13 @@ package oauth2
 
 const (
 	// const for idp configuration
-	ConsoleMinIOServer       = "CONSOLE_MINIO_SERVER"
-	ConsoleIdpURL            = "CONSOLE_IDP_URL"
-	ConsoleIdpClientID       = "CONSOLE_IDP_CLIENT_ID"
-	ConsoleIdpSecret         = "CONSOLE_IDP_SECRET"
-	ConsoleIdpCallbackURL    = "CONSOLE_IDP_CALLBACK"
-	ConsoleIdpHmacPassphrase = "CONSOLE_IDP_HMAC_PASSPHRASE"
-	ConsoleIdpHmacSalt       = "CONSOLE_IDP_HMAC_SALT"
+	ConsoleMinIOServer        = "CONSOLE_MINIO_SERVER"
+	ConsoleIdpURL             = "CONSOLE_IDP_URL"
+	ConsoleIdpClientID        = "CONSOLE_IDP_CLIENT_ID"
+	ConsoleIdpSecret          = "CONSOLE_IDP_SECRET"
+	ConsoleIdpCallbackURL     = "CONSOLE_IDP_CALLBACK"
+	ConsoleIdpHmacPassphrase  = "CONSOLE_IDP_HMAC_PASSPHRASE"
+	ConsoleIdpHmacSalt        = "CONSOLE_IDP_HMAC_SALT"
+	ConsoleIDPScopes          = "CONSOLE_IDP_SCOPES"
+	ConsoleIDPTokenExpiration = "CONSOLE_IDP_TOKEN_EXPIRATION"
 )

pkg/auth/idp/oauth2/provider.go

@@ -25,6 +25,7 @@ import (
 	"log"
 	"net/http"
 	"net/url"
+	"strconv"
 	"strings"
 	"time"
 
@@ -115,12 +116,14 @@ func NewOauth2ProviderClient(ctx context.Context, scopes []string, httpClient *h
 	if err != nil {
 		return nil, err
 	}
+	// below verification should not be necessary if the user configure exactly the
+	// scopes he need, will be removed on a future release
 	if u.Host == "google.com" {
 		scopes = []string{oidc.ScopeOpenID}
 	}
-	// If provided scopes are empty we use a default list
+	// If provided scopes are empty we use a default list or the user configured list
 	if len(scopes) == 0 {
-		scopes = []string{oidc.ScopeOpenID, "profile", "app_metadata", "user_metadata", "email"}
+		scopes = strings.Split(getIdpScopes(), ",")
 	}
 	client := new(Provider)
 	client.oauth2Config = &xoauth2.Config{
@@ -177,9 +180,22 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state string)
 			return nil, errors.New("invalid token")
 		}
 
+		// expiration configured in the token itself
+		expiration := int(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds())
+
+		// check if user configured a hardcoded expiration for console via env variables
+		// and override the incoming expiration
+		userConfiguredExpiration := getIdpTokenExpiration()
+		if userConfiguredExpiration != "" {
+			expiration, _ = strconv.Atoi(userConfiguredExpiration)
+		}
+		idToken := oauth2Token.Extra("id_token")
+		if idToken == nil {
+			return nil, errors.New("returned token is missing id_token claim")
+		}
 		return &credentials.WebIdentityToken{
-			Token:  oauth2Token.Extra("id_token").(string),
-			Expiry: int(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds()),
+			Token:  idToken.(string),
+			Expiry: expiration,
 		}, nil
 	}
 	stsEndpoint := GetSTSEndpoint()

portal-ui/build/asset-manifest.json

@@ -1,25 +1,25 @@
 {
   "files": {
     "main.css": "/static/css/main.a19f3d53.chunk.css",
-    "main.js": "/static/js/main.92bfa60e.chunk.js",
-    "main.js.map": "/static/js/main.92bfa60e.chunk.js.map",
+    "main.js": "/static/js/main.2368c861.chunk.js",
+    "main.js.map": "/static/js/main.2368c861.chunk.js.map",
     "runtime-main.js": "/static/js/runtime-main.f48e99e5.js",
     "runtime-main.js.map": "/static/js/runtime-main.f48e99e5.js.map",
     "static/css/2.f324abd6.chunk.css": "/static/css/2.f324abd6.chunk.css",
-    "static/js/2.26e254ca.chunk.js": "/static/js/2.26e254ca.chunk.js",
-    "static/js/2.26e254ca.chunk.js.map": "/static/js/2.26e254ca.chunk.js.map",
+    "static/js/2.e01324bd.chunk.js": "/static/js/2.e01324bd.chunk.js",
+    "static/js/2.e01324bd.chunk.js.map": "/static/js/2.e01324bd.chunk.js.map",
     "index.html": "/index.html",
     "static/css/2.f324abd6.chunk.css.map": "/static/css/2.f324abd6.chunk.css.map",
     "static/css/main.a19f3d53.chunk.css.map": "/static/css/main.a19f3d53.chunk.css.map",
-    "static/js/2.26e254ca.chunk.js.LICENSE.txt": "/static/js/2.26e254ca.chunk.js.LICENSE.txt",
+    "static/js/2.e01324bd.chunk.js.LICENSE.txt": "/static/js/2.e01324bd.chunk.js.LICENSE.txt",
     "static/media/minio_console_logo.0837460e.svg": "/static/media/minio_console_logo.0837460e.svg",
     "static/media/minio_operator_logo.1312b7c9.svg": "/static/media/minio_operator_logo.1312b7c9.svg"
   },
   "entrypoints": [
     "static/js/runtime-main.f48e99e5.js",
     "static/css/2.f324abd6.chunk.css",
-    "static/js/2.26e254ca.chunk.js",
+    "static/js/2.e01324bd.chunk.js",
     "static/css/main.a19f3d53.chunk.css",
-    "static/js/main.92bfa60e.chunk.js"
+    "static/js/main.2368c861.chunk.js"
   ]
 }

portal-ui/build/index.html

@@ -1 +1 @@
-<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#000000"/><meta name="description" content="MinIO Console"/><link href="https://fonts.googleapis.com/css2?family=Lato:wght@400;500;700;900&display=swap" rel="stylesheet"/><link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png"/><link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="96x96" href="/favicon-96x96.png"/><link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/><link rel="manifest" href="/manifest.json"/><link rel="mask-icon" href="/safari-pinned-tab.svg" color="#3a4e54"/><title>MinIO Console</title><link href="/static/css/2.f324abd6.chunk.css" rel="stylesheet"><link href="/static/css/main.a19f3d53.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"></div><script>!function(e){function r(r){for(var n,l,i=r[0],a=r[1],p=r[2],c=0,s=[];c<i.length;c++)l=i[c],Object.prototype.hasOwnProperty.call(o,l)&&o[l]&&s.push(o[l][0]),o[l]=0;for(n in a)Object.prototype.hasOwnProperty.call(a,n)&&(e[n]=a[n]);for(f&&f(r);s.length;)s.shift()();return u.push.apply(u,p||[]),t()}function t(){for(var e,r=0;r<u.length;r++){for(var t=u[r],n=!0,i=1;i<t.length;i++){var a=t[i];0!==o[a]&&(n=!1)}n&&(u.splice(r--,1),e=l(l.s=t[0]))}return e}var n={},o={1:0},u=[];function l(r){if(n[r])return n[r].exports;var t=n[r]={i:r,l:!1,exports:{}};return e[r].call(t.exports,t,t.exports,l),t.l=!0,t.exports}l.m=e,l.c=n,l.d=function(e,r,t){l.o(e,r)||Object.defineProperty(e,r,{enumerable:!0,get:t})},l.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},l.t=function(e,r){if(1&r&&(e=l(e)),8&r)return e;if(4&r&&"object"==typeof e&&e&&e.__esModule)return e;var t=Object.create(null);if(l.r(t),Object.defineProperty(t,"default",{enumerable:!0,value:e}),2&r&&"string"!=typeof e)for(var n in e)l.d(t,n,function(r){return e[r]}.bind(null,n));return t},l.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return l.d(r,"a",r),r},l.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},l.p="/";var i=this["webpackJsonpportal-ui"]=this["webpackJsonpportal-ui"]||[],a=i.push.bind(i);i.push=r,i=i.slice();for(var p=0;p<i.length;p++)r(i[p]);var f=a;t()}([])</script><script src="/static/js/2.26e254ca.chunk.js"></script><script src="/static/js/main.92bfa60e.chunk.js"></script></body></html>
+<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#000000"/><meta name="description" content="MinIO Console"/><link href="https://fonts.googleapis.com/css2?family=Lato:wght@400;500;700;900&display=swap" rel="stylesheet"/><link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png"/><link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="96x96" href="/favicon-96x96.png"/><link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/><link rel="manifest" href="/manifest.json"/><link rel="mask-icon" href="/safari-pinned-tab.svg" color="#3a4e54"/><title>MinIO Console</title><link href="/static/css/2.f324abd6.chunk.css" rel="stylesheet"><link href="/static/css/main.a19f3d53.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"></div><script>!function(e){function r(r){for(var n,l,i=r[0],a=r[1],p=r[2],c=0,s=[];c<i.length;c++)l=i[c],Object.prototype.hasOwnProperty.call(o,l)&&o[l]&&s.push(o[l][0]),o[l]=0;for(n in a)Object.prototype.hasOwnProperty.call(a,n)&&(e[n]=a[n]);for(f&&f(r);s.length;)s.shift()();return u.push.apply(u,p||[]),t()}function t(){for(var e,r=0;r<u.length;r++){for(var t=u[r],n=!0,i=1;i<t.length;i++){var a=t[i];0!==o[a]&&(n=!1)}n&&(u.splice(r--,1),e=l(l.s=t[0]))}return e}var n={},o={1:0},u=[];function l(r){if(n[r])return n[r].exports;var t=n[r]={i:r,l:!1,exports:{}};return e[r].call(t.exports,t,t.exports,l),t.l=!0,t.exports}l.m=e,l.c=n,l.d=function(e,r,t){l.o(e,r)||Object.defineProperty(e,r,{enumerable:!0,get:t})},l.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},l.t=function(e,r){if(1&r&&(e=l(e)),8&r)return e;if(4&r&&"object"==typeof e&&e&&e.__esModule)return e;var t=Object.create(null);if(l.r(t),Object.defineProperty(t,"default",{enumerable:!0,value:e}),2&r&&"string"!=typeof e)for(var n in e)l.d(t,n,function(r){return e[r]}.bind(null,n));return t},l.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return l.d(r,"a",r),r},l.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},l.p="/";var i=this["webpackJsonpportal-ui"]=this["webpackJsonpportal-ui"]||[],a=i.push.bind(i);i.push=r,i=i.slice();for(var p=0;p<i.length;p++)r(i[p]);var f=a;t()}([])</script><script src="/static/js/2.e01324bd.chunk.js"></script><script src="/static/js/main.2368c861.chunk.js"></script></body></html>