fix: claim based oidc for official aws libraries (#21468)

This commit is contained in:
M Alvee 2025-08-08 08:42:38 +06:00 committed by GitHub
parent b1a34fd63f
commit 0638ccc5f3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 6 additions and 2 deletions


@ -414,9 +414,13 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
//
// Currently, we do not support multiple claim based IDPs, as there is no
// defined parameter to disambiguate the intended IDP in this STS request.
//
// Skip RoleArn existence check when policy mapping is based on a JWT claim.
// This is required to support clients (like the AWS CLI or SDKs) that enforce providing a RoleArn,
// even though it's not used in claim-based identity mode.
roleArn := openid.DummyRoleARN
roleArnStr := r.Form.Get(stsRoleArn)
if roleArnStr != "" {
if roleArnStr != "" && strings.TrimSpace(iamPolicyClaimNameOpenID()) == "" {
var err error
roleArn, _, err = globalIAMSys.GetRolePolicy(roleArnStr)
if err != nil {
@ -451,7 +455,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
}
var policyName string
if roleArnStr != "" && globalIAMSys.HasRolePolicy() {
if roleArnStr != "" && globalIAMSys.HasRolePolicy() && strings.TrimSpace(iamPolicyClaimNameOpenID()) == "" {
// If roleArn is used, we set it as a claim, and use the
// associated policy when credentials are used.
claims[roleArnClaim] = roleArn.String()
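Review bot: With the new condition on the RoleArn `if` (first hunk) a client-supplied RoleArn is neither looked up nor rejected whenever `iamPolicyClaimNameOpenID()` is non-empty, so a request that names a RoleArn-based provider would be handled in claim-based mode instead of resolving that role; unless that helper is non-empty only when no RoleArn-based provider exists (not verifiable from this page), deployments that configure both kinds of provider see a behaviour change the added comment does not mention, and the ignored value leaves no trace in logs. The same `strings.TrimSpace(iamPolicyClaimNameOpenID()) == ""` is evaluated on both changed `if` lines (first and second hunk); computing it once before the first check, `claimBased := strings.TrimSpace(iamPolicyClaimNameOpenID()) != ""`, then `if roleArnStr != "" && !claimBased {` and `if roleArnStr != "" && globalIAMSys.HasRolePolicy() && !claimBased {`, keeps the two branches from drifting apart. I would also extend the new comment with `// In claim-based mode any RoleArn value is accepted and ignored without validation.` so the unchecked parameter is explicit to the next reader. AssumeRoleWithSSO starts before the first hunk and continues past the second, including the OpenIDConfig.Validate call that receives the dummy roleArn.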