Connect to Minio with temporary credentials from STS obtained with OpenID Connect token from Keycloak #14893

SheromS · 2023-07-09T14:48:43Z

This pull request contains our current state with:

Authentication to Keycloak
Fetch STS temporary credentials
Testcontainers with the included docker-compose configuration
First tests including the testcontainers (are running)
A first version of the OIDC Cyberduck Profile in the ressource-folder
Suggested changes from @chenkins implemented (about STS) Get STS to work with MinIO http://localhost:9000 SheromS/cyberduck#6
rebase on #14882. This allows to properly sign requests after refreshing tokens.
Resolves Suport to login using temporary credentials from Security Token Service (STS API) using OpenID Connect web identity #13804
Resolves Expired temporary credentials (STS) should be refreshed automatically #10917
Make sure we have test coverage for expired STS tokens.
Resolves TODOs
Resolve comments

dkocher · 2023-07-10T21:39:23Z

Somehow this is based on 10045f4 from bugfix/GH-10917-authentication-interceptor but contains newer commits from master. Please rebase again.

…vailableRetryStrategy

dkocher

Review comments.
Please run code formatting for all new classes to match existing code style.
Change package name of test classes to sts?

oauth/src/main/java/ch/cyberduck/core/oauth/OAuth2AuthorizationService.java

s3/src/main/java/ch/cyberduck/core/sts/STSCredentialsRequestInterceptor.java

.github/workflows/build.yml

s3/src/test/java/ch/cyberduck/core/oidc/testenv/OidcAuthenticationTest.java

s3/src/test/java/ch/cyberduck/core/oidc/testenv/OidcAuthorizationTest.java

s3/src/test/resources/S3-OIDC-Testing.cyberduckprofile

s3/src/main/java/ch/cyberduck/core/sts/STSCredentialsRequestInterceptor.java

SheromS · 2023-07-15T15:27:39Z

Code formatting for all new classes is done.
Currently the name of the testing package is oidc_sts. If you wish I change it to sts but in OidcAuthenticationTest there are some tests only considering the oidc part.

- optimize docker-compose network configuration

dkocher

Change package name of new STS related production and test classes to ch.cyberduck.core.sts. While OIDC is part of the specific flow, this could be replaced by other assumeRole implementations using LDAP or other identity providers.

oauth/src/main/java/ch/cyberduck/core/oauth/OAuth2AuthorizationService.java

s3/src/main/java/ch/cyberduck/core/s3/S3WebIdentityTokenExpiredResponseInterceptor.java

s3/src/main/java/ch/cyberduck/core/sts/STSCredentialsRequestInterceptor.java

oauth/src/main/java/ch/cyberduck/core/oauth/OAuth2AuthorizationService.java

core/src/main/java/ch/cyberduck/core/DefaultHostPasswordStore.java

…re.java

.github/workflows/ci.yml

core/src/main/java/ch/cyberduck/core/DefaultHostPasswordStore.java

…DefaultHostPasswordStore.java

oauth/src/main/java/ch/cyberduck/core/oauth/OAuth2AuthorizationService.java

s3/src/test/java/ch/cyberduck/core/sts/OidcAuthenticationTest.java

chenkins · 2023-08-11T10:57:01Z

Closing this pr after discussion with @dkocher - superseded by #14972 .

…enID Connect token from Keycloak (#14893) Co-authored-by: Ismail Cadaroski <ismail.cadaroski@students.fhnw.ch> Co-authored-by: Sherom Sandmeier <sherom.sandmeier@students.fhnw.ch>

SheromS requested a review from a team as a code owner July 9, 2023 14:48

dkocher mentioned this pull request Jul 10, 2023

OIDC+MinIO S3 - Current development stage #14796

Closed

2 tasks

dkocher changed the base branch from master to bugfix/GH-10917-authentication-interceptor July 10, 2023 21:35

SheromS and others added 12 commits July 11, 2023 10:56

add test environment with testcontainers including ci config

eadf6f2

add oAuth interceptor to S3Session

70cf6b1

add testing profile for test environment and test

e40c5ef

authentication tests with testcontainer environment

e6d69f2

add STS Credential Request Interceptor extending oAuth interceptor

56aa0ca

AssumeRoleWithWebIdentity Request is configurable by properties

32fbe3d

define the STS endpoint

d009fe5

add S3WebIdentityTokenExpiredResponseInterceptor.java as a ServiceUna…

aa5d07e

…vailableRetryStrategy

add authorization test cases and refresh tests

9226625

ensure Google IdP compatibility by extracting the idToken

53c6f8a

test different refresh scenarios

7c5093c

code fix and cleanup

3528d70

SheromS force-pushed the feature/oidc-sts-s3 branch from e7ef666 to 3528d70 Compare July 11, 2023 09:14

SheromS changed the base branch from bugfix/GH-10917-authentication-interceptor to master July 11, 2023 09:24

SheromS changed the base branch from master to bugfix/GH-10917-authentication-interceptor July 11, 2023 09:26

dkocher requested changes Jul 12, 2023

View reviewed changes

SheromS added 2 commits July 15, 2023 14:28

id token in refresh and tests, resolving other change requests

5019c21

edge case with expiry time elapsing after network latency

9eb9069

- remove not necessary scopes from S3-OIDC-Testing profile

f13eb58

- optimize docker-compose network configuration

dkocher requested changes Jul 20, 2023

View reviewed changes

package name sts and resolved change requests

f52f694

dkocher reviewed Aug 6, 2023

View reviewed changes

oauth/src/main/java/ch/cyberduck/core/oauth/OAuth2AuthorizationService.java Outdated Show resolved Hide resolved

dkocher changed the base branch from bugfix/GH-10917-authentication-interceptor to feature/GH-13804-minio+keycloak August 7, 2023 06:45

bugfix - prevent NullPointerException in TokenResponse

61ff656

dkocher reviewed Aug 7, 2023

View reviewed changes

core/src/main/java/ch/cyberduck/core/DefaultHostPasswordStore.java Outdated Show resolved Hide resolved

bugfix - get ID Token and not Refresh Token in DefaultHostPasswordSto…

cfcbd35

…re.java

dkocher reviewed Aug 7, 2023

View reviewed changes

.github/workflows/ci.yml Outdated Show resolved Hide resolved

dkocher reviewed Aug 7, 2023

View reviewed changes

core/src/main/java/ch/cyberduck/core/DefaultHostPasswordStore.java Outdated Show resolved Hide resolved

dkocher changed the title ~~Feature/OIDC-STS-S3~~ Connect to Minio with temporary credentials from STS obtained with OpenID Connect token from Keycloak Aug 8, 2023

bugfix - ci.yml cleaned and get ID Token instead of Refresh Token in …

a78a69b

…DefaultHostPasswordStore.java

dkocher reviewed Aug 10, 2023

View reviewed changes

oauth/src/main/java/ch/cyberduck/core/oauth/OAuth2AuthorizationService.java Show resolved Hide resolved

dkocher reviewed Aug 10, 2023

View reviewed changes

s3/src/test/java/ch/cyberduck/core/sts/OidcAuthenticationTest.java Show resolved Hide resolved

chenkins mentioned this pull request Aug 11, 2023

Allow connection profiles to use custom STS and OIDC endpoints #14972

Merged

chenkins closed this Aug 11, 2023

dkocher reopened this Aug 11, 2023

dkocher merged commit 287211c into iterate-ch:feature/GH-13804-minio+keycloak Aug 11, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Connect to Minio with temporary credentials from STS obtained with OpenID Connect token from Keycloak #14893

Connect to Minio with temporary credentials from STS obtained with OpenID Connect token from Keycloak #14893

SheromS commented Jul 9, 2023 •

edited by dkocher

Loading

dkocher commented Jul 10, 2023

dkocher left a comment •

edited

Loading

SheromS commented Jul 15, 2023

dkocher left a comment •

edited

Loading

chenkins commented Aug 11, 2023

Connect to Minio with temporary credentials from STS obtained with OpenID Connect token from Keycloak #14893

Connect to Minio with temporary credentials from STS obtained with OpenID Connect token from Keycloak #14893

Conversation

SheromS commented Jul 9, 2023 • edited by dkocher Loading

dkocher commented Jul 10, 2023

dkocher left a comment • edited Loading

Choose a reason for hiding this comment

SheromS commented Jul 15, 2023

dkocher left a comment • edited Loading

Choose a reason for hiding this comment

chenkins commented Aug 11, 2023

SheromS commented Jul 9, 2023 •

edited by dkocher

Loading

dkocher left a comment •

edited

Loading

dkocher left a comment •

edited

Loading