OpenID - make it friendly with minio [s3 spec]
Insight
I have just deployed a minio instance, finally managed to set up OpenID authentication via self-hosted GitLab and started working on dynamic permission policies (minio docs, see #policy-variables).
What I wanted to configure is dynamic access permission policies: basically, allowing a user whose username is aljaxus and who is in groups grp1 and grp2 to have all permissions on buckets aljaxus, grp1 and grp2.
But this is not possible to implement with the username (groups are provided, but there's another problem with minio itself, minio/minio#11303), because GitLab does not pass the username property in the OpenID JWT value.
Action
What I would like to request is that GitLab passes the username property in the OpenID JWT, as it currently only provides nickname, and even that is only available with a separate request and not directly in the JWT.
The username property should have the same value as nickname.
I'd also like to ask for the groups property to be included in the JWT value.
Resources
- 📖 gitlab openid docs: https://docs.gitlab.com/ee/integration/openid_connect_provider.html#shared-information
- 📖 minio openid docs: https://docs.min.io/minio/baremetal/security/openid-external-identity-management/configure-openid-external-identity-management.html
- 📖 minio policy variables docs: https://docs.min.io/docs/minio-multi-user-quickstart-guide.html
- 📃 minio issue on groups handling: https://github.com/minio/minio/issues/11303
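As an added illustration (not code from the issue author, GitLab or MinIO): the policy the Insight section describes, written with MinIO-style `${jwt:<claim>}` variables, plus a small stand-in evaluator that expands those variables against the claims of an ID token. The claim names `preferred_username` and `groups` and the bucket/user names are assumptions for the demo; the evaluator is a simplified simulation, not MinIO's own policy engine. It shows the failure mode the issue is about: when the token lacks the claim a variable refers to, the resource cannot be expanded and the statement grants nothing for that resource.

```python
"""Simulation of ${jwt:...} policy-variable expansion (added example, not MinIO code)."""

import json
import re
from typing import Any, Dict, List

# Hypothetical policy: full access to a bucket named after the user and to
# buckets named after each group the user belongs to. Variable names follow
# MinIO's jwt:<claim> convention; the claim names themselves are assumptions.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::${jwt:preferred_username}",
        "arn:aws:s3:::${jwt:preferred_username}/*",
        "arn:aws:s3:::${jwt:groups}",
        "arn:aws:s3:::${jwt:groups}/*"
      ]
    }
  ]
}
""")

# Constructed ID-token claims: what the issue asks GitLab to emit.
CLAIMS_FULL = {"sub": "42", "preferred_username": "aljaxus", "groups": ["grp1", "grp2"]}
# Constructed claims: a token with groups but without any username claim.
CLAIMS_NO_USERNAME = {"sub": "42", "groups": ["grp1", "grp2"]}

VAR_RE = re.compile(r"\$\{jwt:([A-Za-z_]+)\}")


def expand_resource(resource: str, claims: Dict[str, Any]) -> List[str]:
    """Expand every ${jwt:claim} in one resource ARN.

    A scalar claim yields one ARN; a list-valued claim (e.g. groups) yields
    one ARN per value (this example's choice, not necessarily MinIO's);
    a missing claim yields no ARN at all, so that resource never matches.
    """
    results = [resource]
    for name in sorted(set(VAR_RE.findall(resource))):
        value = claims.get(name)
        if value is None:
            return []
        values = value if isinstance(value, list) else [value]
        token = "${jwt:" + name + "}"
        results = [r.replace(token, str(v)) for r in results for v in values]
    return results


def arn_matches(pattern: str, candidate: str) -> bool:
    """Glob-style match where '*' matches any run and '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, candidate) is not None


def is_allowed(policy: Dict[str, Any], claims: Dict[str, Any], action: str, arn: str) -> bool:
    """Allow if any Allow statement matches the action and an expanded resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(arn_matches(a, action) for a in stmt["Action"]):
            continue
        for resource in stmt["Resource"]:
            for expanded in expand_resource(resource, claims):
                if arn_matches(expanded, arn):
                    return True
    return False


if __name__ == "__main__":
    targets = ["arn:aws:s3:::aljaxus/notes.txt", "arn:aws:s3:::grp2/report.pdf", "arn:aws:s3:::grp3/x"]
    for label, claims in (("with username", CLAIMS_FULL), ("no username", CLAIMS_NO_USERNAME)):
        for arn in targets:
            print(f"{label:14} s3:GetObject {arn}: {is_allowed(POLICY, claims, 's3:GetObject', arn)}")
```

With the full claim set the user reaches aljaxus, grp1 and grp2 and nothing else; with the username claim missing, the two `${jwt:preferred_username}` resources expand to nothing, so the group buckets still work but the per-user bucket is unreachable, which is exactly why the claim has to be present in the token rather than only behind a separate userinfo request.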