The official MinIO documentation is not very clear for anyone without an OpenID background. This time I was driven crazy by Claim Name; at first I had no idea what it even was. I kept getting the following error:

Policy claim missing from the JWT token, credentials will not be generated

Claim Name refers to the name of a field (claim) in the JWT token returned by the OpenID server. MinIO reads the value of that claim and uses it as the name of the policy (Policies) to attach to the user, granting the corresponding permissions. The default claim name is policy; the claim may hold a single policy name, several comma-separated names, or a JSON array of names, and each name must match a policy that already exists on the MinIO server, otherwise the login will not grant the expected access. I needed to integrate with Microsoft's authorization system, and the JWT token that Microsoft returns does not contain the policy field that MinIO expects by default, which produced the error above.

The OpenID configuration of the MinIO server can be retrieved with the following command:

mc admin config get local identity_openid

It returns something like the following:

identity_openid:Office365 display_name= config_url=https://login.microsoftonline.com/xxx/v2.0/.well-known/openid-configuration client_id=xxxe1bdab0 client_secret=xxx3SpaP2 claim_name=groups claim_userinfo=on role_policy= claim_prefix= redirect_uri=https://minio.example/oauth_callback redirect_uri_dynamic=off scopes= vendor= keycloak_realm= keycloak_admin_url=

Compared with the web console, this command shows exactly the configuration the server has actually applied. In the web UI you have to refresh the page first, otherwise what it displays is not necessarily accurate, because the save may have failed. Note also that changes to identity_openid made with mc admin config set only take effect after the server is restarted (mc admin service restart), so a value that looks right here may still not be the one the running process is using.

The SSO login traffic can be monitored with the following command:

mc admin trace -v -a local

When logging in via OpenID, you will see output similar to the following:

127.0.0.1:9000  [OS os.Lstat] [2023-03-14T15:07:54.084] /data/.minio.sys/format.json 23.653µs
127.0.0.1:9000 [REQUEST sts.AssumeRoleWithSSO] [2023-03-14T15:08:06.090] [Client IP: 127.0.0.1]
127.0.0.1:9000 POST /
127.0.0.1:9000 Proto: HTTP/1.1
127.0.0.1:9000 Host: 127.0.0.1:9000
127.0.0.1:9000 Content-Type: application/x-www-form-urlencoded
127.0.0.1:9000 User-Agent: Go-http-client/1.1
127.0.0.1:9000 Content-Length: 1198
127.0.0.1:9000 Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&Version=2011-06-15&WebIdentityToken=eyJ0eXAiOiJKV1QiLCJxxxxxxIi1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9....V7IYVVuglODuwwGzxxxxQa-LWJUKG2qgZV_MHGO3TetSQwPgwD0XdxxxxFacQ69a4C_qy3qZct_1Id-CV43YVsodiC4iZQ953Qy_VvO5dZ9ajQBPUodAnVAmFcD3gFIxxxxPUYxpsvbH3NHuxMB8wHJEfS_s2yp4RQ79aSOOkCS8VyojpSKpxxxxO8t-j68VzQOsB_3Pea1vg8UWo6Cz_lItTLje0NBB415r2A
127.0.0.1:9000 [RESPONSE] [2023-03-14T15:08:06.091] [ Duration 463µs  ↑ 1.2 KiB  ↓ 314 B ]
127.0.0.1:9000 400 Bad Request
127.0.0.1:9000 Content-Type: application/xml
127.0.0.1:9000 Server: MinIO
127.0.0.1:9000 Strict-Transport-Security: max-age=31536000; includeSubDomains
127.0.0.1:9000 X-Amz-Request-Id: 174C3769344BEF85
127.0.0.1:9000 X-Content-Type-Options: nosniff
127.0.0.1:9000 X-Xss-Protection: 1; mode=block
127.0.0.1:9000 Accept-Ranges: bytes
127.0.0.1:9000 Content-Length: 314
127.0.0.1:9000 X-Amz-Id-2: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
127.0.0.1:9000 Content-Security-Policy: block-all-mixed-content
127.0.0.1:9000 Vary: Origin
127.0.0.1:9000 <?xml version="1.0" encoding="UTF-8"?>
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"><Error><Type></Type><Code>InvalidParameterValue</Code><Message>policy claim missing from the JWT token, credentials will not be generated</Message></Error><RequestId>174C3769344BEF85</RequestId></ErrorResponse>
127.0.0.1:9000
127.0.0.1:9000  [OS os.Lstat] [2023-03-14T15:08:09.084] /data/.minio.sys/format.json 20.816µs

Copy the WebIdentityToken value into jwt.io to see which claims the JWT token contains. If one of them is suitable for authorization, set it as Claim Name. If none is, configure the OpenID server to add a suitable claim; for Azure AD this is done through the app registration's optional claims (for example the groups claim, which by default carries group object IDs rather than group names, so the MinIO policies must be named after those IDs). Bear in mind that the token is a live bearer credential: if you can, decode it locally with a base64url decoder instead of pasting it into a third-party site, and treat any trace that contains it as sensitive until it has expired.
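As an added example (not code from this post or from MinIO), here is a small Python script that does the jwt.io step offline: it pulls the WebIdentityToken out of mc admin trace output, decodes the payload, and resolves the configured claim_name (and claim_prefix) the way MinIO does, so you can see which policy names the token would map to, or reproduce the "policy claim missing" condition, without pasting a live bearer token into a third-party site. The trace text, tenant and group IDs, and user name are constructed placeholders, and the signature is deliberately not checked; this is a diagnostic, not a verifier.

```python
"""Offline inspection of the WebIdentityToken captured by `mc admin trace`.

Added example, not MinIO's own code. It mimics how MinIO resolves the
claim_name / claim_prefix settings against the JWT claims. The signature is
NOT verified: this helps decide which claim to configure, nothing more.
"""
import base64
import json
import re
from typing import Iterable, Optional
from urllib.parse import parse_qs


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it or b64decode raises.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a JWT with a placeholder signature, for constructing test input only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-example"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    segments.append(b64url_encode(b"\x00" * 32))  # dummy signature, never valid
    return ".".join(segments)


def decode_claims(token: str) -> dict:
    """Return the JWT payload without verifying the signature (inspection only)."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(segments[1]))


def token_from_trace(trace: str) -> str:
    """Extract WebIdentityToken from the form-encoded STS body in trace output."""
    match = re.search(r"Action=AssumeRoleWithWebIdentity&\S+", trace)
    if not match:
        raise ValueError("no AssumeRoleWithWebIdentity request body in trace")
    return parse_qs(match.group(0))["WebIdentityToken"][0]


def policies_from_claims(claims: dict, claim_name: str = "policy",
                         claim_prefix: str = "") -> Optional[list]:
    """Resolve the policy claim the way MinIO applies claim_name/claim_prefix.

    MinIO looks up claim_prefix + claim_name and accepts either a JSON array
    of policy names or one string of comma-separated names. None means the
    claim is absent: the 'policy claim missing from the JWT token' case.
    """
    value = claims.get(claim_prefix + claim_name)
    if value is None:
        return None
    if isinstance(value, str):
        value = value.split(",")
    return [name.strip() for name in value if name.strip()]


def check_mapping(claims: dict, claim_name: str, existing_policies: Iterable[str],
                  claim_prefix: str = "") -> dict:
    """Report which policy names the token maps to and which do not exist yet."""
    names = policies_from_claims(claims, claim_name, claim_prefix)
    if names is None:
        return {"status": "claim missing", "policies": [], "unknown": []}
    unknown = [name for name in names if name not in set(existing_policies)]
    if not names:
        status = "claim present but empty"
    elif unknown:
        status = "policies need creating"
    else:
        status = "all policies exist"
    return {"status": status, "policies": names, "unknown": unknown}


# Constructed sample input: an Azure AD style payload whose 'groups' claim
# carries group object IDs (placeholders) and which has no 'policy' claim,
# embedded in trace lines shaped like the ones in the post.
SAMPLE_CLAIMS = {
    "aud": "00000000-0000-0000-0000-00000000aaaa",
    "iss": "https://login.microsoftonline.com/tenant-placeholder/v2.0",
    "preferred_username": "alice@example.test",
    "groups": ["00000000-0000-0000-0000-000000000001",
               "00000000-0000-0000-0000-000000000002"],
}
SAMPLE_TRACE = (
    "127.0.0.1:9000 [REQUEST sts.AssumeRoleWithSSO] [2023-03-14T15:08:06.090]\n"
    "127.0.0.1:9000 POST /\n"
    "127.0.0.1:9000 Content-Type: application/x-www-form-urlencoded\n"
    "127.0.0.1:9000 Action=AssumeRoleWithWebIdentity&DurationSeconds=3600"
    "&Version=2011-06-15&WebIdentityToken=" + make_sample_token(SAMPLE_CLAIMS) + "\n"
)


if __name__ == "__main__":
    claims = decode_claims(token_from_trace(SAMPLE_TRACE))
    print("claims present:", sorted(claims))
    # Default claim_name=policy reproduces the post's error condition.
    print("claim_name=policy ->", check_mapping(claims, "policy", ["readwrite"]))
    # claim_name=groups maps, but policies must be named after the group IDs.
    print("claim_name=groups ->", check_mapping(claims, "groups",
          ["00000000-0000-0000-0000-000000000001"]))
```

To use it on a real capture, replace SAMPLE_TRACE with the text of the trace (or the bare token) and pass the claim_name value from mc admin config get together with the policy names that exist on the server. Any name it lists under "unknown" has to be created on the MinIO side (mc admin policy create on current mc releases) before a login with that token grants access.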


