
Support to login using temporary credentials from Security Token Service (STS API) using OpenID Connect web identity #13804

Closed
EternalDeiwos opened this issue Oct 18, 2022 · 3 comments · Fixed by #14893 or #14972
Labels: s3 AWS S3 Protocol Implementation

Comments

@EternalDeiwos

I considered writing this on #13377 or #13381; however, these are mostly related to AWS specifically, which isn't quite what I am looking for. I am currently using Wasabi for S3 and looking for a way to authenticate users from an IdP (SSO).

Wasabi supports AssumeRole, however to use that directly I would need to create users on Wasabi and manage their privileges there; and I would rather manage user accounts and their privileges from our IdP.

My goals are:

  1. Avoid users having to use anything other than Cyberduck. Users should be able to install a profile and be prompted to login.
  2. Configuring privileges (roles) is handled outside of Cyberduck.
  3. Should be compatible with anything that returns credentials in a valid format, e.g. AssumeRoleWithWebIdentityResponse or AssumeRoleResponse

I would like to do something like the following:

  1. Cyberduck opens a browser window to a configurable URL (as it does for Dropbox/GDrive).
  2. User authenticates in the browser window to an external service.
  3. External service uses Wasabi's STS to create appropriately privileged temporary credentials.
  4. Callback to Cyberduck with ??? (see below)

I am not entirely sure how the callback to Wasabi could be done or what is feasible. Cyberduck would obviously need the credentials, and some way to refresh the credentials when they are about to expire, like a session token or cookie.

While AWS' S3 SDK is very general and allows access to any compliant service, their authentication, particularly related to SSO, seems to be very locked to their IdP. Additionally, using an external configuration file (e.g. ~/.aws/credentials) is not user friendly.

I've read through the documentation and not found anything helpful, and neither are other issues on the topic such as this one: #11133
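As an added example (not Cyberduck's or Wasabi's code), the sketch below covers the two pieces the flow above needs on the client side: building the AssumeRoleWithWebIdentity request that exchanges an OIDC ID token for temporary credentials, and parsing either an AssumeRoleWithWebIdentityResponse or an AssumeRoleResponse so the client can refresh before the Expiration timestamp. The endpoint, role ARN, token and the embedded sample response are constructed placeholders.

```python
"""Added example: STS web-identity request and credential expiry handling."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import urlencode

# Namespace used by AWS-compatible STS responses (API version 2011-06-15).
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"
ACCEPTED = (STS_NS + "AssumeRoleWithWebIdentityResponse", STS_NS + "AssumeRoleResponse")


def build_assume_role_request(sts_endpoint, role_arn, id_token, session_name, duration=3600):
    """Query-string form of AssumeRoleWithWebIdentity. No SigV4 signing is
    involved: the OIDC ID token is the only proof of identity presented."""
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": id_token,
        "DurationSeconds": str(duration),
    }
    return f"{sts_endpoint}/?{urlencode(params)}"


def parse_credentials(xml_text):
    """Extract the <Credentials> block; both response types carry the same four fields."""
    root = ET.fromstring(xml_text)
    if root.tag not in ACCEPTED:
        raise ValueError(f"unexpected STS response element: {root.tag}")
    creds = root.find(f".//{STS_NS}Credentials")
    if creds is None:
        raise ValueError("STS response has no Credentials element")
    fields = {child.tag.replace(STS_NS, ""): child.text for child in creds}
    expiration = datetime.fromisoformat(fields["Expiration"].replace("Z", "+00:00"))
    return {"access_key": fields["AccessKeyId"], "secret_key": fields["SecretAccessKey"],
            "session_token": fields["SessionToken"], "expiration": expiration}


def needs_refresh(creds, now, margin=timedelta(minutes=5)):
    """Refresh ahead of expiry so an in-flight transfer does not hit ExpiredToken."""
    return now + margin >= creds["expiration"]


# Constructed sample response (placeholder values, not real credentials).
SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult><Credentials>
    <AccessKeyId>ASIAEXAMPLEKEY</AccessKeyId>
    <SecretAccessKey>example-secret</SecretAccessKey>
    <SessionToken>example-session-token</SessionToken>
    <Expiration>2023-08-28T12:00:00Z</Expiration>
  </Credentials></AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""
```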

@dkocher dkocher added the s3 AWS S3 Protocol Implementation label Oct 18, 2022
@dkocher dkocher self-assigned this Oct 18, 2022
@dkocher
Contributor

dkocher commented Dec 2, 2022

Related documentation from Minio.

OpenID Connect Access Management

@dkocher
Contributor

dkocher commented Jul 4, 2023

Wasabi Documentation [1]

Footnotes

  1. https://docs.wasabi.com/docs/iam-and-sts-support?highlight=assumerole

@dkocher dkocher modified the milestones: 9.0, 8.7.0 Jul 4, 2023
dkocher added a commit that referenced this issue Aug 11, 2023
…oak-simplified

Slimmed keycloak-realm.json.
dkocher added a commit that referenced this issue Aug 16, 2023
…ts-containertests

Bugfix STS testcontainer tests (BeforeClass annotation in abstract te…
dkocher added a commit that referenced this issue Aug 22, 2023
@dkocher dkocher changed the title Support for non-AWS STS for S3 Support to login using temporary credentials from STS API using OpenID Connect web identity Aug 24, 2023
@dkocher dkocher changed the title Support to login using temporary credentials from STS API using OpenID Connect web identity Support to login using temporary credentials from Security Token Service (STS API) using OpenID Connect web identity Aug 24, 2023
dkocher added a commit that referenced this issue Aug 28, 2023
Allow connection profiles to use custom STS and OIDC endpoints
@dkocher
Contributor

dkocher commented Aug 28, 2023

The feature is now available in the latest snapshot build. You are welcome to give it a try with your setup. We have tested the combinations available as connection profiles in [1].

The setup steps required in AWS are outlined in [2]. Feedback is much appreciated.

Footnotes

  1. Sample connection profiles for S3 and OpenID Connect Federation profiles#58

  2. Sample connection profiles for S3 and OpenID Connect Federation profiles#55
