mirror of
https://github.com/minio/docs.git
synced 2025-08-06 14:42:56 +03:00
113 lines
3.3 KiB
ReStructuredText
113 lines
3.3 KiB
ReStructuredText
.. start-minio-oidc-policy-variables
|
|
|
|
The following table contains a list of supported policy variables for use in authorizing :ref:`OIDC-managed users <minio-external-identity-management-openid>`.
|
|
|
|
Each variable corresponds to a claim returned as part of the authenticated user's JWT token:
|
|
|
|
.. list-table::
|
|
:header-rows: 1
|
|
:widths: 40 60
|
|
:width: 100%
|
|
|
|
* - Variable
|
|
- Description
|
|
|
|
* - ``jwt:sub``
|
|
- Returns the ``sub`` claim for the user.
|
|
|
|
* - ``jwt:iss``
|
|
- Returns the Issuer Identifier claim from the ID token.
|
|
|
|
* - ``jwt:aud``
|
|
- Returns the Audience claim from the ID token.
|
|
|
|
* - ``jwt:jti``
|
|
- Returns the JWT ID claim from the client authentication information.
|
|
|
|
* - ``jwt:upn``
|
|
- Returns the User Principal Name claim from the client authentication information.
|
|
|
|
* - ``jwt:name``
|
|
- Returns the ``name`` claim for the user.
|
|
|
|
* - ``jwt:groups``
|
|
- Returns the ``groups`` claim for the user.
|
|
|
|
* - ``jwt:given_name``
|
|
- Returns the ``given_name`` claim for the user.
|
|
|
|
* - ``jwt:family_name``
|
|
- Returns the ``family_name`` claim for the user.
|
|
|
|
* - ``jwt:middle_name``
|
|
- Returns the ``middle_name`` claim for the user.
|
|
|
|
* - ``jwt:nickname``
|
|
- Returns the ``nickname`` claim for the user.
|
|
|
|
* - ``jwt:preferred_username``
|
|
- Returns the ``preferred_username`` claim for the user.
|
|
|
|
* - ``jwt:profile``
|
|
- Returns the ``profile`` claim for the user.
|
|
|
|
* - ``jwt:picture``
|
|
- Returns the ``picture`` claim for the user.
|
|
|
|
* - ``jwt:website``
|
|
- Returns the ``website`` claim for the user.
|
|
|
|
* - ``jwt:email``
|
|
- Returns the ``email`` claim for the user.
|
|
|
|
* - ``jwt:gender``
|
|
- Returns the ``gender`` claim for the user.
|
|
|
|
* - ``jwt:birthdate``
|
|
- Returns the ``birthdate`` claim for the user.
|
|
|
|
* - ``jwt:phone_number``
|
|
- Returns the ``phone_number`` claim for the user.
|
|
|
|
* - ``jwt:address``
|
|
- Returns the ``address`` claim for the user.
|
|
|
|
* - ``jwt:scope``
|
|
- Returns the ``scope`` claim for the user.
|
|
|
|
* - ``jwt:client_id``
|
|
- Returns the ``client_id`` claim for the user.
|
|
|
|
See the `OpenID Connect Core 1.0 <https://openid.net/specs/openid-connect-core-1_0.html>`__ document for more information on these scopes.
|
|
Your OIDC provider of choice may have more specific documentation.
|
|
|
|
For example, the following policy uses variables to substitute the authenticated user's ``PreferredUsername`` as part of the ``Resource`` field such that the user can only access those prefixes which match their username:
|
|
|
|
.. code-block:: json
|
|
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Action": ["s3:ListBucket"],
|
|
"Effect": "Allow",
|
|
"Resource": ["arn:aws:s3:::mybucket"],
|
|
"Condition": {"StringLike": {"s3:prefix": ["${jwt:PreferredUsername}/*"]}}
|
|
},
|
|
{
|
|
"Action": [
|
|
"s3:GetObject",
|
|
"s3:PutObject"
|
|
],
|
|
"Effect": "Allow",
|
|
"Resource": ["arn:aws:s3:::mybucket/${jwt:PreferredUsername}/*"]
|
|
}
|
|
]
|
|
}
|
|
|
|
MinIO replaces the ``${jwt:PreferredUsername}`` variable in the ``Resource`` field with the value of the ``PreferredUsername`` in the JWT token.
|
|
MinIO then evaluates the policy and grants or revokes access to the requested API and resource.
|
|
|
|
.. end-minio-oidc-policy-variables
|
|
|