mirror of https://github.com/minio/docs.git synced 2025-05-28 00:41:14 +03:00
docs/source/includes/common/common-minio-oidc.rst

The following table contains a list of supported policy variables for use in authorizing :ref:`OIDC-managed users <minio-external-identity-management-openid>`.

Each variable corresponds to a claim returned as part of the authenticated user's JWT token:

.. list-table::
   :header-rows: 1
   :widths: 30 70
   :width: 100%

   * - Variable
     - Description

   * - ``jwt:sub``
     - Returns the ``sub`` claim for the user.

   * - ``jwt:iss``
     - Returns the Issuer Identifier claim from the ID token.

   * - ``jwt:aud``
     - Returns the Audience claim from the ID token.

   * - ``jwt:jti``
     - Returns the JWT ID claim from the client authentication information.

   * - ``jwt:upn``
     - Returns the User Principal Name claim from the client authentication information.

   * - ``jwt:name``
     - Returns the ``name`` claim for the user.

   * - ``jwt:groups``
     - Returns the ``groups`` claim for the user.

   * - ``jwt:given_name``
     - Returns the ``given_name`` claim for the user.

   * - ``jwt:family_name``
     - Returns the ``family_name`` claim for the user.

   * - ``jwt:middle_name``
     - Returns the ``middle_name`` claim for the user.

   * - ``jwt:nickname``
     - Returns the ``nickname`` claim for the user.

   * - ``jwt:preferred_username``
     - Returns the ``preferred_username`` claim for the user.

   * - ``jwt:profile``
     - Returns the ``profile`` claim for the user.

   * - ``jwt:picture``
     - Returns the ``picture`` claim for the user.

   * - ``jwt:website``
     - Returns the ``website`` claim for the user.

   * - ``jwt:email``
     - Returns the ``email`` claim for the user.

   * - ``jwt:gender``
     - Returns the ``gender`` claim for the user.

   * - ``jwt:birthdate``
     - Returns the ``birthdate`` claim for the user.

   * - ``jwt:phone_number``
     - Returns the ``phone_number`` claim for the user.

   * - ``jwt:address``
     - Returns the ``address`` claim for the user.

   * - ``jwt:scope``
     - Returns the ``scope`` claim for the user.

   * - ``jwt:client_id``
     - Returns the ``client_id`` claim for the user.

See the OpenID Connect Core 1.0 document for more information on these claims. Your OIDC provider of choice may have more specific documentation.

For example, the following policy uses variables to substitute the authenticated user's ``preferred_username`` claim into the ``Resource`` field and the ``s3:prefix`` condition, so that the user can only list and access the prefix that matches their username:

.. code-block:: json

   {
      "Version": "2012-10-17",
      "Statement": [
         {
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::mybucket"],
            "Condition": {"StringLike": {"s3:prefix": ["${jwt:preferred_username}/*"]}}
         },
         {
            "Action": [
               "s3:GetObject",
               "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::mybucket/${jwt:preferred_username}/*"]
         }
      ]
   }

MinIO replaces the ``${jwt:preferred_username}`` variable in the ``Resource`` field and the ``s3:prefix`` condition with the value of the ``preferred_username`` claim in the JWT token. MinIO then evaluates the policy and grants or denies access to the requested API and resource.
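As an added illustration of the substitution described above (example code, not MinIO's own policy engine), the following Python expands ``${jwt:...}`` variables in the policy from a decoded token's claims and evaluates a request against it. The evaluator is simplified, and the claims, username and object keys are constructed for the example.

```python
import fnmatch
import json
import re

# Constructed sample: the page's policy, using the jwt:preferred_username
# variable name exactly as listed in the table above.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["s3:ListBucket"], "Effect": "Allow",
     "Resource": ["arn:aws:s3:::mybucket"],
     "Condition": {"StringLike": {"s3:prefix": ["${jwt:preferred_username}/*"]}}},
    {"Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
     "Resource": ["arn:aws:s3:::mybucket/${jwt:preferred_username}/*"]}
  ]
}""")

# Constructed claims as they would appear in a decoded ID token (hypothetical user).
CLAIMS = {"sub": "user-1234", "preferred_username": "alice"}

VAR_RE = re.compile(r"\$\{jwt:([A-Za-z0-9_]+)\}")

def substitute(text, claims):
    """Expand ${jwt:<claim>} from the token's claims. A claim missing from the
    token (for instance a misspelled variable name) raises instead of expanding
    to an empty string, which would otherwise widen the resource pattern."""
    def repl(m):
        name = m.group(1)
        if name not in claims:
            raise KeyError(f"JWT claim {name!r} not present in token")
        return str(claims[name])
    return VAR_RE.sub(repl, text)

def is_allowed(policy, claims, action, resource, prefix=None):
    """Simplified evaluator: an explicit Deny wins, otherwise any matching
    Allow grants; wildcards use S3-style '*' matching via fnmatch."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in stmt["Action"]:
            continue
        patterns = [substitute(r, claims) for r in stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(resource, p) for p in patterns):
            continue
        like = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if like is not None:
            wanted = [substitute(p, claims) for p in like]
            if prefix is None or not any(fnmatch.fnmatchcase(prefix, p) for p in wanted):
                continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```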