
not possible to manage oidc users #3436

Closed
thanks4wifi opened this issue Sep 11, 2024 · 3 comments

@thanks4wifi

I was asked to revoke all service accounts associated with one of our users' OIDC accounts in minio.

I figured I'd be able to login to the admin console and look for user@email or their account name but found that the user management only lists local users.

I could not find any way to go from user@email or account name to a minio identifier for the user, which made it impossible to use the ui or cli to list service accounts associated with the user in question.

Ideally I'd like to have a process in place for when/if we have a security incident that does not rely on the user to provide us with an access key so we can do a lookup on it to find their minio identifier.

I don't think the current treatment of OIDC users is safe.

Expected Behavior

It should be possible to quickly lookup and revoke access keys for a known OIDC user, like one can currently do for local minio users.

Current Behavior

You had better hope you have an access key associated with the user, otherwise you might need to login to one of the minio servers and grep -ir to hopefully find their minio identifier.

One should not need to run a grep to find this information, it should be either a quick api request or a few button clicks at most.

Possible Solution

Track and list OIDC users in the user management area.

Also make it possible to look up an OIDC user by their email/name or something. The current hashed identifiers are mostly useless for administration purposes.

Steps to Reproduce (for bugs)

  1. setup OIDC for 1,000 users
  2. be asked to list / revoke all service accounts associated with user 858

Context

Not being able to manage OIDC users makes it hard to keep our minio deployment secure.

Regression

No.

Your Environment

  • MinIO version used (minio --version): 2024-06-29T01:20:47Z
  • Server setup and configuration: k8s
  • Operating System and version (uname -a): linux
@ramondeklein (Collaborator)

ramondeklein commented Sep 16, 2024

The AssumeRoleWithWebIdentity endpoint generates temporary access credentials using a JWT that is returned from the configured OpenID provider. Note that the returned JWT is also valid for a longer period (as specified in the exp claim). Just as you cannot ask the OpenID provider for a list of issued JWT tokens, you cannot ask MinIO for a list of temporary credentials.

The reason is simple... The credentials are not stored in MinIO itself, but the credentials hold all the information and are signed, so tampered credentials will be detected. Because the credentials are not stored inside MinIO, there is no way to list them. Even if you were able to revoke the MinIO credentials, the user could obtain new MinIO credentials until the JWT issued by the OIDC provider has expired. The JWT would still be valid, so MinIO will create credentials for them.

@thanks4wifi (Author)

thanks4wifi commented Sep 16, 2024

But someone who logs in via OIDC is able to issue new service account credentials which live for longer than the initial JWT that was used to auth to Minio.

How do I list those?

@ramondeklein (Collaborator)

You can't list temporary issued tokens.

2 participants