Identity Management Plugin

The AIStor Identity Management Plugin provides a REST interface for offloading authentication to an external identity manager with a webhook service.

Client applications can use the AssumeRoleWithCustomToken STS API extension to generate access tokens for AIStor. AIStor verifies this token by making a POST request to the configured plugin endpoint and uses the returned response to determine the authentication status of the client.

Configuration settings

You can configure the AIStor Identity Management Plugin with the following environment variables or configuration settings:

Environment Variables

Specify the following environment variables for each object store in the deployment:

MINIO_IDENTITY_PLUGIN_URL="https://external-auth.example.net:8080/auth"
MINIO_IDENTITY_PLUGIN_ROLE_POLICY="consoleAdmin"

# All other envvars are optional
MINIO_IDENTITY_PLUGIN_TOKEN="Bearer TOKEN"
MINIO_IDENTITY_PLUGIN_ROLE_ID="external-auth-provider"
MINIO_IDENTITY_PLUGIN_COMMENT="External Identity Management using PROVIDER"

Configuration Settings

Specify the following settings with the mc admin config set command:

mc admin config set identity_plugin \
   url="https://external-auth.example.net:8080/auth" \
   role_policy="consoleAdmin" \

   # All other config settings are optional
   token="Bearer TOKEN" \
   role_id="external-auth-provider" \
   comment="External Identity Management using PROVIDER"

Authentication and authorization flow

The login flow for an application is as follows:

Make a POST request using the AssumeRoleWithCustomToken API.

The request includes a token used by the configured external identity manager for authenticating the client.
AIStor makes a POST call to the configured identity plugin URL using the token specified to the STS API.

On successful authentication, the identity manager returns a 200 OK response with an application/json content-type and body with the following structure:

{
   "user": "<string>",
   "maxValiditySeconds": 3600,
   "claims": {"KEY": "VALUE", ...]}
}

`user`	The owner of the requested credentials
`maxValiditySeconds`	The maximum allowed expiry duration for the returned credentials
`claims`	A JSON string of `"key": "value"` pair claim(s) associated with the requested credentials. AIStor reserves and ignores the `exp`, `parent`, and `sub` claims objects if present.

AIStor returns a response to the STS API request that includes temporary credentials for use with making authenticated requests.

If the identity manager rejects the authentication request or otherwise encounters an error, the response must return a 403 FORBIDDEN HTTP status code with an application/json content-type and body with the following structure:

{
     "reason": "<string>"
}

The "reason" field should include the reason for the 403.

Create policies to match claims

Use either the AIStor console or the mc admin policy command to create policies that match one or more claim values.