Tags: docker, single-sign-on, openid, minio, fusionauth

Groups claim missing from JWT generated by FusionAuth while setting up SSO with FusionAuth


I am trying to link FusionAuth as an SSO provider for MinIO, but I am facing the following error:

<?xml version="1.0" encoding="UTF-8"?>
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type></Type>
    <Code>InvalidParameterValue</Code>
    <Message>groups claim missing from the JWT token, credentials will not be generated</Message>
  </Error>
  <RequestId>175A7B8469F151BB</RequestId>
</ErrorResponse>

Upon inspecting the JWT sent by FusionAuth, the payload is:

{
  "aud": "55ad32c7-99eb-40e9-abc0-479c2f18c18e",
  "exp": 1682796819,
  "iat": 1682793219,
  "iss": "acme.com",
  "sub": "ad58f73f-79fd-4806-86f7-cd9d48b65400",
  "jti": "85e0a440-c254-4684-9c7b-caa830c1d491",
  "authenticationType": "PASSWORD",
  "email": "admin@admin.com",
  "email_verified": true,
  "at_hash": "wLcTvHBgOMQblFXSJCEr2w",
  "c_hash": "N9XJhvfh8Cz0sKnWjw3TEQ",
  "scope": "openid offline_access",
  "sid": "8ed4559c-1d86-41db-9312-cfd2e42d0fc4",
  "auth_time": 1682793219,
  "tid": "42178a6c-35ab-6c81-f8f9-4696fc894a60"
}

which is indeed missing the groups claim. I have created roles in the application that correspond to MinIO bucket policy names and also added them to the user I am trying to authenticate. I have also made a group named minio which has all these roles, and it is attached to the user as well. What am I doing wrong? How can I send the role names through the JWT so that MinIO authenticates with FusionAuth?

Sharing my MinIO OpenID settings here:

https://i.sstatic.net/jAmei.png

I tried adding roles to the user and attaching them to the group.


Solution

  • I believe what you are looking for is to use a JWT Populate Lambda to add in the additional claims that you need. The documentation for that is here:

    https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate

    This should allow you to add the groups claim in whatever format is required.

    Then, you just need to associate the Lambda with the Application. This is done by editing the Application and clicking on the JWT tab. At the bottom of this tab, you'll find the setting named Access Token populate lambda. This controls the Lambda that is used to manipulate the JWT.
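As an added illustration (not code from the question or the answer above), this is what such a JWT populate lambda can look like. It assumes MinIO is configured to read a claim named groups (the name in the error message) and that registration.roles holds the application role names FusionAuth resolves for the user, including roles granted through group membership; check that last point against your FusionAuth version.

```javascript
// FusionAuth JWT populate lambda: populate(jwt, user, registration) is the
// entry point FusionAuth calls before signing the token. Everything else here
// (the helper, the claim name "groups", the sample data in the comments) is an
// assumption made for this example.

// Build a clean claim value from a list of role names: trims whitespace,
// drops empty entries and duplicates, keeps first-seen order. MinIO matches
// these names against its policy names, so stray spaces would silently fail.
function groupsClaimFromRoles(roles) {
  var groups = [];
  var seen = {};
  if (!roles) {
    return groups;
  }
  for (var i = 0; i < roles.length; i++) {
    var name = String(roles[i]).trim();
    if (name.length > 0 && !seen[name]) {
      seen[name] = true;
      groups.push(name);
    }
  }
  return groups;
}

function populate(jwt, user, registration) {
  // registration is null when the user is not registered for this application
  var roles = registration ? registration.roles : null;
  var groups = groupsClaimFromRoles(roles);
  // Only emit the claim when the user actually has roles. With no claim MinIO
  // keeps refusing to issue credentials (the error shown in the question),
  // which is the safe default for a user who has no policy mapped.
  if (groups.length > 0) {
    jwt.groups = groups;
  }
  return jwt;
}
```

The claim is emitted as a JSON array of policy names; if your MinIO setup expects a single comma-separated string instead, join the array before assigning it.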