ARGS:
config_url*   (url)       openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"
client_id     (string)    unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"
claim_name    (string)    JWT canned policy claim name, defaults to "policy"
claim_prefix  (string)    JWT claim namespace prefix e.g. "customer1/"

	"github.com/minio/pkg/v3/policy"
)

// OpenID keys and envs.
const (
	ClientID          = "client_id"
	ClientSecret      = "client_secret"
	ConfigURL         = "config_url"
	ClaimName         = "claim_name"
	ClaimUserinfo     = "claim_userinfo"
	RolePolicy        = "role_policy"
	DisplayName       = "display_name"
	UserReadableClaim = "user_readable_claim"
	UserIDClaim       = "user_id_claim"

ARGS:
config_url*   (url)       openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"
client_id     (string)    unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"
claim_name    (string)    JWT canned policy claim name, defaults to "policy"
claim_prefix  (string)    JWT claim namespace prefix e.g. "customer1/"

call.

2. `id_token` claims: When the role policy is not configured, MinIO looks for a specific claim in the `id_token` (JWT) returned by the OpenID provider in the STS request. The default claim is `policy` and can be overridden by the `claim_name` configuration parameter or the `MINIO_IDENTITY_OPENID_CLAIM_NAME` environment variable. The claim value can be a string (comma-separated list) or an array of IAM access policy names defined in the server. A `RoleArn` API request parameter *must...

		}
		if rolePolicies[i] != "" {
			configCmds = append(configCmds, fmt.Sprintf("role_policy=%s", rolePolicies[i]))
		} else {
			configCmds = append(configCmds, "claim_name=groups")
		}
		_, err := s.adm.SetConfigKV(ctx, strings.Join(configCmds, " "))
		if err != nil {
			return fmt.Errorf("unable to setup OpenID for tests: %v", err)
		}
	}

	s.RestartIAMSuite(c)

lue":""},{"key":"lookup_bind_password","value":""}]},"identity_openid":{"_":[{"key":"enable","value":""},{"key":"display_name","value":""},{"key":"config_url","value":""},{"key":"client_id","value":""},{"key":"client_secret","value":""},{"key":"claim_name","value":"policy"},{"key":"claim_userinfo","value":""},{"key":"role_policy","value":""},{"key":"claim_prefix","value":""},{"key":"redirect_uri","value":""},{"key":"redirect_uri_dynamic","value":"off"},{"key":"scopes","value":""},{"key":"vendor"...

	roleArn  arn.ARN
	provider provider.Provider
}

func newProviderCfgFromConfig(getCfgVal func(cfgName string) string) providerCfg {
	return providerCfg{
		DisplayName:        getCfgVal(DisplayName),
		ClaimName:          getCfgVal(ClaimName),
		ClaimUserinfo:      getCfgVal(ClaimUserinfo) == config.EnableOn,
		ClaimPrefix:        getCfgVal(ClaimPrefix),
		RedirectURI:        getCfgVal(RedirectURI),

            {{- else }}
              value: {{ .Values.oidc.clientSecret }}
            {{- end }}
            - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
              value: {{ .Values.oidc.claimName }}
            - name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
              value: {{ .Values.oidc.claimPrefix }}
            - name: MINIO_IDENTITY_OPENID_SCOPES
              value: {{ .Values.oidc.scopes }}

            {{- else }}
              value: {{ .Values.oidc.clientSecret }}
            {{- end }}
            - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
              value: {{ .Values.oidc.claimName }}
            - name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
              value: {{ .Values.oidc.claimPrefix }}
            - name: MINIO_IDENTITY_OPENID_SCOPES
              value: {{ .Values.oidc.scopes }}

/.well-known/openid-configuration" clientId: "minio" clientSecret: "" # Provide existing client secret from the Kubernetes Secret resource, existing secret will have priority over `clientSecret` existingClientSecret: "" existingClientSecret: "" claimName: "policy" scopes: "openid,profile,email" redirectUri: "https://console-endpoint-url/oauth_callback" # Can leave empty claimPrefix: "" comment: "" networkPolicy: enabled: false allowExternal: true ## PodDisruptionBudget settings ## ref: https://k...