idp: Use 900 seconds as minimum expiry without returning an error (#3022)

vadmeste · Anis Elleuch · bexsoft · web-flow · commit 50d6a3931274 · 2023-09-02T07:50:45.000-07:00
Do not bother the user with an error if the IDP expiry is less than
900 seconds, since the S3 spec sets a minimum of 900 seconds for STS
expiration, use that minimum duration instead of returning an error

Co-authored-by: Anis Elleuch &lt;anis@min.io&gt;
Co-authored-by: Alex &lt;33497058+bexsoft@users.noreply.github.com&gt;
diff --git a/pkg/auth/idp/oauth2/provider.go b/pkg/auth/idp/oauth2/provider.go
@@ -341,6 +341,12 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
 			expiration = exp
 		}
 
+		// Minimum duration in S3 spec is 15 minutes, do not bother returning
+		// an error to the user and force the minimum duration instead
+		if expiration < 900*time.Second {
+			expiration = 900 * time.Second
+		}
+
 		idToken := oauth2Token.Extra("id_token")
 		if idToken == nil {
 			return nil, errors.New("missing id_token")
