Fix IAM OIDC role mapping and OIDC claims in trust policy (#8104)

* Fix IAM OIDC role mapping and OIDC claims in trust policy * Address PR review: Add config safety checks and refactor tests
2026-01-23 21:35:26 -08:00
parent 57a16b0b87
commit 6394e2f6a5
3 changed files with 108 additions and 3 deletions
--- a/weed/iam/integration/iam_manager.go
+++ b/weed/iam/integration/iam_manager.go
@@ -508,6 +508,18 @@ func (m *IAMManager) validateTrustPolicyForWebIdentity(ctx context.Context, role
 		}
 		// Custom claims can be prefixed if needed, but for "be 100% compatible with AWS",
 		// we should rely on standard OIDC claims.
+
+		// Add all other claims with oidc: prefix to support custom claims in trust policies
+		// This enables checking claims like "oidc:roles", "oidc:groups", "oidc:email", etc.
+		for k, v := range tokenClaims {
+			// Skip claims we've already handled explicitly or shouldn't expose
+			if k == "iss" || k == "sub" || k == "aud" {
+				continue
+			}
+
+			// Add with oidc: prefix
+			requestContext["oidc:"+k] = v
+		}
 	}

 	// Add DurationSeconds to context if provided