From 06bd1e582a416507c0adb0f01dbf06eddf62b4ed Mon Sep 17 00:00:00 2001
From: Sergey Morgunov
Date: Fri, 22 Nov 2019 04:45:15 +0300
Subject: [PATCH] Log in with OIDC not work with MINIO_DOMAIN (#8558) (#8559)
---
 cmd/generic-handlers.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/cmd/generic-handlers.go b/cmd/generic-handlers.go
index 537febe6f..a45389f64 100644
--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
@@ -152,6 +152,7 @@ func containsReservedMetadata(header http.Header) bool {
 const (
 minioReservedBucket = "minio"
 minioReservedBucketPath = SlashSeparator + minioReservedBucket
+ loginPathPrefix = SlashSeparator + "login"
 )

 // Adds redirect rules for incoming requests.
@@ -279,6 +280,16 @@ func isAdminReq(r *http.Request) bool {
 return strings.HasPrefix(r.URL.Path, adminPathPrefix)
 }

+// guessIsLoginSTSReq - returns true if incoming request is Login STS user
+func guessIsLoginSTSReq(req *http.Request) bool {
+ if req == nil {
+ return false
+ }
+ return strings.HasPrefix(req.URL.Path, loginPathPrefix) ||
+ (req.Method == http.MethodPost && req.URL.Path == SlashSeparator &&
+ getRequestAuthType(req) == authTypeSTS)
+}
+
 // Adds verification for incoming paths.
 type minioReservedBucketHandler struct {
 handler http.Handler
@@ -608,7 +619,7 @@ type bucketForwardingHandler struct {
 func (f bucketForwardingHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 if globalDNSConfig == nil || len(globalDomainNames) == 0 ||
 guessIsHealthCheckReq(r) || guessIsMetricsReq(r) ||
- guessIsRPCReq(r) || isAdminReq(r) {
+ guessIsRPCReq(r) || guessIsLoginSTSReq(r) || isAdminReq(r) {
 f.handler.ServeHTTP(w, r)
 return
 }
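Review bot: `strings.HasPrefix(req.URL.Path, loginPathPrefix)` in guessIsLoginSTSReq matches any path that merely starts with `/login`, so a path-style request to a bucket whose name begins with `login` (a constructed example: `/login-assets/key`) is classified as a login request as well. Because bucketForwardingHandler skips forwarding whenever this returns true, such a request would be handled locally instead of being forwarded to the cluster that owns the bucket. If the login endpoints all live at or under `/login` (not visible in this hunk), anchor the match on a path boundary: `p := req.URL.Path` followed by `p == loginPathPrefix || strings.HasPrefix(p, loginPathPrefix+SlashSeparator)`. The doc comment should also state that the result is a routing heuristic built from client-controlled fields (path, method, and whatever `getRequestAuthType` inspects) and must not be treated as an authentication decision.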
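Review bot: The new `guessIsLoginSTSReq(r)` term in the bypass condition of bucketForwardingHandler.ServeHTTP has no regression test; the diffstat lists only cmd/generic-handlers.go. This condition decides which requests skip forwarding once `globalDNSConfig` and `globalDomainNames` are set, so a table-driven handler test should pin it. The test should assert that a `/login` path and an STS `POST /` reach `f.handler`, while an ordinary bucket path, including one whose name only begins with `login`, still takes the forwarding branch. ServeHTTP's body continues past the end of this hunk, so the forwarding branch itself is not visible here.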