rgw/sts: Use client_id for assumerolewithwebidentityresponse
authorPritha Srivastava <prsrivas@redhat.com>
Mon, 17 Feb 2025 08:11:15 +0000 (13:41 +0530)
committerPritha Srivastava <prsrivas@redhat.com>
Wed, 30 Apr 2025 09:30:33 +0000 (15:00 +0530)
if aud is not present in the JWT.

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
(cherry picked from commit b5bbeb7ea3a65bfed368f834cc6c11fa23ee24e1)

src/rgw/rgw_auth.cc

index 2c61b8361a2bbdbf4db75dbcdf71cf3c059dcb70..dbf055cf0fb6ee79fe70ca7de47eb6474a25a7a1 100644 (file)
@@ -433,7 +433,15 @@ void rgw::auth::WebIdentityApplier::load_acct_info(const DoutPrefixProvider* dpp
 void rgw::auth::WebIdentityApplier::modify_request_state(const DoutPrefixProvider *dpp, req_state* s) const
 {
   s->info.args.append("sub", this->sub);
-  s->info.args.append("aud", this->aud);
+  //this is needed for AssumeRoleWithWebIdentityResponse
+  //but if aud is not present in the token, client id can be used
+  //from AWS docs - "The intended audience (also known as client ID) of the web identity token."
+  //https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
+  if (this->aud.empty() && !this->client_id.empty()) {
+    s->info.args.append("aud", this->client_id);
+  } else {
+    s->info.args.append("aud", this->aud);
+  }
   s->info.args.append("provider_id", this->iss);
   s->info.args.append("client_id", this->client_id);