From 3ead66825b2571841cbb92b9ce96e39fdbd4e600 Mon Sep 17 00:00:00 2001
From: Bala FA <bala@minio.io>
Date: Wed, 13 Nov 2024 16:15:42 +0530
Subject: [PATCH] WebIdentityClientGrantsProvider: use 'id_token' as fallback
 to 'access_token' (#1457)

Signed-off-by: Bala.FA <bala@minio.io>
---
 minio/credentials/providers.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/minio/credentials/providers.py b/minio/credentials/providers.py
index ee232a254..718d245ab 100644
--- a/minio/credentials/providers.py
+++ b/minio/credentials/providers.py
@@ -654,9 +654,10 @@ def retrieve(self) -> Credentials:
         if self._policy:
             query_params["Policy"] = self._policy
 
+        access_token = jwt.get("access_token") or jwt.get("id_token", "")
         if self._is_web_identity():
             query_params["Action"] = "AssumeRoleWithWebIdentity"
-            query_params["WebIdentityToken"] = jwt.get("id_token", "")
+            query_params["WebIdentityToken"] = access_token
             if self._role_arn:
                 query_params["RoleArn"] = self._role_arn
                 query_params["RoleSessionName"] = (
@@ -666,7 +667,7 @@ def retrieve(self) -> Credentials:
                 )
         else:
             query_params["Action"] = "AssumeRoleWithClientGrants"
-            query_params["Token"] = jwt.get("id_token", "")
+            query_params["Token"] = access_token
 
         url = self._sts_endpoint + "?" + urlencode(query_params)
         res = _urlopen(self._http_client, "POST", url)