From 22e76a5dc97a2a82d77475ba1fa394c0e3400bcf Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Mon, 12 Jan 2026 00:52:41 -0800
Subject: [PATCH] debug
---
 test/s3/iam/iam_config.local.json | 8 ++++----
 weed/iam/integration/iam_manager.go | 10 +++++++++-
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/test/s3/iam/iam_config.local.json b/test/s3/iam/iam_config.local.json
index 30522771b..4817988c7 100644
--- a/test/s3/iam/iam_config.local.json
+++ b/test/s3/iam/iam_config.local.json
@@ -19,11 +19,11 @@
 "type": "oidc",
 "enabled": true,
 "config": {
- "issuer": "http://localhost:8090/realms/seaweedfs-test",
+ "issuer": "http://localhost:8080/realms/seaweedfs-test",
 "clientId": "seaweedfs-s3",
 "clientSecret": "seaweedfs-s3-secret",
- "jwksUri": "http://localhost:8090/realms/seaweedfs-test/protocol/openid-connect/certs",
- "userInfoUri": "http://localhost:8090/realms/seaweedfs-test/protocol/openid-connect/userinfo",
+ "jwksUri": "http://localhost:8080/realms/seaweedfs-test/protocol/openid-connect/certs",
+ "userInfoUri": "http://localhost:8080/realms/seaweedfs-test/protocol/openid-connect/userinfo",
 "scopes": [
 "openid",
 "profile",
@@ -342,4 +342,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/weed/iam/integration/iam_manager.go b/weed/iam/integration/iam_manager.go
index 93ae2090d..2afd08791 100644
--- a/weed/iam/integration/iam_manager.go
+++ b/weed/iam/integration/iam_manager.go
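Review bot: The new `issuer`, `jwksUri` and `userInfoUri` values on port 8080 must match the `iss` claim the realm actually emits byte-for-byte, because the Go hunk in this same patch resolves the provider name by comparing the configured issuer with the token issuer using plain `==`; any scheme, host, port or trailing-slash difference leaves `aws:FederatedProvider` set to the raw issuer URL and name-based trust policies silently stop matching. The subject line `debug` does not say which Keycloak port the test harness exposes, so a sentence in the commit message stating why 8090 became 8080 would make the change reviewable. This file has no comment syntax, so that explanation belongs in the commit message or the test README rather than in the config itself.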
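Review bot: The `@@ -342,4 +342,4 @@` hunk rewrites the closing `}` only to drop the file's final newline (`\ No newline at end of file`), which is unrelated to the port change and will reappear as noise in every later diff of this file. Restore the trailing newline so this hunk disappears from the patch.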
@@ -395,18 +395,26 @@ func (m *IAMManager) validateTrustPolicyForWebIdentity(ctx context.Context, role
 requestContext["aws:FederatedProvider"] = iss
 requestContext["oidc:iss"] = iss
+ fmt.Printf("DEBUG: validateTrustPolicyForWebIdentity - Issuer: %s\n", iss)
+
 // Try to resolve provider name from issuer for better policy matching
 // This allows policies to reference the provider name (e.g. "keycloak") instead of the full issuer URL
 if m.stsService != nil {
 for name, provider := range m.stsService.GetProviders() {
 if oidcProvider, ok := provider.(interface{ GetIssuer() string }); ok {
- if oidcProvider.GetIssuer() == iss {
+ confIssuer := oidcProvider.GetIssuer()
+ fmt.Printf("DEBUG: Checking provider %s: config_issuer='%s' vs token_issuer='%s'\n", name, confIssuer, iss)
+
+ if confIssuer == iss {
 requestContext["aws:FederatedProvider"] = name
+ fmt.Printf("DEBUG: MATCH FOUND! aws:FederatedProvider set to: %s\n", name)
 break
 }
 }
 }
 }
 }
+
+ fmt.Printf("DEBUG: Final aws:FederatedProvider: %v\n", requestContext["aws:FederatedProvider"])
 }
 if sub, ok := tokenClaims["sub"].(string); ok {
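Review bot: The four added `fmt.Printf("DEBUG: ...")` calls write unconditionally to stdout on every web-identity trust-policy evaluation, bypass whatever logger the rest of this file uses, and print `iss` — which the hunk's own message labels `token_issuer`, i.e. a value carried by the presented token — with `%s`, so an issuer claim containing newlines can forge extra log lines; `%q` escapes it, e.g. `fmt.Printf("DEBUG: Checking provider %s: config_issuer=%q vs token_issuer=%q\n", name, confIssuer, iss)`. Given the commit subject these read as temporary instrumentation; if any of them are meant to stay, route them through the project's verbosity-gated logger instead of `fmt.Printf` (the file's imports are outside this hunk, so I cannot tell which logger is in scope here). The `confIssuer := oidcProvider.GetIssuer()` extraction and `if confIssuer == iss` are a harmless refactor and can remain once the prints are removed. validateTrustPolicyForWebIdentity begins and ends outside this hunk.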