From 974ddfe6811e33733ac8f16010c79753f65c5fb9 Mon Sep 17 00:00:00 2001
From: Chris Lu <chris.lu@gmail.com>
Date: Fri, 2 Jan 2026 20:13:50 -0800
Subject: [PATCH] Fix missing credentials in STSSessionClaims.ToSessionInfo()

---
 weed/iam/sts/session_claims.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/weed/iam/sts/session_claims.go b/weed/iam/sts/session_claims.go
index 8d065efcd..df50aaee5 100644
--- a/weed/iam/sts/session_claims.go
+++ b/weed/iam/sts/session_claims.go
@@ -63,6 +63,16 @@ func (c *STSSessionClaims) ToSessionInfo() *SessionInfo {
 		expiresAt = c.ExpiresAt.Time
 	}
 
+	// Generate temporary credentials from the session ID
+	// This is deterministic based on the session ID, so the same credentials are regenerated
+	credGenerator := NewCredentialGenerator()
+	credentials, err := credGenerator.GenerateTemporaryCredentials(c.SessionId, expiresAt)
+	if err != nil {
+		// If credential generation fails, return session info without credentials
+		// The validation code will catch this as invalid credentials
+		credentials = nil
+	}
+
 	return &SessionInfo{
 		SessionId:        c.SessionId,
 		SessionName:      c.SessionName,
@@ -75,6 +85,7 @@ func (c *STSSessionClaims) ToSessionInfo() *SessionInfo {
 		ExternalUserId:   c.ExternalUserId,
 		ProviderIssuer:   c.ProviderIssuer,
 		RequestContext:   c.RequestContext,
+		Credentials:      credentials,
 	}
 }