OpenID Connect Access Management
Table of Contents
MinIO supports using an OpenID Connect (OIDC) compatible IDentity Provider (IDP) such as Okta, KeyCloak, Dex, Google, or Facebook for external management of user identities.
For identities managed by the external OpenID Connect (OIDC) compatible provider, MinIO uses the JSON Web Token claim returned as part of the OIDC authentication flow to identify the policies to assign to the authenticated user.
MinIO by default denies access to all actions or resources not explicitly allowed by a user’s assigned or inherited policies. Users managed by an OIDC provider must specify the necessary policies as part of the JWT claim. If the user JWT claim has no matching MinIO policies, that user has no permissions to access any action or resource on the MinIO deployment.
The specific claim which MinIO looks for is configured as part of deploying the cluster with OIDC identity management. This page focuses on creating MinIO policies to match the configured OIDC claims.
Identifying the JWT Claim Value
MinIO uses the JWT token returned as part of the OIDC authentication flow to identify the specific policies to assign to the authenticated user.
You can use a JWT Debugging tool to decode the returned JWT token and validate that the user attributes include the required claims.
See RFC 7519: JWT Claim for more information on JWT claims.
Defer to the documentation for your preferred OIDC provider for instructions on configuring user claims.
Creating Policies to Match Claims
Use either the MinIO Console or the mc admin policy
command to create policies that match one or more claim values.