Documentation

OpenID Identity Management Settings

This page documents settings for enabling external identity management using an OpenID Connect (OIDC)-compatible provider. See OpenID Connect Access Management for a tutorial on using these settings.

You can establish or modify settings by defining:

  • an environment variable on the host system prior to starting or restarting the MinIO Server. Refer to your operating system’s documentation for how to define an environment variable.

  • a configuration setting using mc admin config set.

  • a configuration setting using the MinIO Console’s Administrator > Settings pages.

If you define both an environment variable and the similar configuration setting, MinIO uses the environment variable value.

Some settings have only an environment variable or a configuration setting, but not both.

Important

Each configuration setting controls fundamental MinIO behavior and functionality. MinIO strongly recommends testing configuration changes in a lower environment, such as DEV or QA, before applying to production.

Examples

MINIO_IDENTITY_OPENID_CONFIG_URL="https://openid-provider.example.net/.well-known/openid-configuration"
identity_openid

Use mc admin config set to set or update the OpenID configuration. The config_url argument is required. Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set identity_openid                                               \
  config_url="https://openid-provider.example.net/.well-known/openid-configuration" \
  [ARGUMENT="VALUE"] ...

Settings

Config URL

Required

MINIO_IDENTITY_OPENID_CONFIG_URL
identity_openid config_url

Specify the URL for the OIDC compatible provider discovery document.

The OIDC Discovery URL typically resembles the following:

https://openid-provider.example.net/.well-known/openid-configuration

Enabled

Optional

This setting does not have an environment variable option. Use the Configuration Setting instead.

identity_openid enabled

Set to false to disable the OpenID configuration.

Applications cannot generate STS credentials or otherwise authenticate to MinIO using the configured provider if set to false.

Defaults to true or “enabled”.

Client ID

Optional

MINIO_IDENTITY_OPENID_CLIENT_ID
identity_openid client_id

Specify the unique public identifier MinIO uses when authenticating user credentials against the OIDC compatible provider.

Client Secret

Optional

MINIO_IDENTITY_OPENID_CLIENT_SECRET
identity_openid client_secret

Specify the client secret MinIO uses when authenticating user credentials against the OIDC compatible provider. This field may be optional depending on the provider.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

Role Policy

Optional

This setting is mutually exclusive with the Claim Name setting.

MINIO_IDENTITY_OPENID_ROLE_POLICY
identity_openid role_policy

Specify a comma-separated list of policy names to use for the request’s RoleArn for all authentication requests for the provider. The specified policy or policies must already exist on the MinIO Server.

To use this OIDC configuration, you must specify the corresponding RoleArn in the STS request body.

Claim Name

Optional

This setting is mutually exclusive with the Role Policy setting.

MINIO_IDENTITY_OPENID_CLAIM_NAME
identity_openid claim_name

Specify the name of the JWT Claim MinIO uses to identify the policies to attach to the authenticated user.

The claim can contain one or more comma-separated policy names to attach to the user. The claim must contain at least one policy for the user to have any permissions on the MinIO server.

Defaults to policy.

Claim Prefix

Optional

MINIO_IDENTITY_OPENID_CLAIM_PREFIX
identity_openid claim_prefix

Specify the JWT Claim namespace prefix to apply to the specified claim name.

Display Name

Optional

MINIO_IDENTITY_OPENID_DISPLAY_NAME
identity_openid display_name

Specify the user-facing name the MinIO Console displays on the login screen.

Scopes

Optional

MINIO_IDENTITY_OPENID_SCOPES
identity_openid scopes

Specify a comma-separated list of scopes. Defaults to those scopes advertised in the discovery document.

Redirect URI

Optional

MINIO_IDENTITY_OPENID_REDIRECT_URI
identity_openid redirect_uri

The MinIO Console defaults to using the hostname of the node making the authentication request. For MinIO deployments behind a load balancer or reverse proxy, specify this field to ensure the OIDC provider returns the authentication response to the correct MinIO Console URL. Include the Console hostname, port, and /oauth_callback:

http://minio.example.net:consoleport/oauth_callback

Ensure you start the MinIO Server with the --console-address option to set a static Console listen port. The default behavior with that option omitted is to select a random port number at startup.

The specified URI must match one of the approved redirect / callback URIs on the provider. See the OpenID Authentication Request for more information.

Dynamic URI Redirect

Optional

MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC
identity_openid redirect_uri_dynamic

The MinIO Console defaults to using the hostname of the node making the authentication request as part of the redirect URI provided to the OIDC provider. For MinIO deployments behind a load balancer using a round-robin protocol, this may result in the load balancer returning the response to a different MinIO Node than the originating client.

Specify this option as on to direct the MinIO Console to use the Host header of the originating request to construct the redirect URI passed to the OIDC provider. Defaults to off.

User Info

Optional

MINIO_IDENTITY_OPENID_CLAIM_USERINFO
identity_openid claim_userinfo

Specify the OpenID User info API endpoint for the OIDC service. For example, https://oidc-endpoint:port/realms/REALM/protocol/openid-connect/userinfo

Some OIDC providers do not provide group information as part of the JWT response after authentication. Specify this URL to direct MinIO to make an additional API call to construct the complete JWT token.

Vendor

Optional

MINIO_IDENTITY_OPENID_VENDOR
identity_openid vendor

Specify the OIDC Vendor to enable specific supported behaviors for that vendor.

Supports the following value:

  • keycloak

Keycloak Realm

Optional

This setting requires that the OpenID Vendor setting be defined as keycloak.

MINIO_IDENTITY_OPENID_KEYCLOAK_REALM
identity_openid keycloak_realm

Specify the Keycloak Realm to use as part of Keycloak Admin API Operations, such as main.

Keycloak Admin URL

Optional

This setting requires that the OpenID Vendor setting be defined as keycloak.

MINIO_IDENTITY_OPENID_KEYCLOAK_ADMIN_URL
identity_openid keycloak_admin_url

Specify the Keycloak Admin API URL. MinIO can use this URL if configured to periodically validate authenticated Keycloak users as active/existing. For example, https://keycloak-endpoint:port/admin/.

Comment

Optional

MINIO_IDENTITY_OPENID_COMMENT
identity_openid comment

Specify a comment to associate with the OIDC compatible provider configuration.