OpenID Identity Management Settings

This page documents settings for enabling external identity management using an OpenID Connect (OIDC)-compatible provider. See OpenID Connect Access Management for a tutorial on using these settings.

You can establish or modify settings by defining:

  • an environment variable on the host system prior to starting or restarting the MinIO Server. Refer to your operating system’s documentation for how to define an environment variable.

  • a configuration setting using mc admin config set.

  • a configuration setting using the MinIO Console’s Administrator > Settings pages.

If you define both an environment variable and the similar configuration setting, MinIO uses the environment variable value.

Some settings have only an environment variable or a configuration setting, but not both.


Each configuration setting controls fundamental MinIO behavior and functionality. MinIO strongly recommends testing configuration changes in a lower environment, such as DEV or QA, before applying to production.



Use mc admin config set to set or update the OpenID configuration. The config_url argument is required. Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set identity_openid                                               \
  config_url="" \


Config URL


identity_openid config_url

Specify the URL for the OIDC compatible provider discovery document.

The OIDC Discovery URL typically resembles the following:



This setting does not have an environment variable option. Use the Configuration Setting instead.

identity_openid enabled

Set to false to disable the OpenID configuration.

Applications cannot generate STS credentials or otherwise authenticate to MinIO using the configured provider if set to false.

Defaults to true or “enabled”.

Client ID


identity_openid client_id

Specify the unique public identifier MinIO uses when authenticating user credentials against the OIDC compatible provider.

Client Secret


identity_openid client_secret

Specify the client secret MinIO uses when authenticating user credentials against the OIDC compatible provider. This field may be optional depending on the provider.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

Role Policy


This setting is mutually exclusive with the Claim Name setting.

identity_openid role_policy

Specify a comma-separated list of policy names to use for the request’s RoleArn for all authentication requests for the provider. The specified policy or policies must already exist on the MinIO Server.

To use this OIDC configuration, you must specify the corresponding RoleArn in the STS request body.

Claim Name


This setting is mutually exclusive with the Role Policy setting.

identity_openid claim_name

Specify the name of the JWT Claim MinIO uses to identify the policies to attach to the authenticated user.

The claim can contain one or more comma-separated policy names to attach to the user. The claim must contain at least one policy for the user to have any permissions on the MinIO server.

Defaults to policy.

Claim Prefix


identity_openid claim_prefix

Specify the JWT Claim namespace prefix to apply to the specified claim name.

Display Name


identity_openid display_name

Specify the user-facing name the MinIO Console displays on the login screen.



identity_openid scopes

Specify a comma-separated list of scopes. Defaults to those scopes advertised in the discovery document.

Redirect URI


identity_openid redirect_uri


This parameter was removed in RELEASE.2023-02-27T18-10-45Z. Use the MINIO_BROWSER_REDIRECT_URL environment variable instead.

The MinIO Console defaults to using the hostname of the node making the authentication request. For MinIO deployments behind a load balancer or reverse proxy, specify this field to ensure the OIDC provider returns the authentication response to the correct MinIO Console URL. Include the Console hostname, port, and /oauth_callback:

Ensure you start the MinIO Server with the --console-address option to set a static Console listen port. The default behavior with that option omitted is to select a random port number at startup.

The specified URI must match one of the approved redirect / callback URIs on the provider. See the OpenID Authentication Request for more information.

Dynamic URI Redirect


identity_openid redirect_uri_dynamic

The MinIO Console defaults to using the hostname of the node making the authentication request as part of the redirect URI provided to the OIDC provider. For MinIO deployments behind a load balancer using a round-robin protocol, this may result in the load balancer returning the response to a different MinIO Node than the originating client.

Specify this option as on to direct the MinIO Console to use the Host header of the originating request to construct the redirect URI passed to the OIDC provider. Defaults to off.

User Info


identity_openid claim_userinfo

Allow MinIO to fetch claims from the UserInfo Endpoint for the authenticated user.

Valid values are on or off.



identity_openid vendor

Specify the OIDC Vendor to enable specific supported behaviors for that vendor.

Supports the following value:

  • keycloak

Keycloak Realm


This setting requires that the OpenID Vendor setting be defined as keycloak.

identity_openid keycloak_realm

Specify the Keycloak Realm to use as part of Keycloak Admin API Operations, such as main.

Keycloak Admin URL


This setting requires that the OpenID Vendor setting be defined as keycloak.

identity_openid keycloak_admin_url

Specify the Keycloak Admin API URL. MinIO can use this URL if configured to periodically validate authenticated Keycloak users as active/existing. For example, https://keycloak-endpoint:port/admin/.



identity_openid comment

Specify a comment to associate with the OIDC compatible provider configuration.