Erasure Code Calculator
Reference Hardware
OpenID Identity Management Settings
This page documents settings for enabling external identity management using an OpenID Connect (OIDC)-compatible provider. See OpenID Connect Access Management for a tutorial on using these settings.
You can establish or modify settings by defining:
an environment variable on the host system prior to starting or restarting the MinIO Server. Refer to your operating system’s documentation for how to define an environment variable.
a configuration setting using
mc admin config set.a configuration setting using the MinIO Console’s Administrator > Settings pages.
If you define both an environment variable and the similar configuration setting, MinIO uses the environment variable value.
Some settings have only an environment variable or a configuration setting, but not both.
Important
Each configuration setting controls fundamental MinIO behavior and functionality. MinIO strongly recommends testing configuration changes in a lower environment, such as DEV or QA, before applying to production.
Examples
MINIO_IDENTITY_OPENID_CONFIG_URL="https://openid-provider.example.net/.well-known/openid-configuration"
Use mc admin config set to set or update the OpenID configuration.
The config_url argument is required.
Specify additional optional arguments as a whitespace (" ")-delimited list.
mc admin config set identity_openid \
config_url="https://openid-provider.example.net/.well-known/openid-configuration" \
[ARGUMENT="VALUE"] ...
Settings
Config URL
Required
Specify the URL for the OIDC compatible provider discovery document.
The OIDC Discovery URL typically resembles the following:
https://openid-provider.example.net/.well-known/openid-configuration
Enabled
Optional
This setting does not have an environment variable option. Use the Configuration Setting instead.
Set to false to disable the OpenID configuration.
Applications cannot generate STS credentials or otherwise authenticate to MinIO using the configured provider if set to false.
Defaults to true or “enabled”.
Client ID
Optional
Specify the unique public identifier MinIO uses when authenticating user credentials against the OIDC compatible provider.
Client Secret
Optional
Specify the client secret MinIO uses when authenticating user credentials against the OIDC compatible provider. This field may be optional depending on the provider.
Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.
Role Policy
Optional
This setting is mutually exclusive with the Claim Name setting.
Specify a comma-separated list of policy names to use for the request’s RoleArn for all authentication requests for the provider.
The specified policy or policies must already exist on the MinIO Server.
To use this OIDC configuration, you must specify the corresponding RoleArn in the STS request body.
Claim Name
Optional
This setting is mutually exclusive with the Role Policy setting.
Specify the name of the JWT Claim MinIO uses to identify the policies to attach to the authenticated user.
The claim can contain one or more comma-separated policy names to attach to the user. The claim must contain at least one policy for the user to have any permissions on the MinIO server.
Defaults to policy.
Claim Prefix
Optional
Specify the JWT Claim namespace prefix to apply to the specified claim name.
Display Name
Optional
Specify the user-facing name the MinIO Console displays on the login screen.
Scopes
Optional
Specify a comma-separated list of scopes. Defaults to those scopes advertised in the discovery document.
Redirect URI
Optional
Important
This parameter was removed in https://github.com/minio/minio/releases/tag/RELEASE.2023-02-27T18-10-45Z.
Use the MINIO_BROWSER_REDIRECT_URL environment variable instead.
The MinIO Console defaults to using the hostname of the node making the authentication request.
For MinIO deployments behind a load balancer or reverse proxy, specify this field to ensure the OIDC provider returns the authentication response to the correct MinIO Console URL.
Include the Console hostname, port, and /oauth_callback:
http://minio.example.net:consoleport/oauth_callback
Ensure you start the MinIO Server with the --console-address option to set a static Console listen port.
The default behavior with that option omitted is to select a random port number at startup.
The specified URI must match one of the approved redirect / callback URIs on the provider. See the OpenID Authentication Request for more information.
Dynamic URI Redirect
Optional
The MinIO Console defaults to using the hostname of the node making the authentication request as part of the redirect URI provided to the OIDC provider. For MinIO deployments behind a load balancer using a round-robin protocol, this may result in the load balancer returning the response to a different MinIO Node than the originating client.
Specify this option as on to direct the MinIO Console to use the Host header of the originating request to construct the redirect URI passed to the OIDC provider.
Defaults to off.
User Info
Optional
Allow MinIO to fetch claims from the UserInfo Endpoint for the authenticated user.
Valid values are on or off.
Vendor
Optional
Specify the OIDC Vendor to enable specific supported behaviors for that vendor.
Supports the following value:
keycloak
Keycloak Realm
Optional
This setting requires that the OpenID Vendor setting be defined as keycloak.
Specify the Keycloak Realm to use as part of Keycloak Admin API Operations, such as main.
Keycloak Admin URL
Optional
This setting requires that the OpenID Vendor setting be defined as keycloak.
Specify the Keycloak Admin API URL.
MinIO can use this URL if configured to periodically validate authenticated Keycloak users as active/existing.
For example, https://keycloak-endpoint:port/admin/.
Comment
Optional
Specify a comment to associate with the OIDC compatible provider configuration.
