OpenID Identity Management Settings — MinIO Object Storage for Linux (original) (raw)
This page documents settings for enabling external identity management using an OpenID Connect (OIDC)-compatible provider. See OpenID Connect Access Management for a tutorial on using these settings.
If you define both an environment variable and the similar configuration setting, MinIO uses the environment variable value.
Some settings have only an environment variable or a configuration setting, but not both.
Settings
Config URL
Required
Environment Variable
MINIO_IDENTITY_OPENID_CONFIG_URL
Configuration Setting
Specify the URL for the OIDC compatible providerdiscovery document.
The OIDC Discovery URL typically resembles the following:
https://openid-provider.example.net/.well-known/openid-configuration
Enabled
Optional
Environment Variable
This setting does not have an environment variable option. Use the Configuration Setting instead.
Configuration Setting
Set to false to disable the OpenID configuration.
Applications cannot generate STS credentials or otherwise authenticate to MinIO using the configured provider if set to false.
Defaults to true or “enabled”.
Client ID
Optional
Environment Variable
MINIO_IDENTITY_OPENID_CLIENT_ID
Configuration Setting
Specify the unique public identifier MinIO uses when authenticating user credentials against the OIDC compatible provider.
Client Secret
Optional
Environment Variable
MINIO_IDENTITY_OPENID_CLIENT_SECRET
Configuration Setting
Specify the client secret MinIO uses when authenticating user credentials against the OIDC compatible provider. This field may be optional depending on the provider.
Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.
Role Policy
Optional
This setting is mutually exclusive with the Claim Name setting.
Environment Variable
MINIO_IDENTITY_OPENID_ROLE_POLICY
Configuration Setting
Specify a comma-separated list of policy names to use for the request’s RoleArn for all authentication requests for the provider. The specified policy or policies must already exist on the MinIO Server.
To use this OIDC configuration, you must specify the corresponding RoleArn in the STS request body.
Claim Name
Optional
This setting is mutually exclusive with the Role Policy setting.
Environment Variable
MINIO_IDENTITY_OPENID_CLAIM_NAME
Configuration Setting
Specify the name of theJWT ClaimMinIO uses to identify the policies to attach to the authenticated user.
The claim can contain one or more comma-separated policy names to attach to the user. The claim must contain at least one policy for the user to have any permissions on the MinIO server.
Defaults to policy.
Claim Prefix
Optional
This setting is deprecated and has been removed as of RELEASE.2024-07-13T01-46-15Z. Use MINIO_IDENTITY_OPENID_CLAIM_NAME instead.
Environment Variable
MINIO_IDENTITY_OPENID_CLAIM_PREFIX
Configuration Setting
Specify theJWT Claimnamespace prefix to apply to the specified claim name.
Display Name
Optional
Environment Variable
MINIO_IDENTITY_OPENID_DISPLAY_NAME
Configuration Setting
Specify the user-facing name the MinIO Console displays on the login screen.
Scopes
Optional
Environment Variable
Configuration Setting
Specify a comma-separated list ofscopes. Defaults to those scopes advertised in the discovery document.
Redirect URI
Optional
This setting is deprecated and has been removed as of RELEASE.2024-07-13T01-46-15Z. Use MINIO_BROWSER_REDIRECT_URL instead.
Environment Variable
MINIO_IDENTITY_OPENID_REDIRECT_URI
Configuration Setting
The MinIO Console defaults to using the hostname of the node making the authentication request. For MinIO deployments behind a load balancer or reverse proxy, specify this field to ensure the OIDC provider returns the authentication response to the correct MinIO Console URL. Include the Console hostname, port, and /oauth_callback:
http://minio.example.net:consoleport/oauth_callback
Ensure you start the MinIO Server with the --console-address option to set a static Console listen port. The default behavior with that option omitted is to select a random port number at startup.
The specified URI must match one of the approved redirect / callback URIs on the provider. See the OpenID Authentication Request for more information.
Dynamic URI Redirect
Optional
Environment Variable
MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC
Configuration Setting
identity_openid redirect_uri_dynamic
The MinIO Console defaults to using the hostname of the node making the authentication request as part of the redirect URI provided to the OIDC provider. For MinIO deployments behind a load balancer using a round-robin protocol, this may result in the load balancer returning the response to a different MinIO Node than the originating client.
Specify this option as on to direct the MinIO Console to use the Host header of the originating request to construct the redirect URI passed to the OIDC provider. Defaults to off.
User Info
Optional
Environment Variable
MINIO_IDENTITY_OPENID_CLAIM_USERINFO
Configuration Setting
identity_openid claim_userinfo
Allow MinIO to fetch claims from the UserInfo Endpoint for the authenticated user.
Valid values are on or off.
Vendor
Optional
Environment Variable
Configuration Setting
Specify the OIDC Vendor to enable specific supported behaviors for that vendor.
Supports the following value:
keycloak
Keycloak Realm
Optional
This setting requires that the OpenID Vendor setting be defined as keycloak.
Environment Variable
MINIO_IDENTITY_OPENID_KEYCLOAK_REALM
Configuration Setting
identity_openid keycloak_realm
Specify the Keycloak Realm to use as part of Keycloak Admin API Operations, such as main.
Keycloak Admin URL
Optional
This setting requires that the OpenID Vendor setting be defined as keycloak.
Environment Variable
MINIO_IDENTITY_OPENID_KEYCLOAK_ADMIN_URL
Configuration Setting
identity_openid keycloak_admin_url
Specify the Keycloak Admin API URL. MinIO can use this URL if configured to periodically validate authenticated Keycloak users as active/existing. For example, https://keycloak-endpoint:port/admin/.