OpenID Settings
This page documents settings for enabling external identity management using an OpenID Connect (OIDC)-compatible provider. See OpenID Connect Access Management for a tutorial on using these settings.
You can establish or modify settings by defining:
- an environment variable on the host system prior to starting or restarting the AIStor Server. Refer to your operating system’s documentation for how to define an environment variable.
- a configuration setting using `mc admin config set`.
If you define both an environment variable and the corresponding configuration setting, AIStor uses the environment variable value.
Some settings have only an environment variable or a configuration setting, but not both.
Settings
Config URL
Required
Specify the URL of the provider's OpenID Connect discovery document. The discovery URL typically resembles the following:
`https://openid-provider.example.net/.well-known/openid-configuration`
Use an https URL. The discovery document tells AIStor which endpoints to call and where to fetch the provider's token-signing keys (the jwks_uri), so a document retrieved without TLS could be replaced by an on-path attacker.
Enabled
Optional
Set to `false` to disable the OpenID configuration.
Applications cannot generate STS credentials or otherwise authenticate to AIStor using the configured provider if set to `false`.
Defaults to `true` (enabled).
Client ID
Optional
Specify the unique public identifier AIStor uses when authenticating user credentials against the compatible provider.
Client Secret
Optional
Specify the client secret AIStor uses when authenticating user credentials against the compatible provider. Whether a secret is required depends on the provider.
AIStor redacts this value when returned as part of `mc admin config get`. Treat it as a credential: a value supplied as an environment variable is readable by anyone who can inspect the server process's environment.
Role Policy
Optional
Specify a comma-separated list of policy names to attach to every authentication request that presents this provider's RoleArn.
The specified policy or policies must already exist on the AIStor Server.
To use this OIDC configuration, you must specify the corresponding RoleArn in the STS request body.
Claim Name
Optional
Specify the name of the JWT Claim AIStor uses to identify the policies to attach to the authenticated user.
The claim can contain one or more comma-separated policy names to attach to the user.
The claim must contain at least one policy for the user to have any permissions on the AIStor server.
Defaults to `policy`.
Claim Prefix
Optional
Specify the JWT Claim namespace prefix to apply to the specified claim name.
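The following is an added example, not AIStor or MinIO code, that models how the Role Policy, Claim Name and Claim Prefix settings above decide which policies an OpenID login receives. It assumes (as labelled in the code) that the claim consulted is the claim prefix concatenated with the claim name, that a configured Role Policy takes precedence over the claim and requires the matching RoleArn, and that policy names absent from the server are reported rather than attached; the token payloads, policy names and RoleArn value are constructed for the example.

```python
"""Which AIStor policies does an OpenID login get?

Added example (not AIStor or MinIO code) modelling the Role Policy, Claim Name
and Claim Prefix settings. Assumptions: the claim consulted is
claim_prefix + claim_name; a configured Role Policy takes precedence over the
claim and requires the matching RoleArn; policy names that do not exist on the
server are reported separately rather than attached. All tokens, policy names
and the RoleArn below are constructed.
"""
from dataclasses import dataclass


@dataclass
class OpenIDPolicyConfig:
    claim_name: str = "policy"   # page default
    claim_prefix: str = ""       # e.g. "https://example.com/"
    role_policy: str = ""        # comma-separated; empty means claim-based mode
    role_arn: str = ""           # RoleArn assigned to this provider (hypothetical value)


# Policies that exist on the hypothetical AIStor server.
SERVER_POLICIES = frozenset({"readonly", "readwrite", "diagnostics"})


def split_policy_list(value):
    """Parse the comma-separated policy list the page describes.

    Blanks and duplicates are dropped. A JSON array is tolerated as well
    (assumption, not stated on the page); anything else yields no policies.
    """
    if isinstance(value, list):
        value = ",".join(str(v) for v in value)
    if not isinstance(value, str):
        return []
    out = []
    for name in (p.strip() for p in value.split(",")):
        if name and name not in out:
            out.append(name)
    return out


def policy_claim_key(cfg):
    """Claim looked up in the token: prefix + name (assumed plain concatenation)."""
    return cfg.claim_prefix + cfg.claim_name


def resolve_policies(cfg, claims, request_role_arn=None, server_policies=SERVER_POLICIES):
    """Return (attached, rejected).

    attached: policy names that exist on the server and would be attached.
    rejected: names requested by the token or config that do not exist.
    Raises ValueError when a Role Policy is configured but the STS request
    does not carry the provider's RoleArn (the page says it is required).
    """
    if cfg.role_policy:
        if request_role_arn != cfg.role_arn:
            raise ValueError("RoleArn missing or does not match this provider")
        requested = split_policy_list(cfg.role_policy)
    else:
        requested = split_policy_list(claims.get(policy_claim_key(cfg)))
    attached = [p for p in requested if p in server_policies]
    rejected = [p for p in requested if p not in server_policies]
    return attached, rejected


if __name__ == "__main__":
    # Constructed, already-decoded ID-token payloads (signature checks are out of scope here).
    namespaced = {"sub": "alice", "https://example.com/policy": "readonly, diagnostics, nosuchpolicy"}
    plain = {"sub": "bob", "policy": "readwrite"}
    claim_cfg = OpenIDPolicyConfig(claim_prefix="https://example.com/")
    print(resolve_policies(claim_cfg, namespaced))   # (['readonly', 'diagnostics'], ['nosuchpolicy'])
    print(resolve_policies(claim_cfg, plain))        # ([], []): unprefixed claim is ignored, no permissions
    role_cfg = OpenIDPolicyConfig(role_policy="readonly", role_arn="arn:minio:iam:::role/EXAMPLE")
    print(resolve_policies(role_cfg, plain, request_role_arn="arn:minio:iam:::role/EXAMPLE"))
```

The second call shows the failure mode worth remembering when you set a Claim Prefix: a token that carries the policy claim under the bare name no longer matches, so the user authenticates but holds no permissions.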
Display Name
Optional
Specify the user-facing name the AIStor Console displays on the login screen.
Scopes
Optional
Specify a comma-separated list of scopes. Defaults to those scopes advertised in the discovery document.
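The following is an added example, not AIStor or MinIO code, that checks a discovery document against what the Config URL, Scopes and User Info settings above depend on: that the URL is https and follows the .well-known convention, that the document's issuer corresponds to the URL (OpenID Connect Discovery defines the document location as issuer + `/.well-known/openid-configuration`), that the endpoints an authorization-code login needs are present and served over https, and that every scope you intend to request is advertised. The discovery document is constructed and embedded so the check runs offline; against a real provider you would fetch it over TLS and pass the body in.

```python
"""Sanity-check an OpenID discovery document before pointing AIStor at it.

Added example, not AIStor or MinIO code. The config URL and discovery
document below are constructed sample data, embedded so the check runs
offline.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Fields an authorization-code login relies on (issuer, redirect target, token exchange, signing keys).
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

SAMPLE_CONFIG_URL = "https://openid-provider.example.net/.well-known/openid-configuration"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://openid-provider.example.net",
    "authorization_endpoint": "https://openid-provider.example.net/oauth2/authorize",
    "token_endpoint": "https://openid-provider.example.net/oauth2/token",
    "jwks_uri": "https://openid-provider.example.net/oauth2/jwks",
    "userinfo_endpoint": "https://openid-provider.example.net/oauth2/userinfo",
    "scopes_supported": ["openid", "profile", "email"],
})


def parse_scopes(setting):
    """Split the comma-separated Scopes setting into a list."""
    return [s.strip() for s in setting.split(",") if s.strip()]


def check_discovery(config_url, document, requested_scopes=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    parts = urlsplit(config_url)
    if parts.scheme != "https":
        findings.append("config URL is not https; the document locates the provider's signing keys")
    if not parts.path.endswith(WELL_KNOWN):
        findings.append("config URL does not end in " + WELL_KNOWN)
    try:
        doc = json.loads(document)
    except ValueError as exc:
        return findings + ["discovery document is not valid JSON: %s" % exc]
    if not isinstance(doc, dict):
        return findings + ["discovery document is not a JSON object"]
    for field in REQUIRED_FIELDS:
        if field not in doc:
            findings.append("missing required field: " + field)
    issuer = doc.get("issuer")
    if issuer and issuer.rstrip("/") + WELL_KNOWN != config_url:
        findings.append("issuer %r does not correspond to the config URL" % issuer)
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        url = doc.get(key)
        if url and urlsplit(url).scheme != "https":
            findings.append("%s is not https: %s" % (key, url))
    if "userinfo_endpoint" not in doc:
        findings.append("no userinfo_endpoint: the User Info setting would have nothing to query")
    advertised = set(doc.get("scopes_supported", []))
    for scope in (requested_scopes or []):
        if advertised and scope not in advertised:
            findings.append("requested scope %r not advertised in scopes_supported" % scope)
    if requested_scopes is not None and "openid" not in requested_scopes:
        findings.append("the openid scope is required to obtain an ID token")
    return findings


if __name__ == "__main__":
    print(check_discovery(SAMPLE_CONFIG_URL, SAMPLE_DISCOVERY, parse_scopes("openid,profile,email")))  # []
    print(check_discovery(SAMPLE_CONFIG_URL, SAMPLE_DISCOVERY, parse_scopes("profile,groups")))
```

If you override the default scope list, keep `openid` in it; without that scope the provider returns no ID token and there is nothing for AIStor to read the policy claim from.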
Dynamic URI Redirect
Optional
The AIStor Console defaults to using the hostname of the node that handles the authentication request as part of the redirect URI provided to the OIDC provider. For AIStor deployments behind a round-robin load balancer, the provider may then redirect the client back to a different AIStor node than the one that started the login.
Specify this option as `on` to direct the AIStor Console to construct the redirect URI from the `Host` header of the originating request instead.
Because the `Host` header is client-controlled, register only the intended redirect URIs with the provider; the provider's redirect URI allowlist is what stops a spoofed `Host` header from sending the authorization response elsewhere.
Defaults to `off`.
User Info
Optional
Allow AIStor to fetch claims from the provider's UserInfo endpoint for the authenticated user.
Valid values are `on` or `off`.
Vendor
Optional
Specify the OIDC Vendor to enable specific supported behaviors for that vendor.
Supports the following value: `keycloak`.
Keycloak Realm
Optional
Specify the Keycloak Realm to use as part of Keycloak Admin API operations, such as `main`.
Keycloak Admin URL
Optional
Specify the Keycloak Admin API URL.
If configured, AIStor can use this URL to periodically validate that authenticated Keycloak users still exist and are active.
For example, `https://keycloak-endpoint:port/admin/`.
Comment
Optional
Specify a comment to associate with the compatible provider configuration.