DOCS-476: OIDC, Keycloak, Dex, and Policy Variables (#735)

2026-01-04 02:44:36 +03:00 · 2023-03-24 18:39:50 -04:00
parent 12177544ba
commit b32d6167db
21 changed files with 1922 additions and 121 deletions
--- a/source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst
+++ b/source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst
@@ -80,7 +80,6 @@ MinIO by default assigns no :ref:`policies <minio-policy>` to AD/LDAP users or g
 You must explicitly assign MinIO policies to a given user or group Distinguished Name (DN) to grant that user or group access to the MinIO deployment.

 The following example assumes an existing :ref:`alias <alias>` configured for the MinIO Tenant.
-See the :ref:`Deploy MinIO Tenant: Forward Ports <create-tenant-cli-forward-ports>` procedure for a basic example of granting network access to the MinIO tenant from your local host machine.

 Use the :mc-cmd:`mc admin policy set` command to assign a user or group DN to an existing MinIO Policy:

--- a/source/includes/k8s/steps-configure-keycloak-identity-management.rst
+++ b/source/includes/k8s/steps-configure-keycloak-identity-management.rst
@@ -0,0 +1,143 @@
+.. |KEYCLOAK_URL| replace:: keycloak-service.keycloak-namespace.svc.cluster-domain.example
+.. |MINIO_S3_URL| replace:: minio.minio-tenant.svc.cluster-domain.example
+.. |MINIO_CONSOLE_URL| replace:: minio-console.minio-tenant.svc.cluster-domain.example
+
+1) Configure or Create a Client for Accessing Keycloak
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Authenticate to the Keycloak :guilabel:`Administrative Console` and navigate to :guilabel:`Clients`.
+
+.. include:: /includes/common/common-configure-keycloak-identity-management.rst
+   :start-after: start-configure-keycloak-client
+   :end-before: end-configure-keycloak-client
+
+2) Create Client Scope for MinIO Client
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Client scopes allow Keycloak to map user attributes as part of the JSON Web Token (JWT) returned in authentication requests.
+This allows MinIO to reference those attributes when assigning policies to the user.
+This step creates the necessary client scope to support MinIO authorization after successful Keycloak authentication.
+
+.. include:: /includes/common/common-configure-keycloak-identity-management.rst
+   :start-after: start-configure-keycloak-client-scope
+   :end-before: end-configure-keycloak-client-scope
+
+3) Apply the Necessary Attribute to Keycloak Users/Groups
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You must assign an attribute named ``policy`` to the Keycloak Users or Groups. 
+Set the value to any :ref:`policy <minio-policy>` on the MinIO deployment.
+
+.. include:: /includes/common/common-configure-keycloak-identity-management.rst
+   :start-after: start-configure-keycloak-user-group-attributes
+   :end-before: end-configure-keycloak-user-group-attributes
+
+4) Configure MinIO for Keycloak Authentication
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+MinIO supports multiple methods for configuring Keycloak authentication:
+
+- Using the MinIO Operator Console
+- Using the MinIO Tenant Console
+- Using a terminal/shell and the :mc:`mc admin idp openid` command
+
+.. tab-set::
+
+   .. tab-item:: MinIO Operator Console
+
+      You can use the MinIO Operator Console to configure Keycloak as the External Identity Provider for the MinIO Tenant.
+      See :ref:`minio-operator-console-connect` for specific instructions.
+
+      Select :guilabel:`Identity Provider` from the left-hand navigation bar, then select :guilabel:`OpenID`.
+      Select :guilabel:`Create Configuration` to create a new configuration.
+
+      Enter the following information into the modal:
+
+      .. list-table::
+         :stub-columns: 1
+         :widths: 30 70
+         :width: 100%
+
+         * - :guilabel:`Name` 
+           - Enter a unique name for the Keycloak instance 
+         
+         * - :guilabel:`Config URL`
+           - Specify the address of the Keycloak OpenID configuration document (|KEYCLOAK_URL|)
+
+             Ensure the ``REALM`` matches the Keycloak realm you want to use for authenticating users to MinIO
+
+         * - :guilabel:`Client ID`
+           - Specify the name of the Keycloak client created in Step 1
+         
+         * - :guilabel:`Client Secret`
+           - Specify the secret credential value for the Keycloak client created in Step 1
+
+         * - :guilabel:`Display Name`
+           - Specify the user-facing name the MinIO Console should display as part of the Single-Sign On (SSO) workflow for the configured Keycloak service
+
+         * - :guilabel:`Scopes` 
+           - Specify the OpenID scopes to include in the JWT, such as ``preferred_username`` or ``email``
+         
+             You can reference these scopes using supported OpenID policy variables for the purpose of programmatic policy configurations
+
+         * - :guilabel:`Redirect URI Dynamic`
+           - Toggle to ``on``
+         
+             Substitutes the MinIO Console address used by the client as part of the Keycloak redirect URI.
+             Keycloak returns authenticated users to the Console using the provided URI.
+             
+             For MinIO Console deployments behind a reverse proxy, load balancer, or similar network control plane, you can instead use the :envvar:`MINIO_BROWSER_REDIRECT_URL` variable to set the redirect address for Keycloak to use.
+
+      Select :guilabel:`Save` to apply the configuration.
+
+   .. tab-item:: MinIO Tenant Console
+
+      You can use the MinIO Tenant Console to configure Keycloak as the External Identity Provider for the MinIO Tenant.
+
+      Access the Console service using the NodePort, Ingress, or Load Balancer endpoint.
+      You can use the following command to review the Console configuration:
+
+      .. code-block:: shell
+         :class: copyable
+
+         kubectl describe svc/TENANT_NAME-console -n TENANT_NAMESPACE
+
+      Replace ``TENANT_NAME`` and ``TENANT_NAMESPACE`` with the name of the MinIO Tenant and it's Namespace, respectively.
+
+      .. include:: /includes/common/common-configure-keycloak-identity-management.rst
+         :start-after: start-configure-keycloak-minio-console
+         :end-before: end-configure-keycloak-minio-console
+
+      Select :guilabel:`Save` to apply the configuration.
+
+   .. tab-item:: CLI
+
+      .. include:: /includes/common/common-configure-keycloak-identity-management.rst
+         :start-after: start-configure-keycloak-minio-cli
+         :end-before: end-configure-keycloak-minio-cli
+
+Restart the MinIO deployment for the changes to apply.
+
+Check the MinIO logs and verify that startup succeeded with no errors related to the OIDC configuration.
+
+If you attempt to log in with the Console, you should now see an (SSO) button using the configured :guilabel:`Display Name`.
+
+Specify a configured user and attempt to log in.
+MinIO should automatically redirect you to the Keycloak login entry.
+Upon successful authentication, Keycloak should redirect you back to the MinIO Console using either the originating Console URL *or* the :guilabel:`Redirect URI` if configured.
+
+5) Generate Application Credentials using the Security Token Service (STS)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+.. include:: /includes/common/common-configure-keycloak-identity-management.rst
+   :start-after: start-configure-keycloak-sts
+   :end-before: end-configure-keycloak-sts
+
+Next Steps
+~~~~~~~~~~
+
+Applications should implement the :ref:`STS AssumeRoleWithWebIdentity <minio-sts-assumerolewithwebidentity>` flow using their :ref:`SDK <minio-drivers>` of choice.
+When STS credentials expire, applications should have logic in place to regenerate the JWT token, STS token, and MinIO credentials before retrying and continuing operations.
+
+Alternatively, users can generate :ref:`access keys <minio-id-access-keys>` through the MinIO Console for the purpose of creating long-lived API-key like access using their Keycloak credentials.
--- a/source/includes/k8s/steps-configure-openid-external-identity-management.rst
+++ b/source/includes/k8s/steps-configure-openid-external-identity-management.rst
@@ -78,7 +78,6 @@ MinIO uses the specified user Claim to identify one or more policies to attach t
 If the Claim is empty or specifies policies which do not exist on the deployment, the authenticated user has no permissions on the Tenant.

 The following example assumes an existing :ref:`alias <alias>` configured for the MinIO Tenant.
-See the :ref:`Deploy MinIO Tenant: Forward Ports <create-tenant-cli-forward-ports>` procedure for a basic example of granting network access to the MinIO tenant from your local host machine.

 Consider the following example policy that grants general S3 API access on only the ``data`` bucket: