1. Set the OpenID Configuration Settings

   You can configure the :abbr:`OIDC (OpenID Connect)` provider using either environment variables *or* server runtime configuration settings.
   Both methods require starting or restarting the MinIO deployment to apply the changes.

   The following tabs provide a quick reference of all required and optional environment variables and configuration settings, respectively:

   .. tab-set::

      .. tab-item:: Environment Variables

         MinIO supports specifying the :abbr:`OIDC (OpenID Connect)` provider settings using :ref:`environment variables `.
         The :mc:`minio server` process applies the specified settings on its next startup.
         For distributed deployments, specify these settings across all nodes in the deployment using the *same* values consistently.

         The following example code sets *all* environment variables related to configuring an :abbr:`OIDC (OpenID Connect)` provider for external identity management.
         The minimum *required* variable is :envvar:`MINIO_IDENTITY_OPENID_CONFIG_URL`:

         .. code-block:: shell
            :class: copyable

            export MINIO_IDENTITY_OPENID_CONFIG_URL="https://openid-provider.example.net/.well-known/openid-configuration"
            export MINIO_IDENTITY_OPENID_CLIENT_ID=""
            export MINIO_IDENTITY_OPENID_CLIENT_SECRET=""
            export MINIO_IDENTITY_OPENID_CLAIM_NAME=""
            export MINIO_IDENTITY_OPENID_CLAIM_PREFIX=""
            export MINIO_IDENTITY_OPENID_SCOPES=""
            export MINIO_IDENTITY_OPENID_REDIRECT_URI=""
            export MINIO_IDENTITY_OPENID_COMMENT=""

         Replace the ``MINIO_IDENTITY_OPENID_CONFIG_URL`` with the URL endpoint of the :abbr:`OIDC (OpenID Connect)` provider discovery document.
         MinIO fetches this document at startup to discover the provider's endpoints and signing keys, so every node must be able to reach it over HTTPS.
         Treat ``MINIO_IDENTITY_OPENID_CLIENT_SECRET`` as a credential: supply it from a secrets store or a file with restricted permissions rather than committing it to a startup script.

         For complete documentation on these variables, see :ref:`minio-server-envvar-external-identity-management-openid`.

      .. tab-item:: Configuration Settings

         MinIO supports specifying the :abbr:`OIDC (OpenID Connect)` provider settings using :mc-conf:`configuration settings `.
         The :mc:`minio server` process applies the specified settings on its next startup.
         For distributed deployments, the :mc:`mc admin config` command applies the configuration to all nodes in the deployment.

         The following example code sets *all* configuration settings related to configuring an :abbr:`OIDC (OpenID Connect)` provider for external identity management.
         The minimum *required* setting is :mc-conf:`identity_openid config_url `:

         .. code-block:: shell
            :class: copyable

            mc admin config set ALIAS/ identity_openid \
               config_url="https://openid-provider.example.net/.well-known/openid-configuration" \
               client_id="" \
               client_secret="" \
               claim_name="" \
               claim_prefix="" \
               scopes="" \
               redirect_uri=""

         Replace the ``config_url`` with the URL endpoint of the :abbr:`OIDC (OpenID Connect)` provider discovery document.
         Replace ``ALIAS`` with the :ref:`alias ` of the deployment.

         For more complete documentation on these settings, see :mc-conf:`identity_openid`.

#. Restart the MinIO Deployment

   You must restart the MinIO deployment to apply the configuration changes.
   Use the :mc-cmd:`mc admin service restart` command to restart the deployment.

   .. code-block:: shell
      :class: copyable

      mc admin service restart ALIAS

   Replace ``ALIAS`` with the :ref:`alias ` of the deployment to restart.

#. Generate S3-Compatible Temporary Credentials using OIDC Credentials

   MinIO requires that clients authenticate using the :s3-api:`AWS Signature Version 4 protocol `, with legacy support for the deprecated Signature Version 2 protocol.
   Specifically, clients must present a valid access key and secret key to access any S3 or MinIO administrative API, such as ``PUT``, ``GET``, and ``DELETE`` operations.

   Applications can generate temporary access credentials as needed using the :ref:`minio-sts-assumerolewithwebidentity` Security Token Service (STS) API endpoint and the JSON Web Token (JWT) returned by the :abbr:`OIDC (OpenID Connect)` provider.

   The application must provide a workflow for logging into the :abbr:`OIDC (OpenID Connect)` provider and retrieving the JSON Web Token (JWT) associated with the authentication session.
   Defer to the provider documentation for obtaining and parsing the JWT after successful authentication.
   MinIO provides an example Go application :minio-git:`web-identity.go ` that demonstrates this workflow.

   Once the application retrieves the JWT, use the ``AssumeRoleWithWebIdentity`` endpoint to generate the temporary credentials:

   .. code-block:: shell
      :class: copyable

      POST https://minio.example.net?Action=AssumeRoleWithWebIdentity
      &WebIdentityToken=TOKEN
      &Version=2011-06-15
      &DurationSeconds=86400
      &Policy=Policy

   - Replace the ``TOKEN`` with the JWT returned in the previous step.
     MinIO validates the token's signature against the keys published by the provider and reads the claim named by ``claim_name`` (``policy`` by default) to select the MinIO policy to attach; the claim value must name a policy that already exists on the deployment, or the request is rejected.

   - Replace the ``DurationSeconds`` with the duration in seconds until the temporary credentials expire.
     The example above specifies a period of ``86400`` seconds, or 24 hours.
     Choose the shortest lifetime the application can tolerate; a leaked session token remains usable until it expires.

   - Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy ` that further restricts the permissions associated with the temporary credentials.
     The effective permissions are the intersection of this inline policy and the policy selected by the claim; an inline policy can narrow, but never widen, what the claim policy grants.
     Omit the parameter to use the policy associated with the OpenID user :ref:`policy claim `.

   The API response consists of an XML document containing the access key, secret key, session token, and expiration date.
   Applications use the access key and secret key, together with the session token, to sign requests to MinIO until the credentials expire.
   See the :ref:`minio-sts-assumerolewithwebidentity` for reference documentation.
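The following is an added example of the ``AssumeRoleWithWebIdentity`` exchange above, written for this page rather than taken from the MinIO documentation or the ``web-identity.go`` sample. It builds the STS request, sends it, and parses the XML reply into credentials, rejecting a reply that is missing a field or is already expired. It assumes the endpoint ``https://minio.example.net`` from the page, a placeholder JWT, and a constructed XML reply (``SampleResponse``) whose key values are not real credentials. Unlike the query-string form shown above, it sends the parameters in a form-encoded POST body, as the MinIO Go SDK does, so the JWT and inline policy do not land in proxy or access logs.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strconv"
	"time"
)

// Credentials holds the fields MinIO returns under AssumeRoleWithWebIdentityResult/Credentials.
type Credentials struct {
	AccessKeyId     string    `xml:"AccessKeyId"`
	SecretAccessKey string    `xml:"SecretAccessKey"`
	SessionToken    string    `xml:"SessionToken"`
	Expiration      time.Time `xml:"Expiration"` // RFC 3339 timestamp
}

// assumeRoleResponse mirrors the STS envelope; the tag omits the xmlns so
// encoding/xml matches the root element regardless of namespace.
type assumeRoleResponse struct {
	XMLName xml.Name `xml:"AssumeRoleWithWebIdentityResponse"`
	Result  struct {
		Credentials Credentials `xml:"Credentials"`
	} `xml:"AssumeRoleWithWebIdentityResult"`
}

// NewAssumeRoleRequest builds the STS call with the parameters in a form-encoded
// body. An empty policy omits the Policy parameter so MinIO uses the claim policy.
func NewAssumeRoleRequest(endpoint, jwt string, duration time.Duration, policy string) (*http.Request, error) {
	form := url.Values{}
	form.Set("Action", "AssumeRoleWithWebIdentity")
	form.Set("Version", "2011-06-15")
	form.Set("WebIdentityToken", jwt)
	form.Set("DurationSeconds", strconv.Itoa(int(duration.Seconds())))
	if policy != "" {
		form.Set("Policy", policy) // Encode() applies the URL-encoding the API expects
	}
	req, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewBufferString(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// ParseAssumeRoleResponse decodes the XML body and rejects replies that lack a
// credential field or are already expired relative to now.
func ParseAssumeRoleResponse(body []byte, now time.Time) (Credentials, error) {
	var resp assumeRoleResponse
	if err := xml.Unmarshal(body, &resp); err != nil {
		return Credentials{}, fmt.Errorf("decode STS response: %w", err)
	}
	c := resp.Result.Credentials
	if c.AccessKeyId == "" || c.SecretAccessKey == "" || c.SessionToken == "" {
		return Credentials{}, fmt.Errorf("STS response is missing credential fields")
	}
	if !c.Expiration.After(now) {
		return Credentials{}, fmt.Errorf("credentials expired at %s", c.Expiration.Format(time.RFC3339))
	}
	return c, nil
}

// Exchange performs the round trip. A non-200 reply carries an XML error document
// (for example an unknown policy claim); its body is surfaced in the error.
func Exchange(client *http.Client, endpoint, jwt string, duration time.Duration, policy string) (Credentials, error) {
	req, err := NewAssumeRoleRequest(endpoint, jwt, duration, policy)
	if err != nil {
		return Credentials{}, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return Credentials{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return Credentials{}, err
	}
	if resp.StatusCode != http.StatusOK {
		return Credentials{}, fmt.Errorf("STS returned HTTP %d: %s", resp.StatusCode, bytes.TrimSpace(body))
	}
	return ParseAssumeRoleResponse(body, time.Now())
}

// SampleResponse is a constructed reply in the shape MinIO returns; placeholder values only.
const SampleResponse = `<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId>
      <SecretAccessKey>EXAMPLESECRETKEY</SecretAccessKey>
      <SessionToken>EXAMPLE.SESSION.TOKEN</SessionToken>
      <Expiration>2030-01-01T00:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>`

func main() {
	// Offline demonstration against the constructed reply; a real caller passes the
	// provider's JWT and https://minio.example.net to Exchange.
	c, err := ParseAssumeRoleResponse([]byte(SampleResponse), time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("access key %s expires %s\n", c.AccessKeyId, c.Expiration.Format(time.RFC3339))
}
```

Sign subsequent S3 requests with the returned access key and secret key and send the session token as ``X-Amz-Security-Token``; the expiry check in ``ParseAssumeRoleResponse`` is what a client should repeat before each use so it refreshes rather than retrying with dead credentials.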