OpenID External Identity Management
Overview
MinIO supports using an OpenID Connect (OIDC) compatible IDentity Provider (IDP) such as Okta, KeyCloak, Dex, Google, or Facebook for external management of user identities. Configuring an external IDP enables Single-Sign On workflows, where applications authenticate against the external IDP before accessing MinIO.
MinIO by default denies access to all actions or resources not explicitly allowed by a user's assigned or inherited policies. Users managed by an OIDC provider must specify the necessary policies as part of the user profile data. See Access Control for OIDC Managed Identities for more information.
See minio-authenticate-using-openid-generic for instructions on enabling external identity management using an OIDC compatible service.
MinIO Supports At Most One Configured IDentity Provider
Configuring an external IDP disables the MinIO internal IDP and prevents the configuration of any other external IDP.
The external IDP must have at least one configured user identity with the required policy claims. If no such user exists, the MinIO server is effectively inaccessible outside of using the root user.
Authentication and Authorization Flow
The login flow for an application using OIDC credentials is as follows:
1. Authenticate to the configured OIDC provider and retrieve a JSON Web Token (JWT). MinIO only supports the OpenID Authorization Code Flow. Authentication using Implicit Flow is not supported.
2. Specify the JWT to the MinIO Security Token Service (STS) AssumeRoleWithWebIdentity API endpoint.
3. MinIO verifies the JWT against the configured OIDC provider.
4. If the JWT is valid, MinIO checks for a claim specifying a list of one or more policies to assign to the authenticated user. MinIO defaults to checking the policy claim.
5. MinIO returns temporary credentials in the STS API response in the form of an access key, secret key, and session token. The credentials have permissions matching those policies specified in the JWT claim.
6. Applications use the temporary credentials returned by the STS endpoint to perform authenticated S3 operations on MinIO.
MinIO provides an example Go application web-identity.go <minio/blob/master/docs/sts/web-identity.go> that handles the full login flow.
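The following added example (written for this page, not MinIO's own web-identity.go) shows the client side of steps 2 and 5 of the flow above: building the form body for the AssumeRoleWithWebIdentity call and pulling the temporary credentials out of the STS response. The MinIO endpoint, the JWT value and the sample XML response are constructed placeholders; the response layout follows the AWS STS schema that MinIO's STS API mirrors, and the parser matches element names regardless of namespace so it does not depend on that assumption.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

STS_VERSION = "2011-06-15"  # API version string expected by AssumeRoleWithWebIdentity


def build_sts_request(minio_endpoint, web_identity_token, duration_seconds=3600):
    """Return (url, form_body) for a POST to MinIO's STS endpoint.

    The STS endpoint is the MinIO server root; the Action field selects the call
    and WebIdentityToken carries the JWT obtained from the OIDC provider.
    """
    url = minio_endpoint.rstrip("/") + "/"
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "Version": STS_VERSION,
        "WebIdentityToken": web_identity_token,
        "DurationSeconds": str(duration_seconds),
    }
    return url, urlencode(params)


def send_sts_request(url, form_body, timeout=10):
    """Perform the POST and return the raw XML body (network call; not run by the test)."""
    req = urllib.request.Request(
        url,
        data=form_body.encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def _local(tag):
    """Strip an XML namespace prefix such as '{https://...}Credentials'."""
    return tag.rsplit("}", 1)[-1]


def parse_sts_credentials(xml_text):
    """Extract the temporary access key, secret key, session token and expiry.

    Raises ValueError if any of the four fields is absent, so a caller never
    proceeds with half a credential set.
    """
    root = ET.fromstring(xml_text)
    creds = next((el for el in root.iter() if _local(el.tag) == "Credentials"), None)
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    wanted = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
    found = {_local(el.tag): (el.text or "").strip() for el in creds}
    missing = [name for name in wanted if not found.get(name)]
    if missing:
        raise ValueError("STS response missing " + ", ".join(missing))
    return {name: found[name] for name in wanted}


# Constructed sample response (placeholder values, not a real credential set).
SAMPLE_STS_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId>
      <SecretAccessKey>EXAMPLESECRETKEY</SecretAccessKey>
      <SessionToken>EXAMPLE.SESSION.TOKEN</SessionToken>
      <Expiration>2024-01-01T01:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>
"""

if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    url, body = build_sts_request("https://minio.example.invalid", "JWT_FROM_IDP", 900)
    print(url, body)
    print(parse_sts_credentials(SAMPLE_STS_RESPONSE))
```

To run the real exchange, pass the JWT returned by the provider's Authorization Code Flow to build_sts_request, feed the result to send_sts_request, and hand the parsed credentials to an S3 client as access key, secret key and session token; they expire at the returned Expiration time.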
OIDC users can alternatively create service accounts associated to their AD/LDAP user. Service accounts are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account. To create a new service account, log into the MinIO Console using the OIDC-managed user credentials. From the Identity section of the left navigation, select Service Accounts followed by the Create service account + button.
Access Control for Externally Managed Identities
MinIO uses Policy Based Access Control (PBAC) to define the actions and resources to which an authenticated user has access. MinIO supports creating and managing policies which an externally managed user can claim.
For identities managed by the external OIDC compatible provider, MinIO uses a JSON Web Token claim to identify the policy to assign to the authenticated user.
MinIO by default looks for a policy claim and reads a list of one or more policies to assign. MinIO attempts to match existing policies to those specified in the JWT claim. If none of the specified policies exist on the MinIO deployment, MinIO denies authorization for any and all operations issued by that user. For example, consider a claim with the following key-value assignment:
policy="readwrite_data,read_analytics,read_logs"
The specified policy claim directs MinIO to attach the policies with names matching readwrite_data, read_analytics, and read_logs to the authenticated user.
You can set a custom policy claim using the MINIO_IDENTITY_OPENID_CLAIM_NAME environment variable or by using mc admin config set to set the identity_openid claim_name setting.
You can use a JWT debugging tool to decode the returned JWT and validate that the user attributes include the required claims. See RFC 7519: JWT Claim for more information on JWT claims. Defer to the documentation for your preferred OIDC provider for instructions on configuring user claims.
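As an added example (not MinIO's code), the script below does what a JWT debugging tool does for the check described above: it decodes the token's payload, reads the configured claim name (defaulting to policy, matching MINIO_IDENTITY_OPENID_CLAIM_NAME), and reproduces the matching rule from this page, attaching only policies that exist and denying everything when none match. The decoder deliberately does not verify the signature; that step is MinIO's, performed against the provider. The demo token is constructed locally with an HMAC secret so the example runs offline; a real provider would issue its own key-signed token. Accepting the claim as either a comma-separated string (as on this page) or a JSON array is an assumption added for providers that emit arrays.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_jwt(payload: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT for local testing (stands in for the IDP's token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (debugging only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def resolve_policies(claims: dict, existing_policies, claim_name: str = "policy") -> list:
    """Apply the matching rule from the docs: attach the claimed policies that exist
    on the deployment; an empty result means MinIO denies every operation."""
    raw = claims.get(claim_name)
    if raw is None:
        return []
    # Assumption: a JSON array is accepted as well as the comma-separated form.
    names = raw if isinstance(raw, list) else str(raw).split(",")
    names = [n.strip() for n in names if n and n.strip()]
    return [n for n in names if n in existing_policies]


def check_token(token: str, existing_policies, claim_name: str = "policy") -> dict:
    """Summarise what MinIO would do with this token's claims."""
    claims = decode_jwt_claims(token)
    attached = resolve_policies(claims, existing_policies, claim_name)
    return {
        "subject": claims.get("sub"),
        "claim_present": claim_name in claims,
        "attached": attached,
        "denied": not attached,
    }


if __name__ == "__main__":
    # Constructed demo: the claim from the docs, issued for user "alice".
    token = make_demo_jwt(
        {"sub": "alice", "policy": "readwrite_data,read_analytics,read_logs"},
        b"constructed-demo-secret",
    )
    # read_analytics is deliberately absent from this deployment's policy set.
    deployment_policies = {"readwrite_data", "read_logs", "readonly"}
    print(check_token(token, deployment_policies))
```

Run it against a token copied from your provider to confirm the claim name and policy names line up with what exists on the deployment; a "denied": True result is the same outcome the user would see at the STS endpoint.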
MinIO provides built-in policies for basic access control. You can create new policies using the mc admin policy command, or by using the MinIO Console.
MinIO does not support using MinIO groups with OIDC. Instead, an OIDC administrator can use the configured OIDC claim to list multiple, comma-separated MinIO policies to assign to the user. The OIDC administrator can create a type of "group" assignment managed entirely within OIDC. For example, 'policy[,policy]'.