OpenID Connect Access Management

MinIO supports using an OpenID Connect (OIDC) compatible IDentity Provider (IDP) such as Okta, KeyCloak, Dex, Google, or Facebook for external management of user identities.

For identities managed by the external OpenID Connect (OIDC) compatible provider, MinIO uses the JSON Web Token claim returned as part of the OIDC authentication flow to identify the policies to assign to the authenticated user.

MinIO by default denies access to all actions or resources not explicitly allowed by a user’s assigned or inherited policies. Users managed by an OIDC provider must specify the necessary policies as part of the JWT claim. If the user JWT claim has no matching MinIO policies, that user has no permissions to access any action or resource on the MinIO deployment.

The specific claim which MinIO looks for is configured as part of deploying the cluster with OIDC identity management. This page focuses on creating MinIO policies to match the configured OIDC claims.

Authentication and Authorization Flow

The login flow for an application using OIDC credentials is as follows:

  1. Authenticate to the configured OIDC provider and retrieve a JSON Web Token (JWT).

    MinIO only supports the OpenID Authorization Code Flow. Authentication using Implicit Flow is not supported.

  2. Specify the JWT to the MinIO Security Token Service (STS) AssumeRoleWithWebIdentity API endpoint.

    MinIO verifies the JWT against the configured OIDC provider.

    If the JWT is valid, MinIO checks for a claim specifying a list of one or more policies to assign to the authenticated user. MinIO defaults to checking the policy claim.

  3. MinIO returns temporary credentials in the STS API response in the form of an access key, secret key, and session token. The credentials have permissions matching those policies specified in the JWT claim.

  4. Applications use the temporary credentials returned by the STS endpoint to perform authenticated S3 operations on MinIO.

MinIO provides an example Go application web-identity.go that handles the full login flow.

OIDC users can alternatively create access keys. Access Keys are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the access keys. To create a new access key, log into the MinIO Console using the OIDC-managed user credentials. From the Identity section of the left navigation, select Access Keys followed by the Create access keys + button.

Identifying the JWT Claim Value

MinIO uses the JWT token returned as part of the OIDC authentication flow to identify the specific policies to assign to the authenticated user.

You can use a JWT Debugging tool to decode the returned JWT token and validate that the user attributes include the required claims.

See RFC 7519: JWT Claim for more information on JWT claims.

Defer to the documentation for your preferred OIDC provider for instructions on configuring user claims.

Creating Policies to Match Claims

Use either the MinIO Console or the mc admin policy command to create policies that match one or more claim values.

OIDC Policy Variables

The following table contains a list of supported policy variables for use in authorizing OIDC-managed users.

Each variable corresponds to a claim returned as part of the authenticated user’s JWT token:




Returns the sub claim for the user.


Returns the Issuer Identifier claim from the ID token.


Returns the Audience claim from the ID token.


Returns the JWT ID claim from the client authentication information.


Returns the User Principal Name claim from the client authentication information.


Returns the name claim for the user.


Returns the groups claim for the user.


Returns the given_name claim for the user.


Returns the family_name claim for the user.


Returns the middle_name claim for the user.


Returns the nickname claim for the user.


Returns the preferred_username claim for the user.


Returns the profile claim for the user.


Returns the picture claim for the user.


Returns the website claim for the user.


Returns the email claim for the user.


Returns the gender claim for the user.


Returns the birthdate claim for the user.


Returns the phone_number claim for the user.


Returns the address claim for the user.


Returns the scope claim for the user.


Returns the client_id claim for the user.

See the OpenID Connect Core 1.0 document for more information on these scopes. Your OIDC provider of choice may have more specific documentation.

For example, the following policy uses variables to substitute the authenticated user’s PreferredUsername as part of the Resource field such that the user can only access those prefixes which match their username:

"Version": "2012-10-17",
"Statement": [
         "Action": ["s3:ListBucket"],
         "Effect": "Allow",
         "Resource": ["arn:aws:s3:::mybucket"],
         "Condition": {"StringLike": {"s3:prefix": ["${jwt:PreferredUsername}/*"]}}
         "Action": [
         "Effect": "Allow",
         "Resource": ["arn:aws:s3:::mybucket/${jwt:PreferredUsername}/*"]

MinIO replaces the ${jwt:PreferredUsername} variable in the Resource field with the value of the PreferredUsername in the JWT token. MinIO then evaluates the policy and grants or revokes access to the requested API and resource.

Join Slack 商业支持购买咨询