how to properly configure sso via keycloak in minio?


I entered the following data, but after applying these settings the login does not go through, and several questions arise. During authorization the user is returned to the MinIO page, and so on indefinitely.

MINIO_IDENTITY_OPENID_CONFIG_URL=https://test.local.ru/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_CLIENT_ID="292085223830"
MINIO_IDENTITY_OPENID_CLIENT_SECRET="12344556"
MINIO_IDENTITY_OPENID_SCOPES=openid
MINIO_IDENTITY_OPENID_REDIRECT_URI_DYNAMIC==https://minio.local.ru/*
  1. How do I even find out why it brings me back to the page? Are there any logs? I don't understand how to debug this.
  2. Do I still need to have the policies and users that are in SSO? If you start it, you need to specify the access key. It is unclear why authorization is needed then, if you still need the keys to log in.
  3. Is it possible to enable both OpenID and standard authorization at the same time?

Solution

  • I finally figured out this problem.

    You need to go to the Roles section of your Keycloak SSO client and create a role with a name equal to a policy from MinIO, for example a role named

    consoleAdmin or readonly

    Apart from the name, you do not need to fill in any attributes in the role, and do not make it composite. After adding the role, we need to perform two steps:

    1. Create a claim (the name can be anything), for example minio-roles: mapper type - User Client Role, claim JSON type - String, client ID - the name of your SSO client, token claim name - minio-roles.
    2. Then it remains to assign this role to users in the Users section: user - Role Mapping - Client Roles (select the SSO client name) - select the right role for this user.
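An added check for question 1, not part of the answer above or of MinIO or Keycloak code: decode the token Keycloak issues and confirm that the claim named in MINIO_IDENTITY_OPENID_CLAIM_NAME (minio-roles in the answer) carries a value equal to an existing MinIO policy name. It assumes MinIO's built-in policy names and does not verify the token signature, so it is for inspection of a token you already hold, not for authentication.

```python
import base64
import json

# MinIO's built-in policy names (assumption: no custom policies were added).
KNOWN_POLICIES = {"consoleAdmin", "readonly", "readwrite", "writeonly", "diagnostics"}


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_policy_claim(token: str, claim_name: str = "policy") -> tuple[bool, str]:
    """Check that the claim MinIO reads for policy mapping names a known policy.

    MinIO accepts a string or a list of strings; every entry must be a policy name.
    The default claim name when MINIO_IDENTITY_OPENID_CLAIM_NAME is unset is "policy".
    """
    payload = decode_jwt_payload(token)
    if claim_name not in payload:
        return False, f"claim '{claim_name}' missing; present claims: {sorted(payload)}"
    value = payload[claim_name]
    names = value if isinstance(value, list) else [value]
    if not all(isinstance(n, str) for n in names):
        return False, f"claim '{claim_name}' must be a string or list of strings, got {value!r}"
    unknown = sorted(set(names) - KNOWN_POLICIES)
    if unknown:
        return False, f"claim value(s) {unknown} match no MinIO policy"
    return True, f"ok: {claim_name} -> {names}"


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned token so the check can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


if __name__ == "__main__":
    # Constructed tokens: one with the mapper from the answer, one with a wrong claim name.
    print(check_policy_claim(make_unsigned_token({"sub": "alice", "minio-roles": ["consoleAdmin"]}), "minio-roles"))
    print(check_policy_claim(make_unsigned_token({"sub": "bob", "roles": ["consoleAdmin"]}), "minio-roles"))
```

Paste a real token (for example from the browser's network tab during the redirect loop) in place of the constructed ones; a "claim missing" result means the Keycloak mapper's token claim name does not match MINIO_IDENTITY_OPENID_CLAIM_NAME, and "match no MinIO policy" means the role name differs from the MinIO policy name.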