diff --git a/website/integrations/services/minio/index.md b/website/integrations/services/minio/index.md index f2ea992172..660063238c 100644 --- a/website/integrations/services/minio/index.md +++ b/website/integrations/services/minio/index.md @@ -21,7 +21,7 @@ The following placeholders will be used: The primary way to manage access in MinIO is via [policies](https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#minio-policy). We need to configure authentik to return a list of which MinIO policies should be applied to a user. -Under _Customization_ -> _Property Mappings_, create a _Scope Mapping_. Give it a name like "OIDC-Scope-minio". Set the scope name to `minio` and the expression to the following +Create a Scope Mapping: in the authentik Admin interface, navigate to **Customization -> Property Mappings**, click **Create**, and then select **Scope Mapping**. Give the property mapping a name like "OIDC-Scope-minio". Set the scope name to `minio` and the **Expression** to the following: ```python return { @@ -29,7 +29,7 @@ return { } ``` -This mapping will result in the default MinIO `readwrite` policy being applied to all users. If you want to create a more granular mapping based on authentik groups, use an expression like this +This mapping applies the default MinIO `readwrite` policy to all users. If you want to create a more granular mapping based on authentik groups, use an expression like this: ```python if ak_is_group_member(request.user, name="Minio admins"): 
@@ -47,22 +47,45 @@ Note that you can assign multiple policies to a user by returning a list, and re ### Creating application and provider -Create an application in authentik. Create an _OAuth2/OpenID Provider_ with the following parameters: +Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters: - Client Type: `Confidential` -- Scopes: OpenID, Email, Profile and the scope you created above +- Scopes: OpenID, Email, Profile, and the scope you created above - Signing Key: Select any available key - Redirect URIs: `https://minio.company/oauth_callback` +Set the scope of the MinIO scope mapping that you created in the provider (previous step) in the **Advanced** area under **Protocol Settings -> Scopes**. + Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created. -## MinIO +## MinIO configuration + +You can set up OpenID in two different ways: via the web interface or the command line. + +### Web Interface + +From the sidebar of the main page, go to **Identity -> OpenID**, click **Create**, and then define the configuration as follows: + +- Name: MinIO +- Config URL: `https://minio.company/application/o//.well-known/openid-configuration` +- Client ID: Your client ID from the previous step +- Client Secret: Your client secret from the previous step +- Scopes: `openid, email, profile, minio` +- Redirect URI: `https://minio.company/oauth_callback` + +Finally, click **Save** and follow the instructions in the popup to restart your instance. + +### Command Line + +You must install the MinIO binaries from [here](https://min.io/docs/minio/linux/reference/minio-mc.html). You then need to create an alias for your instance using: `mc alias set myminio https://minio.company `. You can follow [this StackOverflow answer](https://stackoverflow.com/a/77645374) to create a secret key and access key. 
+ +After that is done, run the following command to configure the OpenID provider: ``` ~ mc admin config set myminio identity_openid \ - config_url="https://authentik.company/application/o//.well-known/openid-configuration" \ - client_id="" \ - client_secret="" \ + config_url="https://authentik.company/application/o//.well-known/openid-configuration" \ + client_id="" \ + client_secret="" \ scopes="openid,profile,email,minio" ```
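Review bot: In the second hunk (`@@ -29,7`), the first expression is presented as a working default, but as the rewritten sentence itself says it "applies the default MinIO `readwrite` policy to all users", i.e. every authenticated authentik user gets read/write on every bucket. Worth one added sentence making clear this is a starting point to be replaced by the group-based expression that follows before the integration is exposed to real users, rather than a recommended configuration.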
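Review bot: In the third hunk (`@@ -47,22`), the Web Interface `Config URL` is given as `https://minio.company/application/o//.well-known/openid-configuration`, but the OpenID discovery document is served by authentik, not MinIO; the Command Line block in the same hunk correctly uses `https://authentik.company/application/o//.well-known/openid-configuration`, so the web-interface value should use the `authentik.company` host too, otherwise a reader following the UI path points MinIO at itself. Two smaller points in the same hunk: the added sentence "Set the scope of the MinIO scope mapping that you created in the provider (previous step) in the **Advanced** area under **Protocol Settings -> Scopes**" restates the "Scopes: OpenID, Email, Profile, and the scope you created above" bullet just above it and is hard to parse; either fold the menu path into that bullet or drop the sentence. And the Command Line section says "install the MinIO binaries" while linking to the MinIO Client (`mc`) reference, and `mc alias set myminio https://minio.company ` is shown without the access key and secret key arguments the command needs; say "MinIO Client (`mc`)" and show the full `mc alias set <alias> <url> <access-key> <secret-key>` form, preferably pointing at MinIO's own documentation rather than a StackOverflow answer for creating the keys.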