storj.io/minio@v0.0.0-20230509071714-0cbc90f649b1/docs/sts/keycloak.md

# Keycloak Quickstart Guide [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)

Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. This document covers configuring Keycloak as an identity provider for MinIO.

## Prerequisites

Configure and install the Keycloak server by following the [Keycloak Installation Guide](https://www.keycloak.org/docs/latest/getting_started/index.html) (finish up to section 3.4).

### Configure Keycloak UI
- Go to Clients
  - Click on `account`
  - Settings
  - Enable `Implicit Flow`
  - Save

- Go to Users
  - Click on the user
  - Under Attributes, add a new attribute whose `Key` is `policy` and whose `Value` is the name of the policy on MinIO (e.g. `readwrite`)
  - Add and Save

- Go to Clients
  - Click on `account`
  - Settings: set `Valid Redirect URIs` to `*`, expand `Advanced Settings` and set `Access Token Lifespan` to `1 Hours`
  - Save

- Go to Clients
  - Click on `account`
  - Mappers
  - Create
    - `Name` with any text
    - `Mapper Type` is `User Attribute`
    - `User Attribute` is `policy`
    - `Token Claim Name` is `policy`
    - `Claim JSON Type` is `string`
  - Save

- Open http://localhost:8080/auth/realms/minio/.well-known/openid-configuration to verify the OpenID discovery document; check that it contains `authorization_endpoint` and `jwks_uri`

### Configure MinIO
```
$ export MINIO_ROOT_USER=minio
$ export MINIO_ROOT_PASSWORD=minio123
$ minio server /mnt/export
```

Here are all the available options to configure OpenID Connect:
```
mc admin config set myminio/ identity_openid

KEY:
identity_openid  enable OpenID SSO support

ARGS:
config_url*   (url)       openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"
client_id     (string)    unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"
claim_name    (string)    JWT canned policy claim name, defaults to "policy"
claim_prefix  (string)    JWT claim namespace prefix e.g. "customer1/"
scopes        (csv)       Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"
comment       (sentence)  optionally add a comment to this setting
```

and the equivalent environment variable based options:
```
mc admin config set myminio/ identity_openid --env

KEY:
identity_openid  enable OpenID SSO support

ARGS:
MINIO_IDENTITY_OPENID_CONFIG_URL*   (url)       openid discovery document e.g. "https://accounts.google.com/.well-known/openid-configuration"
MINIO_IDENTITY_OPENID_CLIENT_ID     (string)    unique public identifier for apps e.g. "292085223830.apps.googleusercontent.com"
MINIO_IDENTITY_OPENID_CLAIM_NAME    (string)    JWT canned policy claim name, defaults to "policy"
MINIO_IDENTITY_OPENID_CLAIM_PREFIX  (string)    JWT claim namespace prefix e.g. "customer1/"
MINIO_IDENTITY_OPENID_SCOPES        (csv)       Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"
MINIO_IDENTITY_OPENID_COMMENT       (sentence)  optionally add a comment to this setting
```

Set the `identity_openid` config with `config_url` and `client_id`, then restart MinIO:
```
~ mc admin config set myminio identity_openid config_url="http://localhost:8080/auth/realms/minio/.well-known/openid-configuration" client_id="account"
```
> NOTE: You can configure the `scopes` parameter to restrict the OpenID scopes MinIO requests from the IdP, for example `"openid,policy_role_attribute"`, where `policy_role_attribute` is a client scope / client mapper that maps a role attribute called `policy` to a `policy` claim returned by Keycloak.

Once the configuration is set successfully, restart the MinIO instance:
```
mc admin service restart myminio
```
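As an added example (not part of this guide or of the MinIO project code), the Go program below shows the two things this section depends on: that the discovery document at `config_url` advertises `authorization_endpoint` and `jwks_uri`, and how the `policy` claim that the mapper above puts into the token is looked up under `claim_prefix` + `claim_name` and turned into MinIO policy names. The discovery document and the JWT are constructed inline so the program runs offline; that the prefix is simply prepended to the claim name, and that a claim may be a string or an array with comma separated names, are assumptions of this example, not statements from the page.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// sampleDiscovery is a constructed stand-in for the document served at
// http://localhost:8080/auth/realms/minio/.well-known/openid-configuration.
const sampleDiscovery = `{"issuer":"http://localhost:8080/auth/realms/minio",
 "authorization_endpoint":"http://localhost:8080/auth/realms/minio/protocol/openid-connect/auth",
 "jwks_uri":"http://localhost:8080/auth/realms/minio/protocol/openid-connect/certs"}`

// discovery keeps only the fields the guide asks you to verify.
type discovery struct {
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	JwksURI               string `json:"jwks_uri"`
}

// checkDiscovery fails if the document lacks the login redirect endpoint or the key set URI.
func checkDiscovery(doc []byte) (discovery, error) {
	var d discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return d, fmt.Errorf("parse discovery document: %w", err)
	}
	if d.AuthorizationEndpoint == "" {
		return d, errors.New("discovery document has no authorization_endpoint")
	}
	if d.JwksURI == "" {
		return d, errors.New("discovery document has no jwks_uri")
	}
	return d, nil
}

// policiesFromToken decodes a JWT payload (signature deliberately not checked here;
// MinIO verifies it against jwks_uri) and returns the policy names found under
// claimPrefix+claimName. Assumption: string or array claim, comma separated names.
func policiesFromToken(token, claimPrefix, claimName string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	key := claimPrefix + claimName
	raw, ok := claims[key]
	if !ok {
		return nil, fmt.Errorf("claim %q not present in token", key)
	}
	var names []string
	switch v := raw.(type) {
	case string:
		names = strings.Split(v, ",")
	case []interface{}:
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, errors.New("policy claim array holds a non-string member")
			}
			names = append(names, strings.Split(s, ",")...)
		}
	default:
		return nil, errors.New("policy claim is neither a string nor an array")
	}
	var out []string
	for _, n := range names {
		if n = strings.TrimSpace(n); n != "" {
			out = append(out, n)
		}
	}
	return out, nil
}

// constructedToken builds an unsigned test JWT (dummy signature) so the example runs without Keycloak.
func constructedToken(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".dummy-signature"
}

func main() {
	d, err := checkDiscovery([]byte(sampleDiscovery))
	fmt.Println("authorization_endpoint:", d.AuthorizationEndpoint, "jwks_uri:", d.JwksURI, "err:", err)
	// Shaped like the token the mapper above produces: claim "policy" = "readwrite".
	tok := constructedToken(map[string]interface{}{"sub": "user-1", "policy": "readwrite"})
	fmt.Println(policiesFromToken(tok, "", "policy"))
}
```

Run it with `go run .`; with `claim_prefix` set to `customer1/`, a token must carry the claim `customer1/policy`, so a plain `policy` claim is reported as missing rather than silently granting nothing.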

### Using WebIdentity API
The Client ID can be found by clicking any of the clients listed [here](http://localhost:8080/auth/admin/master/console/#/realms/minio/clients). If you have followed the steps above, the default Client ID will be `account`.

```
$ go run docs/sts/web-identity.go -cid account -csec 072e7f00-4289-469c-9ab2-bbe843c7f5a8  -config-ep "http://localhost:8080/auth/realms/minio/.well-known/openid-configuration" -port 8888
2018/12/26 17:49:36 listening on http://localhost:8888/
```

This opens the Keycloak login page. Upon successful login, the STS credentials, along with any buckets discovered using those credentials, are printed on the screen, for example:

```
{
  "buckets": [
    "bucket-x"
  ],
  "credentials": {
    "AccessKeyID": "6N2BALX7ELO827DXS3GK",
    "SecretAccessKey": "23JKqAD+um8ObHqzfIh+bfqwG9V8qs9tFY6MqeFR+xxx",
    "SessionToken": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.[payload elided]._UG_-ZHgwdRnsp0gFdwChb7VlbPs-Gr_RNUz9EV7TggCD59qjCFAKjNrVHfOSVkKvYEMe0PvwfRKjnJl3A_mBA",
    "SignerType": 1
  }
}
```

> NOTE: You can use the `-cscopes` parameter to restrict the requested scopes, for example to `"openid,policy_role_attribute"`, where `policy_role_attribute` is a client scope / client mapper that maps a role attribute called `policy` to a `policy` claim returned by Keycloak.

These credentials can now be used to perform MinIO API operations.

### Using MinIO Browser

- Open the MinIO URL in the browser, let's say http://localhost:9000
- Click on `Log in with OpenID`
- Provide the `Client ID` and press ENTER. If `client_id` is already configured for MinIO, this page redirects to the Keycloak user login page automatically.
- The user is redirected to the Keycloak user login page; upon successful login the user is redirected back to the MinIO page and logged in automatically, and should now see the buckets and objects they have access to.

## Explore Further

- [MinIO STS Quickstart Guide](https://docs.min.io/docs/minio-sts-quickstart-guide)
- [The MinIO documentation website](https://docs.min.io)