# Keycloak Quickstart Guide

Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. This document covers configuring Keycloak as an identity provider for MinIO.

Configure and install the Keycloak server by following the Keycloak Installation Guide (finish up to section 3.4).
## Configure Keycloak UI

- Go to Clients
  - Click on `account`
    - Settings
    - Enable `Implicit Flow`
    - Save
- Go to Users
  - Click on the user
    - Attributes: add a new attribute whose key is `policy` and whose value is the name of the policy on MinIO (ex: `readwrite`)
    - Add and Save
- Go to Clients
  - Click on `account`
    - Settings: set `Valid Redirect URIs` to the redirect URI(s) of your application, expand `Advanced Settings` and set `Access Token Lifespan` to `1 Hours`
    - Save
- Go to Clients
  - Click on `account`
    - Mappers
    - Create
      - `Name`: any text
      - `Mapper Type`: `User Attribute`
      - `User Attribute`: `policy`
      - `Token Claim Name`: `policy`
      - `Claim JSON Type`: `String`
    - Save
- Open http://localhost:8080/auth/realms/minio/.well-known/openid-configuration to verify the OpenID discovery document; check that it is served and lists `issuer`, `authorization_endpoint` and `jwks_uri` (MinIO fetches the token signing keys from `jwks_uri`).
## Configure MinIO

```sh
$ export MINIO_ROOT_USER=minio
$ export MINIO_ROOT_PASSWORD=minio123
$ minio server /mnt/export
```
Here are all the available options to configure OpenID Connect:

```
mc admin config set myminio/ identity_openid

identity_openid  enable OpenID SSO support

config_url*   (url)       openid discovery document e.g. ""
client_id     (string)    unique public identifier for apps e.g. ""
claim_name    (string)    JWT canned policy claim name, defaults to "policy"
claim_prefix  (string)    JWT claim namespace prefix e.g. "customer1/"
scopes        (csv)       Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"
comment       (sentence)  optionally add a comment to this setting
```

and the equivalent environment-variable based options:

```
mc admin config set myminio/ identity_openid --env

identity_openid  enable OpenID SSO support

MINIO_IDENTITY_OPENID_CONFIG_URL*   (url)       openid discovery document e.g. ""
MINIO_IDENTITY_OPENID_CLIENT_ID     (string)    unique public identifier for apps e.g. ""
MINIO_IDENTITY_OPENID_CLAIM_NAME    (string)    JWT canned policy claim name, defaults to "policy"
MINIO_IDENTITY_OPENID_CLAIM_PREFIX  (string)    JWT claim namespace prefix e.g. "customer1/"
MINIO_IDENTITY_OPENID_SCOPES        (csv)       Comma separated list of OpenID scopes for server, defaults to advertised scopes from discovery document e.g. "email,admin"
MINIO_IDENTITY_OPENID_COMMENT       (sentence)  optionally add a comment to this setting
```
Set the `identity_openid` config with `config_url` and `client_id`, then restart MinIO:

```sh
~ mc admin config set myminio identity_openid config_url="http://localhost:8080/auth/realms/minio/.well-known/openid-configuration" client_id="account"
```
NOTE: You can configure the `scopes` parameter to restrict the OpenID scopes that MinIO requests from the IdP, for example `"openid,policy_role_attribute"`, where `policy_role_attribute` is a client scope / client mapper that maps a role attribute called `policy` to a `policy` claim returned by Keycloak.
Once successfully set, restart the MinIO instance:

```sh
mc admin service restart myminio
```
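The Go program below is an added example, not code from MinIO or Keycloak, showing what the settings above mean at token level. The user-attribute mapper makes Keycloak emit a `policy` claim; `claim_name` and `claim_prefix` tell MinIO where to look for it; `Access Token Lifespan` becomes the token's `exp`; and the discovery document's `jwks_uri` supplies the keys the signature is checked against. The program mints such a token with a freshly generated (constructed) key and `kid`, then verifies it the way a relying party must before acting on the claim. It is a generic JWT/JWKS verifier written for this page, not MinIO's own implementation.

```go
package main

// Added example (not MinIO's or Keycloak's code): mints an RS256 JWT carrying a
// "policy" claim the way the user-attribute mapper above produces one, then does
// what a relying party such as MinIO must do before acting on it: check the
// signature against the key set at jwks_uri, honour "exp", resolve claim_prefix+claim_name.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of a JSON Web Key that an RS256 verifier needs.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
var b64 = base64.RawURLEncoding

// signRS256 stands in for Keycloak's token endpoint: it signs the claims into
// header.payload.signature with the IdP's (here freshly generated) private key.
func signRS256(key *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims) // plain strings and numbers: cannot fail
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// publicJWK exports the verification key in the form a jwks_uri document serves.
func publicJWK(key *rsa.PrivateKey, kid string) jwk {
	e := big.NewInt(int64(key.PublicKey.E)).Bytes()
	return jwk{Kty: "RSA", Kid: kid, N: b64.EncodeToString(key.PublicKey.N.Bytes()), E: b64.EncodeToString(e)}
}

// verifyAndResolvePolicy rejects anything that is not a validly signed, unexpired
// RS256 token, then returns the policy name stored under claimPrefix+claimName.
func verifyAndResolvePolicy(token string, keys []jwk, claimName, claimPrefix string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return "", errors.New("malformed JWT") }
	hdrJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return "", errors.New("malformed JWT encoding")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	var claims map[string]interface{}
	if json.Unmarshal(hdrJSON, &hdr) != nil || json.Unmarshal(payload, &claims) != nil {
		return "", errors.New("malformed JWT JSON")
	}
	if hdr.Alg != "RS256" { // the header is attacker-controlled: pin the algorithm
		return "", fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil { return "", errors.New("no key in JWKS matches kid") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature verification failed")
	}
	exp, ok := claims["exp"].(float64) // Access Token Lifespan surfaces here; enforce it
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return "", errors.New("token expired or has no exp")
	}
	policy, ok := claims[claimPrefix+claimName].(string)
	if !ok || policy == "" {
		return "", fmt.Errorf("claim %q missing or not a string", claimPrefix+claimName)
	}
	return policy, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	// Constructed claims for a user whose Keycloak "policy" attribute is "readwrite".
	token, _ := signRS256(key, "kc-key-1", map[string]interface{}{"exp": now.Add(time.Hour).Unix(), "policy": "readwrite"})
	fmt.Println(verifyAndResolvePolicy(token, []jwk{publicJWK(key, "kc-key-1")}, "policy", "", now))
}
```

With `claim_prefix="customer1/"` the same verifier looks for `customer1/policy`, which is what the `claim_prefix` option above changes; a token with an unknown `kid`, a spliced payload, an `alg` other than RS256 or a past `exp` is refused before the claim is ever read.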
## Using WebIdentity API

The Client ID can be found by clicking any of the clients listed under Clients in the Keycloak admin console. If you have followed the steps above, the default Client ID will be `account`.

```sh
$ go run docs/sts/web-identity.go -cid account -csec 072e7f00-4289-469c-9ab2-bbe843c7f5a8 -config-ep "http://localhost:8080/auth/realms/minio/.well-known/openid-configuration" -port 8888
2018/12/26 17:49:36 listening on http://localhost:8888/
```
This will open the Keycloak login page. Upon successful login, STS credentials along with any buckets discovered using those credentials are printed on the screen, for example:

```json
{
  "buckets": [
    ...
  ],
  "credentials": {
    "AccessKeyID": "6N2BALX7ELO827DXS3GK",
    "SecretAccessKey": "23JKqAD+um8ObHqzfIh+bfqwG9V8qs9tFY6MqeFR+xxx",
    "SessionToken": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.[payload elided]._UG_-ZHgwdRnsp0gFdwChb7VlbPs-Gr_RNUz9EV7TggCD59qjCFAKjNrVHfOSVkKvYEMe0PvwfRKjnJl3A_mBA",
    "SignerType": 1
  }
}
```
NOTE: You can use the `scopes` parameter to restrict the requested scopes, for example to `"openid,policy_role_attribute"`, where `policy_role_attribute` is a client scope / client mapper that maps a role attribute called `policy` to a `policy` claim returned by Keycloak.
These credentials can now be used to perform MinIO API operations.
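The exchange that produces those credentials, as an added example that is not part of the original page and not `docs/sts/web-identity.go` itself: after the Keycloak login the client holds an ID token, posts it to MinIO's STS endpoint as an `AssumeRoleWithWebIdentity` request, and receives temporary credentials in an XML reply. Both sides are shown; `fakeSTS` is a local stand-in for MinIO's STS endpoint so the program runs offline, and the credential values it returns are constructed placeholders. The request parameters (`Action`, `Version=2011-06-15`, `WebIdentityToken`, `DurationSeconds`) and the response element names follow the AWS STS API shape that MinIO implements.

```go
package main

// Added example, not MinIO's code: the AssumeRoleWithWebIdentity exchange that
// follows the Keycloak login, shown from both sides. fakeSTS stands in for
// MinIO's STS endpoint so the program runs offline; the request parameters and
// the response XML follow the AWS STS API shape that MinIO implements.

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// stsCredentials mirrors the <Credentials> element of the STS response.
type stsCredentials struct {
	AccessKeyID     string    `xml:"AccessKeyId"`
	SecretAccessKey string    `xml:"SecretAccessKey"`
	SessionToken    string    `xml:"SessionToken"`
	Expiration      time.Time `xml:"Expiration"`
}

type assumeRoleResponse struct {
	XMLName     xml.Name       `xml:"AssumeRoleWithWebIdentityResponse"`
	Credentials stsCredentials `xml:"AssumeRoleWithWebIdentityResult>Credentials"`
}

// assumeRoleWithWebIdentity posts the form-encoded STS request carrying the
// IdP token and parses the temporary credentials out of the XML reply.
func assumeRoleWithWebIdentity(stsEndpoint, idToken string, durationSeconds int) (*stsCredentials, error) {
	form := url.Values{}
	form.Set("Action", "AssumeRoleWithWebIdentity")
	form.Set("Version", "2011-06-15")
	form.Set("WebIdentityToken", idToken)
	form.Set("DurationSeconds", strconv.Itoa(durationSeconds))
	resp, err := http.PostForm(stsEndpoint, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("STS returned %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	var out assumeRoleResponse
	if err := xml.Unmarshal(body, &out); err != nil {
		return nil, err
	}
	if out.Credentials.AccessKeyID == "" || out.Credentials.SessionToken == "" {
		return nil, errors.New("STS response carried no credentials")
	}
	return &out.Credentials, nil
}

// fakeSTS emulates the server side for offline runs: it accepts exactly one
// constructed token and answers anything else with 400, as a real endpoint
// does for a token whose signature or claims fail verification. The returned
// credential values are constructed placeholders.
func fakeSTS(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.FormValue("Action") != "AssumeRoleWithWebIdentity" {
			http.Error(w, "unsupported action", http.StatusBadRequest)
			return
		}
		if r.FormValue("WebIdentityToken") != validToken {
			http.Error(w, "invalid web identity token", http.StatusBadRequest)
			return
		}
		secs, _ := strconv.Atoi(r.FormValue("DurationSeconds"))
		exp := time.Now().Add(time.Duration(secs) * time.Second).UTC().Format(time.RFC3339)
		fmt.Fprintf(w, `<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult><Credentials>
    <AccessKeyId>CONSTRUCTED-ACCESS-KEY</AccessKeyId>
    <SecretAccessKey>CONSTRUCTED-SECRET-KEY</SecretAccessKey>
    <SessionToken>CONSTRUCTED-SESSION-TOKEN</SessionToken>
    <Expiration>%s</Expiration>
  </Credentials></AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>`, exp)
	}))
}

func main() {
	srv := fakeSTS("constructed.id.token")
	defer srv.Close()
	creds, err := assumeRoleWithWebIdentity(srv.URL, "constructed.id.token", 3600)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("AccessKeyID=%s expires=%s\n", creds.AccessKeyID, creds.Expiration.Format(time.RFC3339))
}
```

Against a real MinIO the endpoint is the server's own address (the STS API is served on the same port as S3), and the `Expiration` returned is bounded by the token's `exp` and the requested `DurationSeconds`; the client should treat the credentials as short-lived and re-run the exchange rather than caching them past that time.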