# Keycloak Quickstart Guide

Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. This document covers configuring Keycloak as an identity provider for the MinIO server STS API.
## 1. Prerequisites

- Java 1.8 or later installed
- Download and start the Keycloak server by following the installation guide (finish up to section 3.4)
## 2. Configure Keycloak

- Go to Users -> Click on the user -> Attribute, add a new attribute with `Key` set to `policy` and `Value` set to the name of the policy in MinIO (e.g. `readwrite`). Click Add and then Save.
- Go to Clients -> Click on `account` -> Settings, set `Valid Redirect URIs` to `*`, expand `Advanced Settings` and set `Access Token Lifespan` to `1 Hours`, then Save.
- Go to Clients -> Click on `account` -> Mappers -> Create, `Name` can be any text, `Mapper Type` is `User Attribute`, `User Attribute` is `policy`, `Token Claim Name` is `policy`, `Claim JSON Type` is `string`, then Save.
- Open http://localhost:8080/auth/realms/demo/.well-known/openid-configuration and check that it contains `authorization_endpoint` and `jwks_uri`.
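Two things commonly go wrong at this point: the discovery document lacks an endpoint MinIO needs, or the mapper was created but the issued token never carries the `policy` claim. The program below, an added example written for this guide and not code from MinIO or Keycloak, checks both offline. The discovery JSON is constructed to mirror the `demo` realm used above (the `jwks_uri` path is an assumption), and the token is a constructed HS256 JWT standing in for what Keycloak issues; MinIO itself verifies signatures against `jwks_uri`, so the claim check here deliberately does not.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// sampleDiscovery is a constructed discovery document shaped like the one
// Keycloak serves for the "demo" realm; the jwks_uri path is an assumption.
const sampleDiscovery = `{
  "issuer": "http://localhost:8080/auth/realms/demo",
  "authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
  "jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs"
}`

// Discovery holds the provider metadata fields this setup depends on.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	JwksURI               string `json:"jwks_uri"`
}

// checkDiscovery parses the document and names every required field that is
// missing, so a misconfigured realm is caught before MinIO is pointed at it.
func checkDiscovery(doc []byte) (Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return d, fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	var missing []string
	if d.AuthorizationEndpoint == "" {
		missing = append(missing, "authorization_endpoint")
	}
	if d.JwksURI == "" {
		missing = append(missing, "jwks_uri")
	}
	if len(missing) > 0 {
		return d, fmt.Errorf("discovery document lacks: %s", strings.Join(missing, ", "))
	}
	return d, nil
}

// signHS256 builds a JWT over the given claims with a constructed secret. It
// stands in for the token Keycloak issues (Keycloak uses RS256; HS256 keeps
// the example self-contained).
func signHS256(claims map[string]interface{}, secret []byte) (string, error) {
	enc := base64.RawURLEncoding
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// policyClaim decodes a JWT payload and returns its "policy" claim. It does
// not verify the signature (MinIO does that against jwks_uri); it only tells
// you whether the mapper from step 2 actually emitted the claim.
func policyClaim(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token does not have three dot-separated segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("payload is not JSON: %w", err)
	}
	policy, ok := claims["policy"].(string)
	if !ok || policy == "" {
		return "", errors.New(`no string "policy" claim: check the user attribute and the mapper`)
	}
	return policy, nil
}

func main() {
	d, err := checkDiscovery([]byte(sampleDiscovery))
	if err != nil {
		fmt.Println("discovery check failed:", err)
		return
	}
	fmt.Println("jwks_uri:", d.JwksURI)
	// Constructed claims for a user whose "policy" attribute is "readwrite".
	tok, _ := signHS256(map[string]interface{}{"sub": "alice", "policy": "readwrite"}, []byte("constructed-secret"))
	policy, err := policyClaim(tok)
	if err != nil {
		fmt.Println("token check failed:", err)
		return
	}
	fmt.Println("policy claim:", policy)
}
```

To run it against a live realm, replace `sampleDiscovery` with the body fetched from the `.well-known/openid-configuration` URL above and pass the access token returned by Keycloak to `policyClaim`; a missing claim at this stage means the user attribute or the mapper, not MinIO, is the problem.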
## 3. Configure MinIO

```
$ export MINIO_ACCESS_KEY=minio
$ export MINIO_SECRET_KEY=minio123
$ minio server /mnt/export
```

Set the `identity_openid` config and restart MinIO:

```
~ mc admin config set myminio identity_openid config_url="http://localhost:8080/auth/realms/demo/.well-known/openid-configuration" state="on"
```

Once successfully set, restart the MinIO instance:

```
mc admin service restart myminio
```
## 4. Using WebIdentity API

Client ID and Client Secret can be found by clicking any of the clients listed on the Keycloak Clients page. If you have followed the steps above, the default Client ID will be `account` and the Client Secret can be found under the `Credentials` tab.

```
$ go run web-identity.go -cid account -csec e61cb282-745b-4113-bece-29b921c735f0 -auth-ep http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth -token-ep http://localhost:8080/auth/realms/demo/protocol/openid-connect/token -port 8888
2018/12/26 17:49:36 listening on http://localhost:8888/
```

This will open the Keycloak login page; upon successful login, STS credentials will be printed on the screen, for example:

```
##### Credentials
{
	"accessKey": "6N2BALX7ELO827DXS3GK",
	"secretKey": "23JKqAD+um8ObHqzfIh+bfqwG9V8qs9tFY6MqeFR",
	"expiration": "2019-10-01T07:22:34Z",
	"sessionToken": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.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._UG_-ZHgwdRnsp0gFdwChb7VlbPs-Gr_RNUz9EV7TggCD59qjCFAKjNrVHfOSVkKvYEMe0PvwfRKjnJl3A_mBA"
}
```

These credentials can now be used to perform MinIO API operations.
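The step `web-identity.go` performs after the Keycloak login is the STS exchange: the ID token goes to MinIO and temporary credentials come back. The program below is an added example, not the page's `web-identity.go`. It assumes MinIO's STS API accepts the standard `AssumeRoleWithWebIdentity` action as a form-encoded POST to the server URL and answers with AWS-style XML; the response body (built from the access key, secret key and expiration printed above, with a placeholder session token), the fake server that plays MinIO, and all function names are constructed for the example, so it runs offline.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Credentials mirrors the <Credentials> element of an STS response.
type Credentials struct {
	AccessKeyID     string    `xml:"AccessKeyId"`
	SecretAccessKey string    `xml:"SecretAccessKey"`
	SessionToken    string    `xml:"SessionToken"`
	Expiration      time.Time `xml:"Expiration"`
}

// stsResponse is the envelope of an AssumeRoleWithWebIdentity response.
type stsResponse struct {
	XMLName xml.Name `xml:"AssumeRoleWithWebIdentityResponse"`
	Result  struct {
		Credentials Credentials `xml:"Credentials"`
	} `xml:"AssumeRoleWithWebIdentityResult"`
}

// sampleSTSResponse is constructed from the values shown in the guide's output;
// the session token is a placeholder.
const sampleSTSResponse = `<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult><Credentials>
    <AccessKeyId>6N2BALX7ELO827DXS3GK</AccessKeyId>
    <SecretAccessKey>23JKqAD+um8ObHqzfIh+bfqwG9V8qs9tFY6MqeFR</SecretAccessKey>
    <SessionToken>constructed.session.token</SessionToken>
    <Expiration>2019-10-01T07:22:34Z</Expiration>
  </Credentials></AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>`

// assumeRoleRequest builds the form-encoded POST that asks MinIO's STS API to
// exchange the Keycloak ID token for temporary credentials (assumed API shape).
func assumeRoleRequest(minioURL, idToken string, lifetime time.Duration) (*http.Request, error) {
	if idToken == "" {
		return nil, fmt.Errorf("no ID token: log in through Keycloak first")
	}
	form := url.Values{}
	form.Set("Action", "AssumeRoleWithWebIdentity")
	form.Set("Version", "2011-06-15")
	form.Set("WebIdentityToken", idToken)
	form.Set("DurationSeconds", strconv.Itoa(int(lifetime.Seconds())))
	req, err := http.NewRequest(http.MethodPost, minioURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// parseSTSResponse extracts the credentials and rejects a reply that is
// malformed, incomplete, or already expired relative to now.
func parseSTSResponse(body []byte, now time.Time) (Credentials, error) {
	var r stsResponse
	if err := xml.Unmarshal(body, &r); err != nil {
		return Credentials{}, fmt.Errorf("unexpected STS response: %w", err)
	}
	c := r.Result.Credentials
	if c.AccessKeyID == "" || c.SecretAccessKey == "" || c.SessionToken == "" {
		return Credentials{}, fmt.Errorf("STS response is missing credential fields")
	}
	if !c.Expiration.After(now) {
		return Credentials{}, fmt.Errorf("credentials expired at %s", c.Expiration.Format(time.RFC3339))
	}
	return c, nil
}

// exchange performs the round trip; any non-200 reply is reported with its body.
func exchange(client *http.Client, minioURL, idToken string, lifetime time.Duration, now time.Time) (Credentials, error) {
	req, err := assumeRoleRequest(minioURL, idToken, lifetime)
	if err != nil {
		return Credentials{}, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return Credentials{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return Credentials{}, err
	}
	if resp.StatusCode != http.StatusOK {
		return Credentials{}, fmt.Errorf("STS returned %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	return parseSTSResponse(body, now)
}

// fakeSTSServer is a constructed stand-in for MinIO: it answers a well-formed
// AssumeRoleWithWebIdentity request with sampleSTSResponse and rejects the rest.
func fakeSTSServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.ParseForm() != nil || r.Form.Get("Action") != "AssumeRoleWithWebIdentity" || r.Form.Get("WebIdentityToken") == "" {
			http.Error(w, "bad STS request", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/xml")
		fmt.Fprint(w, sampleSTSResponse)
	}))
}
```

Against a real deployment, `exchange` would be called with `http.DefaultClient`, the MinIO URL (`http://localhost:9000` in this guide), the ID token returned by Keycloak and `time.Now()`; the `DurationSeconds` value should not exceed the token lifespan configured in step 2, which is why the example asks for one hour.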
## 5. Using MinIO Browser

- Open the MinIO URL in the browser, for example http://localhost:9000
- Click on `Log in with OpenID`
- Provide `Client ID` and press ENTER
- Now the user will be redirected to the Keycloak login page; upon successful login the user will be redirected to the MinIO page and logged in automatically