Skip to main content

Integrate with MinIO

Support level: Community

What is MinIO?

MinIO is an S3-compatible object storage platform for AI, analytics, and data-intensive workloads.

-- https://www.min.io/

Preparation

The following placeholders are used in this guide:

  • minio.company is the FQDN of the MinIO installation.
  • authentik.company is the FQDN of the authentik installation.
MinIO product status

The MinIO community repository is no longer maintained, and legacy pre-built community binaries are no longer maintained. MinIO directs new deployments to AIStor Free or AIStor Enterprise.

info

This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.

authentik configuration

Redirect URI changes in authentik 2026.5

In authentik versions earlier than 2026.5, all Redirect URIs are automatically treated as Authorization type. If you are using one of these older authentik versions, add only the Authorization URL to your Redirect URIs and do not configure a Post Logout URI.

To support the integration of MinIO with authentik, you need to create a scope mapping, an application/provider pair, and application entitlements in authentik.

Create a scope mapping

MinIO uses the policy claim to assign MinIO policies to OIDC users. Create a scope mapping to pass authentik application entitlements as MinIO policy names.

  1. Log in to authentik as an administrator and open the authentik Admin interface.

  2. Navigate to Customization > Property mappings and click Create.

  3. Select Scope Mapping as the property mapping type.

  4. Configure the following settings:

    • Name: provide a descriptive name, such as MinIO policies.

    • Scope name: minio

    • Expression:

      return {
      "policy": [
      entitlement.name
      for entitlement in request.user.app_entitlements(provider.application)
      ],
      }
  5. Click Finish.

Create an application and provider

  1. Log in to authentik as an administrator and open the authentik Admin interface.

  2. Navigate to Applications > Applications and click New Application to open the application wizard.

    • Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the Slug value because it will be required later.
    • Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
    • Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
      • Note the Client ID and Client Secret values because they will be required later.
      • Add a Redirect URI of type Strict Authorization as https://minio.company/oauth_callback.
      • Select any available signing key.
      • Under Advanced protocol settings > Selected Scopes, add the scope mapping that you created in the previous section.
    • Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
  3. Click Submit to save the new application and provider.

Create application entitlements

Use application entitlements to represent the MinIO policies that this application should assign.

  1. Open the MinIO application that you just created in the authentik Admin interface.
  2. Click the Application entitlements tab.
  3. Create one entitlement for each MinIO policy that users should be able to receive, such as readonly.
  4. Bind the appropriate users or groups to each entitlement.

The entitlement names must exactly match existing MinIO policy names. Users who authenticate without at least one matching policy have no permissions in MinIO.

MinIO configuration

Create the MinIO policies that correspond to your authentik application entitlement names before users sign in. You can create policies in the MinIO Console or with the mc admin policy commands. Designing bucket policies is outside the scope of this guide.

You can set up OIDC in three different ways: with environment variables, the web interface, or the command line.

You can configure MinIO OIDC settings using environment variables.

Add the following variables to your environment file:

.env
MINIO_IDENTITY_OPENID_CONFIG_URL="https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration"
MINIO_IDENTITY_OPENID_CLIENT_ID="<Client ID from authentik>"
MINIO_IDENTITY_OPENID_CLIENT_SECRET="<Client Secret from authentik>"
MINIO_IDENTITY_OPENID_DISPLAY_NAME="authentik"
MINIO_IDENTITY_OPENID_SCOPES="openid,profile,email,minio"

Restart MinIO for the changes to take effect.

Configuration verification

To confirm that authentik is properly configured with MinIO, open MinIO and sign in with authentik. After authentication, verify that the signed-in user receives the expected MinIO policy permissions.

Resources