Integrate with MinIO
Support level: Community
What is MinIO?
MinIO is an S3-compatible object storage platform for AI, analytics, and data-intensive workloads.
Preparation
The following placeholders are used in this guide:
minio.companyis the FQDN of the MinIO installation.authentik.companyis the FQDN of the authentik installation.
The MinIO community repository is no longer maintained, and legacy pre-built community binaries are no longer maintained. MinIO directs new deployments to AIStor Free or AIStor Enterprise.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
authentik configuration
In authentik versions earlier than 2026.5, all Redirect URIs are automatically treated as Authorization type. If you are using one of these older authentik versions, add only the Authorization URL to your Redirect URIs and do not configure a Post Logout URI.
To support the integration of MinIO with authentik, you need to create a scope mapping, an application/provider pair, and application entitlements in authentik.
Create a scope mapping
MinIO uses the policy claim to assign MinIO policies to OIDC users. Create a scope mapping to pass authentik application entitlements as MinIO policy names.
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Customization > Property mappings and click Create.
-
Select Scope Mapping as the property mapping type.
-
Configure the following settings:
-
Name: provide a descriptive name, such as
MinIO policies. -
Scope name:
minio -
Expression:
return {"policy": [entitlement.namefor entitlement in request.user.app_entitlements(provider.application)],}
-
-
Click Finish.
Create an application and provider
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the Slug value because it will be required later.
- Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the Client ID and Client Secret values because they will be required later.
- Add a Redirect URI of type
StrictAuthorizationashttps://minio.company/oauth_callback. - Select any available signing key.
- Under Advanced protocol settings > Selected Scopes, add the scope mapping that you created in the previous section.
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
-
Click Submit to save the new application and provider.
Create application entitlements
Use application entitlements to represent the MinIO policies that this application should assign.
- Open the MinIO application that you just created in the authentik Admin interface.
- Click the Application entitlements tab.
- Create one entitlement for each MinIO policy that users should be able to receive, such as
readonly. - Bind the appropriate users or groups to each entitlement.
The entitlement names must exactly match existing MinIO policy names. Users who authenticate without at least one matching policy have no permissions in MinIO.
MinIO configuration
Create the MinIO policies that correspond to your authentik application entitlement names before users sign in. You can create policies in the MinIO Console or with the mc admin policy commands. Designing bucket policies is outside the scope of this guide.
You can set up OIDC in three different ways: with environment variables, the web interface, or the command line.
- Environment variables
- Web interface
- Command line
You can configure MinIO OIDC settings using environment variables.
Add the following variables to your environment file:
MINIO_IDENTITY_OPENID_CONFIG_URL="https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration"
MINIO_IDENTITY_OPENID_CLIENT_ID="<Client ID from authentik>"
MINIO_IDENTITY_OPENID_CLIENT_SECRET="<Client Secret from authentik>"
MINIO_IDENTITY_OPENID_DISPLAY_NAME="authentik"
MINIO_IDENTITY_OPENID_SCOPES="openid,profile,email,minio"
Restart MinIO for the changes to take effect.
In the MinIO Console, navigate to Access > OpenID, click Add Configuration, and configure the following settings:
- Name:
authentik - Config URL:
https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration - Client ID: Client ID from authentik
- Client Secret: Client Secret from authentik
- Scopes:
openid,profile,email,minio - Redirect URI:
https://minio.company/oauth_callback
Click Save, then restart MinIO for the changes to take effect.
Install and configure the MinIO Client (mc) with an alias for your MinIO deployment. The example below uses myminio as the alias.
Run the following command to configure the OpenID provider:
mc idp openid add myminio authentik \
config_url="https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration" \
client_id="<Client ID from authentik>" \
client_secret="<Client Secret from authentik>" \
display_name="authentik" \
scopes="openid,profile,email,minio" \
redirect_uri="https://minio.company/oauth_callback"
Restart MinIO for the changes to take effect.
Configuration verification
To confirm that authentik is properly configured with MinIO, open MinIO and sign in with authentik. After authentication, verify that the signed-in user receives the expected MinIO policy permissions.