1.简介

minio官方提供二种第三方登录接入方法：

• OIDC: 所有支持open api v2的认证体系，例如 Okta、KeyCloak、Dex、Google 或 Facebook，用于用户身份的外部管理。
• LDAP

2.在google后台生成相关认证信息

{
    "web":{
        "client_id":"123456",
        "project_id":"test",
        "auth_uri":"https://accounts.google.com/o/oauth2/auth",
        "token_uri":"https://oauth2.googleapis.com/token",
         "client_secret":"abcd123",
        "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
        "redirect_uris":[
            "https://minio/oauth_callback"
        ],
        "javascript_origins":[
            "https://minio"
        ]
    }
}

3.安装minio

这里使用helm安装到k8s中，安装方法就不列出。

获取helm chart

$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm fetch bitnami/minio --version 11.3.2

修改values.yaml,配置相关参数信息

extraEnvVars:
  - name: MINIO_IDENTITY_OPENID_CLIENT_ID
    value: "123456"
  - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
    value: "abcd123"
  - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
    value: "https://minio/oauth_callback"
  - name: MINIO_IDENTITY_OPENID_SCOPES
    value: "openid,email,profile"
  - name: MINIO_IDENTITY_OPENID_CONFIG_URL
    value: "https://accounts.google.com/.well-known/openid-configuration"
  - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
    value: email

说明：

• MINIO_IDENTITY_OPENID_REDIRECT_URI：回调URL
• MINIO_IDENTITY_OPENID_CONFIG_URL：直接配置成google openapi的配置URL即可
• MINIO_IDENTITY_OPENID_CLAIM_NAME：重点，(取open api返回的字段中内容)[https://developers.google.com/identity/protocols/oauth2/openid-connect]，来绑定默认策略(比如这里用的email)

4.创建默认策略

策略文件：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::test/**"
            ]
    ]
}        

创建策略

$ mc admin policy add test abc@test.com minio-acces-policy.json

5.打开Web界面，跳转到google auth，使用abc@test.com邮箱登陆，就会自动绑定上述策略。

6.总结

不足之处：

• 当开启google openid登陆后，默认的admin user就无法登陆了
• 因为google jwt返回的信息有限，导致默认策略只能以邮箱为单位，无法提前定义