MinIO uses the OAuth 2.0 Implicit flow to authenticate with OpenID Connect

Minio’s web application is a single page application.

As far as I can tell it is frontend only and works like a single page application.

That is why, when setting up the client for MinIO on Keycloak, we set implicit flow to True.

In that case there is no authorization code – and no client secret.
After auth, the access token is sent to MinIO on the front channel. I still need to verify that this happens in the query string.
Implicit flow was designed for frontend-only single page applications, and hence no back channel request can be made.

The client does not go through the extra back channel step of exchanging the authorization code for the access token by authenticating with the client id.
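
Added example (not code from MinIO or Keycloak): a small JavaScript check that reports whether a redirect back from the identity provider carried its token in the URL fragment or the query string, and whether it was an implicit or authorization code response. The host name, path, state and token values are constructed.

```javascript
// Added example, not MinIO or Keycloak code. All URLs and tokens are constructed.
function parseAuthResponse(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  const query = url.searchParams;
  // The fragment (after '#') stays in the browser; it is not sent in the HTTP request.
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const hasToken = (p) => p.has("access_token") || p.has("id_token");

  let channel = "none";
  if (hasToken(fragment)) channel = "fragment";
  else if (hasToken(query)) channel = "query";
  const params = channel === "query" ? query : fragment;
  const hasCode = query.has("code") || fragment.has("code");

  // Token without code: implicit. Token plus code: hybrid. Code only: code flow.
  let flow = "unknown";
  if (channel !== "none") flow = hasCode ? "hybrid" : "implicit";
  else if (hasCode) flow = "authorization_code";

  const warnings = [];
  if (channel === "query") {
    warnings.push("token in query string: visible to the server, logs and Referer");
  }
  // state ties the response to the request this page started.
  const stateSource = channel === "none" && query.has("state") ? query : params;
  const stateOk = stateSource.get("state") === expectedState;
  if (!stateOk) warnings.push("state mismatch: discard this response");

  return {
    flow,
    channel,
    stateOk,
    // Only hand the token to the application when state matched.
    accessToken: stateOk ? params.get("access_token") : null,
    warnings,
  };
}

// Constructed sample redirects for a hypothetical client at minio.example.test
const implicitRedirect =
  "https://minio.example.test/callback#access_token=SAMPLE.TOKEN.VALUE" +
  "&token_type=Bearer&expires_in=300&state=abc123";
const codeRedirect =
  "https://minio.example.test/callback?code=SAMPLE_CODE&state=abc123";

console.log(parseAuthResponse(implicitRedirect, "abc123"));
console.log(parseAuthResponse(codeRedirect, "abc123"));
```

Pasting the redirect URL captured from the browser's address bar or network tab into `parseAuthResponse` shows which channel carried the token in a given deployment.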