OPA is a lightweight general-purpose policy engine that can be co-located with MinIO server, in this document we talk about how to use OPA HTTP API to authorize requests. It can be used with any type of credentials (STS based like OpenID or LDAP, regular IAM users or service accounts).

OPA is enabled through MinIO's Access Management Plugin feature.

## Get started

### 1. Start OPA in a container

```sh
podman run -it \
    --name opa \

name: Test

on:
  push:
    branches:
      - master
  pull_request:
    types:
      - opened
      - synchronize
  schedule:
    # cron every week on monday
    - cron: "0 0 * * 1"

env:
  UV_SYSTEM_PYTHON: 1

jobs:
  test:
    strategy:
      matrix:
        os: [ windows-latest, macos-latest ]
        python-version: [ "3.14" ]
        include:
          - os: ubuntu-latest

      TestCharSource okSource = new TestCharSource(STRING);
      assertThrows(IOException.class, () -> okSource.copyTo(new TestCharSink(option)));
      // ensure reader was closed IF it was opened (depends on implementation whether or not it's
      // opened at all if sink.newWriter() throws).
      assertTrue(
          "stream not closed when copying to sink with option: " + option,

# The base path of dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to dex. If a
# path is provided, dex's HTTP service will listen at a non-root URL.
issuer: http://127.0.0.1:5556/dex

# The storage configuration determines where dex stores its state. Supported
# options include SQL flavors and Kubernetes third party resources.
#

import jcifs.Configuration;
import jcifs.internal.smb1.ServerMessageBlock;
import jcifs.internal.util.SMBUtil;

/**
 * SMB1 Find Close2 request message.
 *
 * This command is used to close a search handle that was
 * opened by a Trans2 Find First2 request.
 */
public class SmbComFindClose2 extends ServerMessageBlock {

    private final int sid;

    /**
     * Creates a new SMB1 find close request to close a search handle.
     *

// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package openid

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
)

// JWKS - https://tools.ietf.org/html/rfc7517

import jcifs.internal.smb1.ServerMessageBlock;
import jcifs.internal.util.SMBUtil;

/**
 * SMB1 Close file request message.
 *
 * This command is used to close a file that was previously opened
 * with an Open command.
 */
public class SmbComClose extends ServerMessageBlock implements Request<SmbComBlankResponse> {

    private static final Logger log = LoggerFactory.getLogger(SmbComClose.class);

name: Build Docs
on:
  push:
    branches:
      - master
  pull_request:
    types:
      - opened
      - synchronize

env:
  UV_SYSTEM_PYTHON: 1

jobs:
  changes:
    runs-on: ubuntu-latest
    # Required permissions
    permissions:
      pull-requests: read
    # Set job outputs to values from filter step
    outputs:
      docs: ${{ steps.filter.outputs.docs }}
    steps:
    - uses: actions/checkout@v6

import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;

import jakarta.annotation.PostConstruct;

    /**
     * Get the next set of changes
     *
     * Will block until the server returns a set of changes that match the given filter. The file will be automatically
     * opened if it is not and should be closed with {@link #close()} when no longer
     * needed.
     *
     * Closing the context should cancel a pending notify request, but that does not seem to work reliable in all