diff --git a/modules/services/authentik.tf b/modules/services/authentik.tf
index 80ce95d..618f8e1 100644
--- a/modules/services/authentik.tf
+++ b/modules/services/authentik.tf
@@ -28,32 +28,6 @@ resource "authentik_user" "default" {
   email    = var.admin_email
 }
 
-resource "authentik_property_mapping_provider_scope" "minio" {
-  name       = "minio"
-  scope_name = "minio"
-  expression = <<EOF
-if ak_is_group_member(request.user, name="${authentik_group.minio_admins.name}"):
-  return {
-      "minio_policy": "consoleAdmin",
-}
-elif ak_is_group_member(request.user, name="${authentik_group.minio_users.name}"):
-  return {
-      "minio_policy": "readonly"
-}
-return None
-EOF
-}
-
-resource "authentik_group" "minio_admins" {
-  name         = "Minio admins"
-  users        = [authentik_user.default.id]
-}
-
-resource "authentik_group" "minio_users" {
-  name         = "Minio users"
-  users        = []
-}
-
 resource "authentik_group" "grafana_grafana_admins" {
   name    = "Grafana GrafanaAdmins"
   users   = [authentik_user.default.id]
@@ -83,10 +57,7 @@ resource "authentik_provider_oauth2" "service_providers" {
       matching_mode = "strict",
       url           = redir,
   }]
-  property_mappings  = flatten([
-      data.authentik_property_mapping_provider_scope.default_scopes.ids,
-      each.key == "minio" ? [authentik_property_mapping_provider_scope.minio.id] : []
-  ])
+  property_mappings  = data.authentik_property_mapping_provider_scope.default_scopes.ids
   signing_key        = (each.value.auth_cert == "rsa" ?
       data.authentik_certificate_key_pair.rsa.id :
       data.authentik_certificate_key_pair.ecdsa.id)
diff --git a/playbooks/roles/minio/vars/main.yml b/playbooks/roles/minio/vars/main.yml
index dca102b..1dc540c 100644
--- a/playbooks/roles/minio/vars/main.yml
+++ b/playbooks/roles/minio/vars/main.yml
@@ -20,13 +20,6 @@ minio_env:
   MINIO_ROOT_USER: "{{ vault_minio.user }}"
   MINIO_ROOT_PASSWORD: "{{ vault_minio.pass }}"
 
-  MINIO_IDENTITY_OPENID_CONFIG_URL: "{{ (opentofu.authentik_data.minio.base_url, '.well-known/openid-configuration') | path_join }}"
-  MINIO_IDENTITY_OPENID_CLIENT_ID: "{{ opentofu.authentik_data.minio.client_id }}"
-  MINIO_IDENTITY_OPENID_CLIENT_SECRET: "{{ opentofu.authentik_data.minio.client_secret }}"
-  MINIO_IDENTITY_OPENID_CLAIM_NAME: minio_policy
-  MINIO_IDENTITY_OPENID_DISPLAY_NAME: auth.serguzim.me
-  MINIO_IDENTITY_OPENID_SCOPES: openid,email,profile,minio
-
 
 minio_compose:
   watchtower: update
diff --git a/services.auto.tfvars b/services.auto.tfvars
index ccc7526..31914b3 100644
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@@ -497,7 +497,7 @@ services = {
       url = "/minio/health/live"
       group = "7-support"
     }
-    auth = true
+    auth = false
     auth_redirects = ["https://console.s3.serguzim.me/oauth_callback"]
     database = false
   },
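Review bot: `auth_redirects` still lists `https://console.s3.serguzim.me/oauth_callback` on the line after `auth = false`, so this entry keeps a callback URL for the OIDC login that the rest of the commit removes. If the services module skips provider creation when `auth` is false (not visible in this hunk), the list is dead configuration and is better written as `auth_redirects = []`; if the module still reads it, an authentik provider with that redirect may stay registered and should be confirmed gone after apply. With the `MINIO_IDENTITY_OPENID_*` variables deleted, console access presumably falls back to MinIO-local accounts, including the `MINIO_ROOT_USER` credentials kept in `playbooks/roles/minio/vars/main.yml`. A comment such as `# SSO disabled: console login uses MinIO-local accounts, not authentik` above `auth = false` would record that this is intentional. The enclosing `services` entry starts and ends outside the hunk.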
diff --git a/shell.nix b/shell.nix
index 77b4051..911432f 100644
--- a/shell.nix
+++ b/shell.nix
@@ -5,6 +5,7 @@ mkShell {
 		ansible-lint
 		d2
 		dnscontrol
+		minio-client
 		opentofu
 		python3Packages.jinja2
 		python3Packages.bc-python-hcl2