OpenID Connect
OIDC allows you to use an external authentication service (Authentik, Keycloak, etc.) for user and group authentication. It can be configured in Settings > Security. The following six settings are required to successfully set up OIDC. Ensure you use the correct values: incorrect values, or changing values on your authentication server later on, can lock you out of the service. In those cases, see "Getting locked out" below.
- well-known configuration endpoint: This is located at `/realms/{realm-name}/.well-known/openid-configuration` for Keycloak or `/application/o/{issuer}/.well-known/openid-configuration` for Authentik.
- username claim: The claim that should be used for usernames. The username has to be unique. NOTE: Any user logging in with the username of the root admin account will be root admin, no matter what group they're assigned.
- group claim: This is the claim that contains the group of each user. It should either be a string or a list of strings with one of the following case-insensitive values: `untrusted`, `trusted`, or `admin`. Any user without any groups is assigned the `untrusted` role.
- scope: The scopes required to get all the necessary information. The scope `openid` is almost always required. You need to add all required scopes so that the username and group claims are available.
- client id
- client secret
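To make the username and group claim rules above concrete, here is an added example (not the project's own code) that resolves a user's role from the claims in an ID token the way this page describes: the root admin's username always wins, the group claim may be a string or a list of strings, matching is case-insensitive, and a user with no recognised group is `untrusted`. The claim names, the root admin username, and the rule that the most privileged group wins when several are present are assumptions.

```python
from typing import Any, Mapping

# Ordered from least to most privileged, as listed on the page.
ROLES = ("untrusted", "trusted", "admin")

# Constructed placeholder: in practice this is whatever the root admin account is named.
ROOT_ADMIN_USERNAME = "root"


def resolve_role(
    claims: Mapping[str, Any],
    username_claim: str = "preferred_username",  # assumed claim name
    group_claim: str = "groups",                 # assumed claim name
    root_admin: str = ROOT_ADMIN_USERNAME,
) -> tuple[str, str]:
    """Return (username, role) for a decoded ID-token claim set."""
    username = claims.get(username_claim)
    if not isinstance(username, str) or not username:
        # Without a usable username claim the login cannot be mapped to an account.
        raise ValueError(f"username claim {username_claim!r} missing or not a string")

    # The root admin account is root admin regardless of any group claim.
    if username == root_admin:
        return username, "admin"

    raw = claims.get(group_claim)
    if raw is None:
        groups: list[str] = []                 # no groups -> untrusted
    elif isinstance(raw, str):
        groups = [raw]                         # a single string is allowed
    elif isinstance(raw, list) and all(isinstance(g, str) for g in raw):
        groups = raw                           # a list of strings is allowed
    else:
        raise ValueError(f"group claim {group_claim!r} must be a string or list of strings")

    # Case-insensitive match; values that are not one of the three roles are ignored.
    recognised = {g.strip().lower() for g in groups} & set(ROLES)
    if not recognised:
        return username, "untrusted"

    # Assumption: if several role groups are present, the most privileged one applies.
    return username, max(recognised, key=ROLES.index)
```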
In your auth server settings, make sure you allow redirecting to `/auth/oidc`. The OIDC login flow will redirect you there after you log in. Additionally, the access token expiry time from the authentication server will be used if provided. This might be fairly low by default.
Applying settings does not directly invalidate your current session. To test the OIDC settings, press the "log out" button to invalidate your current session.
Warning
An OIDC misconfiguration, e.g. changing a setting such as your client secret on your auth server, can cause you to be locked out. In these cases, you can head to `/login?backup=1`, where you can log in using your root admin credentials and correct the settings.