OpenMetadata/openmetadata-docs/content/v1.6.x/deployment/security/oidc/index.md

---
title: OIDC Based Authentication
slug: /deployment/security/oidc
collate: false
---

# Setting up Any Oidc Provider
{%important%}

Security requirements for your **production** environment:
- **DELETE** the admin default account shipped by OM in case you had [Basic Authentication](/deployment/security/basic-auth)
  enabled before configuring the authentication with Auth0 SSO.
- **UPDATE** the Private / Public keys used for the [JWT Tokens](/deployment/security/enable-jwt-tokens). The keys we provide
  by default are aimed only for quickstart and testing purposes. They should NEVER be used in a production installation.

{%important%}

This guide provides instructions on setting up OpenID Connect (OIDC) configuration for your application. OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol that allows clients to verify the identity of the end-user.
Below configurations are universally applicable to all SSO provider like Google, Auth0, Okta, Keycloak, etc.

{% note %}

OpenMetadata sessions are currently stored **in-memory**, which may cause issues when using **OIDC authentication** in a multi-replica setup.

- If you are experiencing **authentication failures with "Missing state parameter" errors**, enabling **sticky sessions** can serve as a temporary workaround.

{% /note %}

Below are the configuration types to set up the OIDC Authentication with a Confidential Client type:

```yaml
  authenticationConfiguration:
    clientType: ${AUTHENTICATION_CLIENT_TYPE:-confidential}
    publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]}
    oidcConfiguration:
      id: ${OIDC_CLIENT_ID:-""}
      type: ${OIDC_TYPE:-""} # google, azure etc.
      secret: ${OIDC_CLIENT_SECRET:-""}
      scope: ${OIDC_SCOPE:-"openid email profile"}
      discoveryUri: ${OIDC_DISCOVERY_URI:-""}
      useNonce: ${OIDC_USE_NONCE:-true}
      preferredJwsAlgorithm: ${OIDC_PREFERRED_JWS:-"RS256"}
      responseType: ${OIDC_RESPONSE_TYPE:-"code"}
      disablePkce: ${OIDC_DISABLE_PKCE:-true}
      callbackUrl: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
      serverUrl: ${OIDC_SERVER_URL:-"http://localhost:8585"}
      clientAuthenticationMethod: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
      tenant: ${OIDC_TENANT:-""}
      maxClockSkew: ${OIDC_MAX_CLOCK_SKEW:-""}
      customParams: ${OIDC_CUSTOM_PARAMS:-}
```
Check the more information about environment variable [here](/deployment/security/configuration-parameters).
Doc: Adding OIDC Docs (#17139) Co-authored-by: Prajwal Pandit <prajwalpandit@Prajwals-MacBook-Air.local> 2024-07-23 13:08:59 +05:30			`---`
			`title: OIDC Based Authentication`
			`slug: /deployment/security/oidc`
DOCS - OSS deployment is flagged as Collate False (#17722) 2024-09-05 10:30:31 +02:00			`collate: false`
Doc: Adding OIDC Docs (#17139) Co-authored-by: Prajwal Pandit <prajwalpandit@Prajwals-MacBook-Air.local> 2024-07-23 13:08:59 +05:30			`---`

			`# Setting up Any Oidc Provider`
			`{%important%}`

			`Security requirements for your production environment:`
			`- DELETE the admin default account shipped by OM in case you had [Basic Authentication](/deployment/security/basic-auth)`
			`enabled before configuring the authentication with Auth0 SSO.`
			`- UPDATE the Private / Public keys used for the [JWT Tokens](/deployment/security/enable-jwt-tokens). The keys we provide`
			`by default are aimed only for quickstart and testing purposes. They should NEVER be used in a production installation.`

			`{%important%}`

			`This guide provides instructions on setting up OpenID Connect (OIDC) configuration for your application. OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol that allows clients to verify the identity of the end-user.`
			`Below configurations are universally applicable to all SSO provider like Google, Auth0, Okta, Keycloak, etc.`

Docs: Note Addition in OIDC (#20292) Co-authored-by: Rounak Dhillon <rounakdhillon@Rounaks-MacBook-Air.local> Co-authored-by: Prajwal214 <167504578+Prajwal214@users.noreply.github.com> 2025-03-17 14:36:01 +05:30			`{% note %}`

			`OpenMetadata sessions are currently stored in-memory, which may cause issues when using OIDC authentication in a multi-replica setup.`

			`- If you are experiencing authentication failures with "Missing state parameter" errors, enabling sticky sessions can serve as a temporary workaround.`

			`{% /note %}`

Doc: Adding OIDC Docs (#17139) Co-authored-by: Prajwal Pandit <prajwalpandit@Prajwals-MacBook-Air.local> 2024-07-23 13:08:59 +05:30			`Below are the configuration types to set up the OIDC Authentication with a Confidential Client type:`

			```yaml
			`authenticationConfiguration:`
			`clientType: ${AUTHENTICATION_CLIENT_TYPE:-confidential}`
			`publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]}`
			`oidcConfiguration:`
			`id: ${OIDC_CLIENT_ID:-""}`
			`type: ${OIDC_TYPE:-""} # google, azure etc.`
			`secret: ${OIDC_CLIENT_SECRET:-""}`
			`scope: ${OIDC_SCOPE:-"openid email profile"}`
			`discoveryUri: ${OIDC_DISCOVERY_URI:-""}`
			`useNonce: ${OIDC_USE_NONCE:-true}`
			`preferredJwsAlgorithm: ${OIDC_PREFERRED_JWS:-"RS256"}`
			`responseType: ${OIDC_RESPONSE_TYPE:-"code"}`
			`disablePkce: ${OIDC_DISABLE_PKCE:-true}`
			`callbackUrl: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}`
			`serverUrl: ${OIDC_SERVER_URL:-"http://localhost:8585"}`
			`clientAuthenticationMethod: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}`
			`tenant: ${OIDC_TENANT:-""}`
			`maxClockSkew: ${OIDC_MAX_CLOCK_SKEW:-""}`
			`customParams: ${OIDC_CUSTOM_PARAMS:-}`
			```
feat: Updated And Refactor Docs (#19211) * Updated Docs * Updated * updated image versions --------- Co-authored-by: Tarun <tarun.p@deuexsolutions.com> Co-authored-by: Prajwal214 <167504578+Prajwal214@users.noreply.github.com> 2025-01-03 18:10:07 +05:30			`Check the more information about environment variable [here](/deployment/security/configuration-parameters).`