mirror of https://github.com/open-metadata/OpenMetadata.git
synced 2025-10-25 07:42:40 +00:00
	 c51e0ca606
Co-authored-by: Rounak Dhillon <rounakdhillon@Rounaks-MacBook-Air.local>
Co-authored-by: Prajwal214 <167504578+Prajwal214@users.noreply.github.com>
			2.5 KiB
| title | slug | collate | 
|---|---|---|
| OIDC Based Authentication | /deployment/security/oidc | false | 
# Setting up Any OIDC Provider
{% important %}
Security requirements for your production environment:
- DELETE the default admin account shipped by OpenMetadata if you had Basic Authentication enabled before configuring authentication with Auth0 SSO.
- UPDATE the Private / Public keys used for the JWT Tokens. The keys we provide by default are aimed only at quickstart and testing purposes. They should NEVER be used in a production installation.
{% /important %}
This guide provides instructions on setting up OpenID Connect (OIDC) configuration for your application. OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol that allows clients to verify the identity of the end-user. The configuration below applies to any OIDC-compliant SSO provider, such as Google, Auth0, Okta, Keycloak, etc.
{% note %}
OpenMetadata sessions are currently stored in memory, which may cause issues when using OIDC authentication in a multi-replica setup.
- If you are experiencing authentication failures with "Missing state parameter" errors, enabling sticky sessions on your load balancer can serve as a temporary workaround.
{% /note %}
Below is the configuration to set up OIDC Authentication with a Confidential client type. Each value is read from the named environment variable, with the value after `:-` used as the default when the variable is unset:
```yaml
  authenticationConfiguration:
    clientType: ${AUTHENTICATION_CLIENT_TYPE:-confidential} # confidential clients authenticate with a client secret
    publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]} # localhost default is for quickstart only
    oidcConfiguration:
      id: ${OIDC_CLIENT_ID:-""}
      type: ${OIDC_TYPE:-""} # google, azure etc.
      secret: ${OIDC_CLIENT_SECRET:-""}
      scope: ${OIDC_SCOPE:-"openid email profile"}
      discoveryUri: ${OIDC_DISCOVERY_URI:-""} # the provider's OIDC discovery document URL
      useNonce: ${OIDC_USE_NONCE:-true}
      preferredJwsAlgorithm: ${OIDC_PREFERRED_JWS:-"RS256"}
      responseType: ${OIDC_RESPONSE_TYPE:-"code"}
      disablePkce: ${OIDC_DISABLE_PKCE:-true}
      callbackUrl: ${OIDC_CALLBACK:-"http://localhost:8585/callback"} # must match the redirect URI registered at the provider
      serverUrl: ${OIDC_SERVER_URL:-"http://localhost:8585"}
      clientAuthenticationMethod: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
      tenant: ${OIDC_TENANT:-""}
      maxClockSkew: ${OIDC_MAX_CLOCK_SKEW:-""}
      customParams: ${OIDC_CUSTOM_PARAMS:-}
```
For more information about these environment variables, see the environment variables documentation.
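As an added example (not OpenMetadata's own code), a small Python lint that resolves the `${VAR:-default}` placeholders from the block above the way the server's environment substitution does, then flags values that are fine for a quickstart but not for production. `SAMPLE_YAML` is a trimmed copy of the guide's block, and the `expand`, `parse_flat_yaml`, `lint` and `findings_for` functions and the findings they report are this example's own assumptions, not project behaviour.

```python
import re

# Same ${NAME:-default} placeholder syntax as the YAML block in the guide.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*):-(.*?)\}")
# Trimmed copy of the guide's block (constructed here; only the keys the lint inspects).
SAMPLE_YAML = """
clientType: ${AUTHENTICATION_CLIENT_TYPE:-confidential}
publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]}
secret: ${OIDC_CLIENT_SECRET:-""}
discoveryUri: ${OIDC_DISCOVERY_URI:-""}
useNonce: ${OIDC_USE_NONCE:-true}
preferredJwsAlgorithm: ${OIDC_PREFERRED_JWS:-"RS256"}
disablePkce: ${OIDC_DISABLE_PKCE:-true}
callbackUrl: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
serverUrl: ${OIDC_SERVER_URL:-"http://localhost:8585"}
"""

def expand(value, env):
    """Resolve each ${NAME:-default} from env (or the default), dropping surrounding quotes."""
    return PLACEHOLDER.sub(lambda m: env.get(m.group(1), m.group(2)).strip('"'), value)

def parse_flat_yaml(text, env):
    """Parse 'key: value' lines; the block is flat once indentation and comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()  # drop trailing comments such as '# google, azure etc.'
        if ":" in line:
            key, _, val = line.partition(":")  # first ':' separates key from value, URLs keep theirs
            cfg[key.strip()] = expand(val.strip(), env)
    return cfg

def lint(cfg):
    """Findings for values that are acceptable for quickstart but not for production."""
    out = []
    if cfg.get("clientType") == "confidential" and not cfg.get("secret"):
        out.append("secret: confidential client without OIDC_CLIENT_SECRET")
    if not cfg.get("discoveryUri"):
        out.append("discoveryUri: OIDC_DISCOVERY_URI not set")
    if cfg.get("preferredJwsAlgorithm", "").lower() in ("", "none"):
        out.append("preferredJwsAlgorithm: must name a signing algorithm such as RS256")
    if cfg.get("useNonce") != "true":
        out.append("useNonce: nonce validation off; ID tokens could be replayed")
    if cfg.get("disablePkce") == "true":
        out.append("disablePkce: PKCE off; set OIDC_DISABLE_PKCE=false where the provider supports it")
    for key in ("publicKeyUrls", "callbackUrl", "serverUrl"):
        val = cfg.get(key, "")
        if "localhost" in val or "http://" in val:  # quickstart default or unencrypted endpoint
            out.append(f"{key}: quickstart/plain-http value {val!r}")
    return out

def findings_for(env):
    """Lint the sample block as it would be resolved with the given environment variables."""
    return lint(parse_flat_yaml(SAMPLE_YAML, env))
```

Running `findings_for({})` reports the all-defaults quickstart block; pass a dictionary of the production environment variables to confirm it comes back empty.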