mirror of
https://github.com/open-metadata/OpenMetadata.git
synced 2025-10-24 07:14:48 +00:00
54 lines
2.6 KiB
Markdown
---
title: OIDC Based Authentication | Official Documentation
description: Enable OIDC-based authentication to unify identity providers using open standards, access tokens, and flexible integration patterns.
slug: /deployment/security/oidc
collate: false
---

# Setting up Any OIDC Provider

{%important%}

Security requirements for your **production** environment:

- **DELETE** the default admin account shipped by OM if you had [Basic Authentication](/deployment/security/basic-auth) enabled before configuring the authentication with Auth0 SSO.
- **UPDATE** the Private / Public keys used for the [JWT Tokens](/deployment/security/enable-jwt-tokens). The keys we provide by default are intended only for quickstart and testing purposes. They should NEVER be used in a production installation.

{%important%}

This guide provides instructions on setting up OpenID Connect (OIDC) configuration for your application. OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol that allows clients to verify the identity of the end-user.

The configuration below applies to any OIDC-compliant SSO provider, such as Google, Auth0, Okta, Keycloak, etc.

{% note %}

OpenMetadata sessions are currently stored **in-memory**, which may cause issues when using **OIDC authentication** in a multi-replica setup.

- If you are experiencing **authentication failures with "Missing state parameter" errors**, enabling **sticky sessions** can serve as a temporary workaround.

{% /note %}

Below is the configuration to set up OIDC Authentication with a Confidential Client type:

```yaml
authenticationConfiguration:
  clientType: ${AUTHENTICATION_CLIENT_TYPE:-confidential}
  publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]}
  oidcConfiguration:
    id: ${OIDC_CLIENT_ID:-""}
    type: ${OIDC_TYPE:-""} # google, azure etc.
    secret: ${OIDC_CLIENT_SECRET:-""}
    scope: ${OIDC_SCOPE:-"openid email profile"}
    discoveryUri: ${OIDC_DISCOVERY_URI:-""}
    useNonce: ${OIDC_USE_NONCE:-true}
    preferredJwsAlgorithm: ${OIDC_PREFERRED_JWS:-"RS256"}
    responseType: ${OIDC_RESPONSE_TYPE:-"code"}
    disablePkce: ${OIDC_DISABLE_PKCE:-true}
    callbackUrl: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
    serverUrl: ${OIDC_SERVER_URL:-"http://localhost:8585"}
    clientAuthenticationMethod: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
    tenant: ${OIDC_TENANT:-""}
    maxClockSkew: ${OIDC_MAX_CLOCK_SKEW:-""}
    customParams: ${OIDC_CUSTOM_PARAMS:-}
```

See [here](/deployment/security/configuration-parameters) for more information about these environment variables.
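Several of the shipped defaults in that block (`disablePkce: true`, empty client id, secret and discovery URI, plain-http callback and server URLs) are fine for a quickstart but not for production. The following Python check is an added example, not part of the original page or of OpenMetadata: it resolves the `${VAR:-default}` placeholders shell-style, flattens an excerpt of the block, and reports the settings that still need hardening; `PROD_ENV`, its hostnames and its secret value are hypothetical.

```python
import re

# Constructed input: an excerpt of the page's block, keeping OpenMetadata's ${VAR:-default} placeholders as shipped.
TEMPLATE = """\
authenticationConfiguration:
  clientType: ${AUTHENTICATION_CLIENT_TYPE:-confidential}
  oidcConfiguration:
    id: ${OIDC_CLIENT_ID:-""}
    secret: ${OIDC_CLIENT_SECRET:-""}
    discoveryUri: ${OIDC_DISCOVERY_URI:-""}
    useNonce: ${OIDC_USE_NONCE:-true}
    disablePkce: ${OIDC_DISABLE_PKCE:-true}
    callbackUrl: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
    serverUrl: ${OIDC_SERVER_URL:-"http://localhost:8585"}
"""
# Hypothetical production environment; hostnames and the secret are placeholders.
PROD_ENV = {"OIDC_CLIENT_ID": "om-prod", "OIDC_CLIENT_SECRET": "<from-secret-store>",
            "OIDC_DISCOVERY_URI": "https://idp.example.com/.well-known/openid-configuration",
            "OIDC_DISABLE_PKCE": "false", "OIDC_CALLBACK": "https://om.example.com/callback",
            "OIDC_SERVER_URL": "https://om.example.com"}

def expand(template, env):
    """Resolve ${NAME:-default} shell-style: an unset or empty NAME yields the default."""
    return re.sub(r"\$\{([A-Za-z0-9_]+):-([^}]*)\}",
                  lambda m: env.get(m.group(1)) or m.group(2), template)

def parse_flat(text):
    """Keys in this block are unique, so nesting is ignored: {key: value}, quotes and comments stripped."""
    cfg = {}
    for line in text.splitlines():
        key, _, val = line.split(" #", 1)[0].strip().partition(":")
        cfg[key] = val.strip().strip('"')
    return cfg

def audit(cfg):
    """Hardening findings for a confidential OIDC client; an empty list means clean."""
    findings = []
    if cfg.get("disablePkce", "").lower() == "true":
        findings.append("disablePkce: set OIDC_DISABLE_PKCE=false so the code exchange "
                        "is bound to the browser session that started the login")
    if cfg.get("useNonce", "").lower() != "true":
        findings.append("useNonce: keep OIDC_USE_NONCE=true so a replayed ID token is rejected")
    for key in ("id", "secret", "discoveryUri"):  # all empty in the shipped defaults
        if not cfg.get(key):
            findings.append(f"{key}: empty; a confidential client needs the provider's value")
    for key in ("discoveryUri", "callbackUrl", "serverUrl"):
        if cfg.get(key, "").startswith("http://"):
            findings.append(f"{key}: plain http; authorization codes and tokens would travel unencrypted")
    return findings
```

Running `audit(parse_flat(expand(TEMPLATE, {})))` against the untouched defaults yields six findings; with `PROD_ENV` applied the list is empty.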