OpenID Connect (OIDC)
OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. Bytebase supports using OIDC for configuring Single Sign-On (SSO).
Configuration
info
- Please make sure the `--external-url` is configured correctly for the Bytebase instance. If you start Bytebase with `--external-url https://bytebase.example.com`, then your application redirect URL should be `https://bytebase.example.com/oidc/callback`.
- If you're unsure about the Issuer of your IdP, you can always use the OpenID Connect Discovery endpoint to find the correct value, e.g. `https://acme.okta.com/.well-known/openid-configuration`.
Basic information:
- Name: the display name shown to your users (e.g. "Google" will be shown as "Sign in with Google")
- Resource ID: a human-readable unique string; only lower-case letters and hyphens are allowed (e.g. "google")
- Domain: the domain name to scope associated users (e.g. "google.com")
Identity provider information:
- Issuer: the issuer of the response (e.g. "https://accounts.google.com")
- Client ID: the client ID of your application
- Client secret: the client secret of your application
User information field mapping:
- Identifier: the claims field to be used as the Bytebase user identifier (e.g. "username")
- Display name: the claims field to be used as the Bytebase user display name (e.g. "name", optional)
- Email: the claims field to be used as the Bytebase user email address (e.g. "email", optional)
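The field mapping above is applied to the claims the IdP returns in the ID token or UserInfo response. The following added example (not Bytebase code) shows that mapping in isolation: the identifier claim is required, display name and email are optional, and two checks a defender would want are layered on top. The `email_verified` check uses the standard OIDC claim; the domain check is an assumed policy (the email's host part must equal the configured Domain) that illustrates the "scope associated users" idea and need not match Bytebase's exact semantics. The claims dictionary is constructed sample data.

```python
"""Added example (not Bytebase code): apply a Bytebase-style
"User information field mapping" to OIDC claims."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FieldMapping:
    identifier: str                      # required claim, e.g. "email" or "preferred_username"
    display_name: Optional[str] = None   # optional claim, e.g. "name"
    email: Optional[str] = None          # optional claim, e.g. "email"


@dataclass(frozen=True)
class MappedUser:
    identifier: str
    display_name: Optional[str]
    email: Optional[str]


class MappingError(ValueError):
    """Raised when the claims cannot be mapped to a user safely."""


def _string_claim(claims: dict, name: Optional[str]) -> Optional[str]:
    """Return the claim as a non-empty string, or None if absent/empty/not a string."""
    if not name:
        return None
    value = claims.get(name)
    return value if isinstance(value, str) and value else None


def map_claims(claims: dict, mapping: FieldMapping, domain: Optional[str] = None) -> MappedUser:
    """Map raw claims to a user record using the configured field names."""
    ident = _string_claim(claims, mapping.identifier)
    if ident is None:
        raise MappingError(f"claim {mapping.identifier!r} is missing or empty; cannot identify the user")

    email = _string_claim(claims, mapping.email)

    # Hardening: if the email claim feeds the identifier or email field, refuse
    # an email the IdP explicitly marks as unverified (standard OIDC claim).
    if "email" in (mapping.identifier, mapping.email) and claims.get("email_verified") is False:
        raise MappingError("IdP reports email_verified=false; refusing to map an unverified email")

    # Assumed domain-scoping policy (illustrative): the email's host part must
    # equal the configured Domain, compared case-insensitively.
    if domain and email is not None:
        if "@" not in email or email.rsplit("@", 1)[1].lower() != domain.lower():
            raise MappingError(f"email {email!r} is outside the configured domain {domain!r}")

    return MappedUser(ident, _string_claim(claims, mapping.display_name), email)


# Constructed sample claims, shaped like a Google ID token payload.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "110169484474386276334",
    "email": "alice@google.com",
    "email_verified": True,
    "name": "Alice Example",
}

# The Google mapping from the example below: Identifier=email, Display name=name, Email=email.
GOOGLE_MAPPING = FieldMapping(identifier="email", display_name="name", email="email")

if __name__ == "__main__":
    print(map_claims(SAMPLE_CLAIMS, GOOGLE_MAPPING, domain="google.com"))
```

Running the module prints the mapped user; the two `MappingError` paths are what you would log and surface in an SSO sign-in audit trail rather than silently creating an account.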
Google
- Follow the Google OpenID Connect documentation to create a new OAuth client ID with "Web application" as the Application type.
  - Configure the Authorized redirect URIs to be `{EXTERNAL_URL}/oidc/callback`.
- In Bytebase, go to Settings > SSO to create a new OIDC provider (all values are examples):
  - Name: `Google`
  - Resource ID: `google`
  - Domain: `google.com`
  - Issuer: `https://accounts.google.com`
  - Client ID: the client ID of your application
  - Client secret: the client secret of your application
  - Identifier: `email`
  - Display name: `name`
  - Email: `email`
GitLab
- Follow the GitLab documentation on configuring GitLab as an OAuth 2.0 authentication identity provider to create a new OAuth application:
  - Configure the Scopes to include `openid`, `profile` and `email`.
  - Configure the Redirect URI to be `{EXTERNAL_URL}/oidc/callback`.
- In Bytebase, go to Settings > SSO to create a new OIDC provider (all values are examples):
  - Name: `GitLab`
  - Resource ID: `gitlab`
  - Domain: `gitlab.acme.com`
  - Issuer: `https://gitlab.acme.com`
  - Client ID: the application ID of your application
  - Client secret: the secret of your application
  - Identifier: `nickname`
  - Display name: `name`
  - Email: `email`
info
In some GitLab self-hosted setups, the Issuer is `http://gitlab.acme.com` (HTTP) instead of `https://gitlab.acme.com` (HTTPS), despite the latter being the URL used to access the instance.
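The Configuration note above recommends the Discovery endpoint for finding the Issuer, and the GitLab note shows why the exact value matters: OpenID Connect Discovery requires the `issuer` field of the discovery document to match the configured Issuer string exactly, scheme and trailing slash included, so an HTTP issuer entered as HTTPS fails validation. The following added example (not Bytebase code) derives the redirect URL from `--external-url`, builds the discovery URL, and compares a configured Issuer against a discovery document. `fetch_discovery` does a live lookup; the offline check runs against a constructed sample document that imitates a self-hosted GitLab advertising an `http://` issuer. The `REDIRECT_PATH` constant reproduces the `/oidc/callback` path stated on this page.

```python
"""Added example (not Bytebase code): sanity-check the Issuer and redirect URL
before entering them in Bytebase's SSO settings."""
import json
import urllib.request
from typing import List
from urllib.parse import urlsplit

REDIRECT_PATH = "/oidc/callback"          # path stated on this page


def redirect_url(external_url: str) -> str:
    """Redirect URL Bytebase serves for the given --external-url value."""
    return external_url.rstrip("/") + REDIRECT_PATH


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery location for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Fetch the live discovery document (network access; not used by the offline sample)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def check_issuer(configured_issuer: str, discovery_doc: dict) -> List[str]:
    """Return a list of problems; an empty list means the Issuer is consistent with the IdP."""
    problems: List[str] = []
    issuer = discovery_doc.get("issuer")
    if not isinstance(issuer, str):
        problems.append("discovery document has no 'issuer' field")
        return problems
    if issuer != configured_issuer:
        # Discovery mandates an exact string comparison, not a normalized one.
        problems.append(f"issuer mismatch: IdP advertises {issuer!r}, configured {configured_issuer!r}")
        if urlsplit(issuer).scheme == "http" and urlsplit(configured_issuer).scheme == "https":
            problems.append("IdP advertises an http:// issuer; enter it exactly as advertised "
                            "and correct the IdP's external URL if you can")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in discovery_doc:
            problems.append(f"discovery document lacks {key!r}")
    algs = discovery_doc.get("id_token_signing_alg_values_supported", [])
    if algs and "RS256" not in algs:
        problems.append("IdP does not list RS256 among id_token signing algorithms")
    return problems


# Constructed sample discovery document: a self-hosted GitLab whose issuer is
# advertised over http:// even though the instance is reached over https://.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "http://gitlab.acme.com",
  "authorization_endpoint": "https://gitlab.acme.com/oauth/authorize",
  "token_endpoint": "https://gitlab.acme.com/oauth/token",
  "jwks_uri": "https://gitlab.acme.com/oauth/discovery/keys",
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

if __name__ == "__main__":
    print("redirect URL:", redirect_url("https://bytebase.example.com"))
    print("discovery URL:", discovery_url("https://acme.okta.com"))
    for problem in check_issuer("https://gitlab.acme.com", SAMPLE_DISCOVERY):
        print("-", problem)
```

For a live check, replace `SAMPLE_DISCOVERY` with `fetch_discovery(issuer)`; the Okta, Keycloak and Authing issuers listed on this page can all be verified the same way.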
Okta
- Follow the Okta create OIDC app integrations documentation to create a new OIDC app integration with "Web Application" as the Application type.
  - Configure the Sign-in redirect URIs to be `{EXTERNAL_URL}/oidc/callback`.
  - Configure the Assignments > Controlled access to be Allow everyone in your organization to access.
- In Bytebase, go to Settings > SSO to create a new OIDC provider (all values are examples):
  - Name: `Okta`
  - Resource ID: `okta`
  - Domain: `acme.okta.com`
  - Issuer: `https://acme.okta.com`
  - Client ID: the client ID of your application
  - Client secret: the client secret of your application
  - Identifier: `preferred_username`
  - Display name: `name`
  - Email: `email`
Keycloak
- Follow the Keycloak create OIDC provider documentation to create a new "OpenID Connect" client.
  - Configure the Client ID to be `bytebase`.
  - Configure the Valid redirect URIs to be `{EXTERNAL_URL}/oidc/callback`.
  - Turn on Capability config > Client authentication so that the Credentials tab becomes available (it generates and displays the client secret).
    - In some older versions, configure Access Type to "confidential" instead.
- In Bytebase, go to Settings > SSO to create a new OIDC provider (all values are examples):
  - Name: `Keycloak`
  - Resource ID: `keycloak`
  - Domain: `keycloak.acme.com`
  - Issuer: `https://keycloak.acme.com/auth/realms/master`
  - Client ID: `bytebase`
  - Client secret: the client secret of your application
  - Identifier: `preferred_username`
  - Display name: `name`
  - Email: `email`
Casdoor
- Follow the Casdoor documentation to create a new application.
  - Configure the Client ID and Client secret to be `bytebase`.
  - Configure the Valid redirect URIs to be `{EXTERNAL_URL}/oidc/callback`.
- In Bytebase, go to Settings > SSO to create a new OIDC provider (all values are examples):
  - Name: `Casdoor`
  - Resource ID: `casdoor`
  - Domain: `<your casdoor host>`
  - Issuer: `<your casdoor host>`
  - Client ID: the client ID of your application
  - Client secret: the client secret of your application
  - Identifier: `preferred_username`
  - Display name: `name`
  - Email: `email`
Authing
- Follow the Authing documentation on creating a self-built application (创建自建应用) to create a new "Standard Web Application" (标准 Web 应用) as a self-built application (自建应用).
  - In Application configuration (应用配置), configure the Login callback URL (登录回调 URL) to be `{EXTERNAL_URL}/oidc/callback`.
  - In Protocol configuration (协议配置), configure the id_token signing algorithm (id_token 签名算法) to be `RS256`.
- In Bytebase, go to Settings > SSO to create a new OIDC provider (all values are examples):
  - Name: `Authing`
  - Resource ID: `authing`
  - Domain: `acme.authing.cn`
  - Issuer: `https://acme.authing.cn/oidc`
  - Client ID: the app ID of your application
  - Client secret: the app secret of your application
  - Identifier: `username`
  - Display name: `name`
  - Email: `email`