extern/zrok
1
1
Fork 0
mirror of https://github.com/openziti/zrok.git synced 2025-08-18 19:58:28 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
zrok/docs/guides/self-hosting/oauth/integrations/oidc.md
Michael Quigley 9363cb5d21 docs (#968)
2025-08-04 15:56:45 -04:00

82 lines
2.3 KiB
Markdown
Raw Permalink Blame History

---
sidebar_position: 30
---
# Generic OIDC Setup
This guide covers setting up OpenID Connect (OIDC) providers for your zrok public frontend. OIDC is supported by many identity providers including Keycloak, Auth0, Okta, Azure AD, and others.
## Provider Requirements
Your OIDC provider must support:
- Authorization Code flow
- Discovery endpoint (optional but recommended)
- PKCE (Proof Key for Code Exchange) - optional but recommended for security
## Configure OIDC Provider
1. Create a new OAuth/OIDC client in your provider's admin interface
2. Set the **redirect URI** to: `https://your-oauth-frontend-domain:port/<provider-name>/auth/callback`
3. Configure required scopes: `openid`, `email`, `profile`
4. Note the **client ID**, **client secret**, and **issuer URL**
## Frontend Configuration
Add the OIDC provider to your `frontend.yml`:
```yaml
oauth:
providers:
- name: "my-oidc-provider"
type: "oidc"
client_id: "<your-oidc-client-id>"
client_secret: "<your-oidc-client-secret>"
scopes: ["openid", "email", "profile"]
issuer: "https://your-oidc-provider.com"
supports_pkce: true # recommended for security
```
### Configuration Options
- **`name`**: Unique identifier for this provider (used in share commands)
- **`type`**: Must be `"oidc"` for OpenID Connect providers
- **`client_id`** and **`client_secret`**: OAuth client credentials from your provider
- **`scopes`**: OAuth scopes to request (typically `["openid", "email", "profile"]`)
- **`issuer`**: The OIDC issuer URL (used for auto-discovery)
- **`discovery_url`**: Optional explicit discovery endpoint URL (if not using issuer auto-discovery)
- **`supports_pkce`**: Whether the provider supports PKCE (recommended: `true`)
## Common OIDC Providers
### Keycloak
```yaml
issuer: "https://your-keycloak.com/realms/your-realm"
```
### Auth0
```yaml
issuer: "https://your-domain.auth0.com/"
```
### Azure AD
```yaml
issuer: "https://login.microsoftonline.com/<tenant-id>/v2.0"
```
### Okta
```yaml
issuer: "https://your-domain.okta.com/oauth2/default"
```
## Redirect URL Format
For OIDC providers, the redirect URL should use your configured provider name:
```
https://your-oauth-frontend-domain:port/<provider-name>/auth/callback
```
For example, with the provider name `"my-oidc-provider"`:
```
https://your-oauth-frontend-domain:port/my-oidc-provider/auth/callback
```
Reference in New Issue View Git Blame Copy Permalink