
Configuring OIDC Authentication

Modify the contents of config.yaml to configure OIDC (OpenID Connect) authentication. OIDC is an authentication layer on top of the OAuth 2.0 protocol, which allows applications to verify the identity of users based on the authentication performed by an Authorization Server. This method is widely used to implement single sign-on for modern applications.

Configuration Details

Here is a step-by-step guide to configuring the OIDC settings in your config.yaml:

```yaml
oauth2:
  type: oidc  # (Required) Specifies the authentication type as OIDC
  oidcDisplayName: OIDC  # (Optional, default: OIDC) The name displayed on the login page
  admin: ""  # (Fill at least one of admin or adminGroups; default: empty) Admin usernames, separated by commas. Users listed here are considered administrators
  adminGroups: ""  # (Fill at least one of admin or adminGroups; default: empty) Admin groups, separated by commas. Users in these groups are considered administrators. Omit if group management is not used
  clientid: # (Required) OIDC client ID
  clientsecret: # (Required) OIDC client secret
  oidcIssuer: https://auth.example.com/realms/master  # (Required) The issuer URL of the OIDC provider, obtainable from your OIDC provider
  # oidcLogoutUrl: https://auth.example.com/realms/master/protocol/openid-connect/logout  # (Currently unusable due to a bug)
  # oidcRegisterUrl: # (Optional) Registration link provided by the OIDC provider
  oidcScopes: openid,profile,email  # (Optional, default: openid,profile,email) OIDC scopes requested, separated by commas
  oidcLoginClaim: sub  # (Optional, default: sub) The username field returned by OIDC, can be preferred_username, sub, or email
  oidcGroupsClaim: groups  # (Required if using adminGroups, default: groups) The user group information field returned by OIDC, can be groups or roles
  oidcAutoCreate: false  # (Optional, default: false) Whether to automatically create a user if they do not exist
  oidcAutoLogin: false  # (Optional, default: false) Whether to automatically redirect to the OIDC login page when the path is /login
```
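
A lint for the settings above, as an added example that is not the project's own code: it checks the required and at-least-one rules stated in the comments and flags two hardening points around `admin` and `oidcAutoCreate`. The function name `lint_oauth2` and the sample values are assumptions; the input is the mapping a YAML parser returns for the `oauth2` key, and the https-issuer and `openid`-scope checks come from the OpenID Connect specifications rather than from this page.

```python
from urllib.parse import urlparse

LOGIN_CLAIMS = {"sub", "preferred_username", "email"}  # values the page lists

def _csv(value):
    """Split a comma-separated setting into trimmed, non-empty items."""
    return [item.strip() for item in str(value or "").split(",") if item.strip()]

def lint_oauth2(cfg):
    """Return (errors, warnings) for a parsed oauth2 mapping (hypothetical helper)."""
    errors, warnings = [], []
    if cfg.get("type") != "oidc":
        errors.append("type must be 'oidc'")
    for key in ("clientid", "clientsecret", "oidcIssuer"):
        if not cfg.get(key):
            errors.append(f"{key} is required")
    issuer = urlparse(str(cfg.get("oidcIssuer") or ""))
    if cfg.get("oidcIssuer") and (issuer.scheme != "https" or not issuer.netloc):
        errors.append("oidcIssuer must be an https URL")  # OIDC Discovery rule
    admins, groups = _csv(cfg.get("admin")), _csv(cfg.get("adminGroups"))
    if not admins and not groups:
        errors.append("set at least one of admin or adminGroups")
    if "openid" not in _csv(cfg.get("oidcScopes", "openid,profile,email")):
        errors.append("oidcScopes must include 'openid'")  # OIDC Core rule
    claim = cfg.get("oidcLoginClaim") or "sub"
    if claim not in LOGIN_CLAIMS:
        errors.append(f"oidcLoginClaim '{claim}' is not one of {sorted(LOGIN_CLAIMS)}")
    elif admins and claim != "sub":
        # OIDC Core: only iss + sub is guaranteed stable and unique per user.
        warnings.append(f"admin list is matched on '{claim}', which a provider may let users change")
    if groups and "oidcGroupsClaim" in cfg and not cfg["oidcGroupsClaim"]:
        errors.append("oidcGroupsClaim is required when adminGroups is set")
    if cfg.get("oidcAutoCreate"):
        warnings.append("oidcAutoCreate creates an account for every user the provider authenticates")
    return errors, warnings

# Constructed sample: the dict a YAML parser would return for the oauth2 key.
SAMPLE = {
    "type": "oidc", "clientid": "dashboard", "clientsecret": None,
    "oidcIssuer": "http://auth.example.com/realms/master",
    "admin": "alice@example.com", "adminGroups": "",
    "oidcScopes": "profile,email", "oidcLoginClaim": "email",
    "oidcAutoCreate": True,
}

if __name__ == "__main__":
    errs, warns = lint_oauth2(SAMPLE)
    for line in [f"ERROR  {e}" for e in errs] + [f"WARN   {w}" for w in warns]:
        print(line)
```

Warnings are not misconfigurations: matching `admin` on `sub` and keeping `oidcAutoCreate: false` are simply the narrower choices among the options the page documents.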