• English

      • Auth: OIDC

      Auth: OIDCProfessional Edition+

      Introduction

      The Auth: OIDC plugin follows the OIDC (Open ConnectID) protocol standard, using the Authorization Code Flow, to allow users to sign in to NocoBase using accounts provided by third-party identity authentication service providers (IdP).

      Activate Plugin

      Add OIDC Authentication

      Enter the user authentication plugin management page.

      Add - OIDC

      Configuration

      Basic Configuration

      ConfigurationDescriptionVersion
      Sign up automatically when the user does not existWhether to automatically create a new user if no matching existing user is found.-
      IssuerThe issuer provided by the IdP, usually ending with /.well-known/openid-configuration.-
      Client IDThe Client ID-
      Client SecretThe Client Secret-
      scopeOptional, defaults to openid email profile.-
      id_token signed response algorithmThe signing algorithm for id_token, defaults to RS256.-
      Enable RP-initiated logoutEnables RP-initiated logout. Logs out the IdP session when the user logs out. The IdP logout callback should use the Post logout redirect URL provided in Usage.v1.3.44-beta

      Field Mapping

      ConfigurationDescription
      Field MapField mapping. NocoBase supports mapping fields such as nickname, email, and phone number. The default nickname uses openid.
      Use this field to bind the userUsed to match and bind with existing users. You can choose email or username, with email as the default. The IdP must provide email or username information.

      Advanced Configuration

      ConfigurationDescriptionVersion
      HTTPWhether the NocoBase callback URL uses HTTP protocol, default is https.-
      PortPort for the NocoBase callback URL, defaults to 443/80.-
      State tokenUsed to verify the request source and prevent CSRF attacks. You can provide a fixed value, but leaving it blank to generate random values by default is strongly recommended. If you use a fixed value, carefully evaluate your environment and security risks.-
      Pass parameters in the authorization code grant exchangeSome IdPs may require passing Client ID or Client Secret as parameters when exchanging a code for a token. You can select this option and specify the corresponding parameter names.-
      Method to call the user info endpointThe HTTP method used when requesting the user info API.-
      Where to put the access token when calling the user info endpointHow the access token is passed when calling the user info API:
      - Header - In the request header (default).
      - Body - In the request body, used with POST method.
      - Query parameters - As query parameters, used with GET method.      		-
      Skip SSL verificationSkip SSL verification when requesting the IdP API. This option exposes your system to risks of man-in-the-middle attacks. Only enable this option if you understand its purpose and implications. It is strongly discouraged in production environments.v1.3.40-beta

      Usage

      ConfigurationDescription
      Redirect URLUsed to configure the callback URL in the IdP.
      Post logout redirect URLUsed to configure the Post logout redirect URL in the IdP when RP-initiated logout is enabled.
      Info

      When testing locally, use 127.0.0.1 instead of localhost for the URL, as OIDC login requires writing state to the client cookie for security validation. If you see a flash of the login window but fail to log in successfully, check the server logs for state mismatch issues and ensure the state parameter is included in the request cookie. This issue often occurs when the state in the client cookie does not match the state in the request.

      Login

      Visit the login page and click the button below the login form to initiate third-party login.