Use OpenID Connect (OIDC) to authenticate users with a centralized identity provider.
Prerequisites:
- OIDC-compatible IdP (for example Keycloak, Entra ID, Authentik, Google)
- Public URL for Infram
- Registered OIDC client/application in your IdP
- Redirect URI configured in IdP and Infram
Configure in Settings -> Authentication -> Add OIDC Provider:
- name
- issuer (must match IdP metadata exactly)
- clientId
- clientSecret (if confidential client)
- redirectUri
- scope (default: openid profile)
Recommended baseline scope:
openid profile email
Use the callback endpoint exposed by Infram:
https://<infram-host>/api/auth/oidc/callback
Warning: Redirect URI mismatch is the most common cause of failed OIDC sign-in.
Default mappings:
| Infram Field | OIDC Claim |
|---|---|
| Username | preferred_username |
| First Name | given_name |
| Last Name | family_name |
Adjust usernameAttribute, firstNameAttribute, and lastNameAttribute if your IdP uses non-standard claim names.
Common issuer formats:
- Entra ID issuer: https://login.microsoftonline.com/<tenant-id>/v2.0
- Google issuer: https://accounts.google.com
- Keycloak issuer: https://<host>/realms/<realm>
- Authentik issuer: https://<host>/application/o/<slug>/
Always verify the issuer and endpoints through:
<issuer>/.well-known/openid-configuration
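A preflight check for the issuer and redirect URI rules above, written as an added example (not Infram's own code): it compares a provider configuration, using the field names from the settings form, against the IdP's discovery document. The sample metadata and hosts below are constructed; in practice the discovery document is the JSON served at <issuer>/.well-known/openid-configuration.

```python
from urllib.parse import urlparse

CALLBACK_PATH = "/api/auth/oidc/callback"  # Infram's callback endpoint, as documented above
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_oidc_provider(cfg: dict, discovery: dict) -> list:
    """Return the problems found in an Infram OIDC provider config (empty list = passed).
    cfg keys follow the settings form: issuer, clientId, clientSecret, redirectUri, scope."""
    problems = []
    # The issuer must equal the advertised value byte for byte; a trailing slash counts as a mismatch.
    if cfg.get("issuer") != discovery.get("issuer"):
        problems.append(f"issuer mismatch: configured {cfg.get('issuer')!r}, metadata {discovery.get('issuer')!r}")
    # The authorization code flow needs these endpoints, and each must be served over HTTPS.
    for key in REQUIRED_ENDPOINTS:
        url = discovery.get(key, "")
        if not url:
            problems.append(f"discovery document lacks {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not HTTPS: {url}")
    # Redirect URI: HTTPS, exactly the documented callback path, nothing appended.
    r = urlparse(cfg.get("redirectUri", ""))
    if r.scheme != "https":
        problems.append("redirectUri must use https")
    if r.path != CALLBACK_PATH or r.query or r.fragment:
        problems.append(f"redirectUri path must be exactly {CALLBACK_PATH}")
    # openid is mandatory; profile and email carry the claims the default mappings read.
    scopes = set(cfg.get("scope", "").split())
    problems += [f"scope lacks {s}" for s in ("openid", "profile", "email") if s not in scopes]
    if not cfg.get("clientSecret"):
        problems.append("no clientSecret: acceptable only if the IdP client is registered as public")
    return problems


# Constructed sample: Authentik-style metadata and a config typed without the trailing slash.
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example.test/application/o/infram/",
    "authorization_endpoint": "https://sso.example.test/application/o/authorize/",
    "token_endpoint": "https://sso.example.test/application/o/token/",
    "jwks_uri": "https://sso.example.test/application/o/infram/jwks/",
}
SAMPLE_CONFIG = {
    "issuer": "https://sso.example.test/application/o/infram",
    "clientId": "infram", "clientSecret": "placeholder-secret",
    "redirectUri": "https://infram.example.test/api/auth/oidc/callback",
    "scope": "openid profile",
}
```

Running the check on the sample reports the trailing-slash issuer mismatch and the missing email scope; fix both and it returns an empty list.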
Verify the setup:
- Save provider configuration.
- Enable provider.
- Confirm login page displays provider button.
- Complete login flow and return to Infram.
- Verify mapped user profile fields after first login.
Security recommendations:
- Keep Infram behind HTTPS when using OIDC.
- Use confidential clients where supported.
- Restrict client redirect URIs to exact production URLs.
- Rotate client secrets according to security policy.
Troubleshooting:
- Issuer mismatch: use the exact issuer from metadata.
- Callback error: check redirect URI and proxy forwarding.
- Missing username/name fields: adjust scope and claim mapping.
- Login loop: verify system clock synchronization on both IdP and Infram hosts.