Authorization
The server delegates authentication to an external OpenID Connect (OIDC) provider and uses an organization-based model for access control.
How Access Works
- How users and orgs map to your IDP.
- Resource access modes and roles.
- What permission errors mean and how to resolve them.
OIDC Requirements
The server discovers the provider's endpoints (authorization, token, JWKS) automatically by fetching the OIDC discovery document at `<issuer>/.well-known/openid-configuration`, where `<issuer>` is the configured issuer URL, so the issuer must be exactly the value the provider reports in its `iss` claim.
Scopes
| Scope | Purpose |
|---|---|
| openid | Standard OIDC authentication |
| profile | User profile information |
| email | User email address |
| offline_access | Refresh token support |
Claims
| Claim | Required | Purpose |
|---|---|---|
| sub | Yes | Unique, stable user identifier |
| email | No | User email address |
| aud | No | If present, must equal (or, when it is an array, contain) the configured client_id |
Client Configuration
- Client type: Public (no client secret). Because a public client cannot keep a secret, the authorization code exchange should be protected with PKCE (RFC 7636).
- Flow: Authorization Code
- Protocol mappers (Keycloak terminology; other providers call these claim mappings): email, audience, roles/groups
Server Configuration
| Variable | Description | Example |
|---|---|---|
| AUTH__ISSUER | OIDC issuer URL | https://auth.example.com/realms/myrealm |
| AUTH__CLIENT_ID | OIDC client ID | my-app |
| AUTH__REFRESH_URL | Token refresh endpoint (optional) | https://auth.example.com/realms/myrealm/protocol/openid-connect/token |
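The following is an added example, not the server's own code, showing how the Server Configuration variables, the discovery URL from OIDC Requirements, and the rules in the Claims table fit together: it loads `AUTH__*` from the environment, derives the discovery URL from the issuer, and applies the claim rules to an already signature-verified ID-token payload. The `AuthConfig`, `ClaimError` and `validate_claims` names are this example's own, the sample payloads are constructed, and the `iss` comparison is an assumption (a standard OIDC check the table does not list). Signature and expiry verification are assumed to have been done by your JWT library before `validate_claims` is called.

```python
"""Added example (not the project's own code): AUTH__* config, discovery URL
and the claim rules from the Claims table applied to a decoded ID token."""
import os
from typing import Any, Dict, Mapping, Optional


class ClaimError(ValueError):
    """Raised when a decoded ID-token payload fails the claim rules."""


class AuthConfig:
    # Scopes from the Scopes table, requested as one space-separated string.
    SCOPES = ("openid", "profile", "email", "offline_access")

    def __init__(self, issuer: str, client_id: str, refresh_url: Optional[str] = None):
        if not issuer.startswith("https://"):
            raise ValueError("AUTH__ISSUER must be an https URL")
        # Normalise a trailing slash so the discovery URL and iss comparison are stable.
        self.issuer = issuer.rstrip("/")
        self.client_id = client_id
        self.refresh_url = refresh_url  # AUTH__REFRESH_URL is optional

    @classmethod
    def from_env(cls, env: Optional[Mapping[str, str]] = None) -> "AuthConfig":
        """Read the three AUTH__* variables; issuer and client ID are mandatory."""
        env = os.environ if env is None else env
        return cls(env["AUTH__ISSUER"], env["AUTH__CLIENT_ID"], env.get("AUTH__REFRESH_URL"))

    @property
    def discovery_url(self) -> str:
        # Standard OIDC discovery location, derived from the issuer.
        return f"{self.issuer}/.well-known/openid-configuration"

    @property
    def scope(self) -> str:
        return " ".join(self.SCOPES)


def validate_claims(claims: Mapping[str, Any], cfg: AuthConfig) -> Dict[str, Optional[str]]:
    """Apply the Claims table to a payload whose signature/expiry were already verified.

    Returns the identity the server would act on: sub (required) and email (optional).
    """
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ClaimError("missing required claim: sub")

    # Assumption (not in the table): if the token carries iss it must match AUTH__ISSUER.
    iss = claims.get("iss")
    if iss is not None and str(iss).rstrip("/") != cfg.issuer:
        raise ClaimError(f"issuer mismatch: {iss!r}")

    # aud is optional; when present it may be a string or an array (RFC 7519 4.1.3)
    # and must equal or contain the configured client_id.
    aud = claims.get("aud")
    if aud is not None:
        audiences = [aud] if isinstance(aud, str) else list(aud)
        if cfg.client_id not in audiences:
            raise ClaimError(f"aud {audiences!r} does not include client_id {cfg.client_id!r}")

    email = claims.get("email")
    return {"sub": sub, "email": email if isinstance(email, str) else None}


if __name__ == "__main__":
    # Constructed sample environment and payloads; no real provider is contacted.
    sample_env = {
        "AUTH__ISSUER": "https://auth.example.com/realms/myrealm",
        "AUTH__CLIENT_ID": "my-app",
    }
    config = AuthConfig.from_env(sample_env)
    print("discovery:", config.discovery_url)
    print("scope:", config.scope)
    good = {"iss": sample_env["AUTH__ISSUER"], "sub": "f47ac10b", "aud": ["my-app", "account"],
            "email": "alice@example.com"}
    print("accepted:", validate_claims(good, config))
    for bad in ({"email": "nobody@example.com"}, {"sub": "f47ac10b", "aud": "other-app"}):
        try:
            validate_claims(bad, config)
        except ClaimError as exc:
            print("rejected:", exc)
```

The `aud` handling is the part most often got wrong: providers such as Keycloak frequently emit `aud` as an array that includes other clients, so an equality check against `client_id` would wrongly reject valid tokens, while skipping the check when `aud` is present would accept tokens minted for a different client.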