
OIDC

You can configure tofutf to sign users in using OpenID Connect (OIDC). The OIDC authentication provider lets you use an upstream identity provider (IdP) such as Azure AD, Google, or Dex.

Configure OIDC on your preferred IdP (the exact process depends on the IdP):

  • Set the OIDC scopes to match those configured in tofutf (see below).

  • Set the redirect URI to:

    https://<tofutfd_install_hostname>/oauth/<oidc_name>/callback (see below for configuring the oidc_name)

Once you've configured OIDC on the IdP, take a note of the client ID and client secret.

Set the following flags when running tofutfd:

  • --oidc-name=<oidc_name> - the user-friendly name of the IdP. This can be something like azure-sso or google. Note that this affects the redirect URI you configure on the IdP (see above).
  • --oidc-issuer-url=<issuer-url> - the URL of the IdP's OIDC configuration. This varies depending on the IdP.
  • --oidc-client-id=<client-id> - the client ID generated by the IdP.
  • --oidc-client-secret=<client-secret> - the client secret generated by the IdP.

Optionally, you can set additional flags to override defaults:

  • --oidc-scopes=<scope1,scope2,...> - overrides the scopes requested from the IdP. The default is openid,profile. You should at a minimum specify the openid scope.
  • --oidc-username-claim=<claim> - determines which claim is mapped to a username in tofutf. It defaults to name. You can set it to name, email, or sub.

Note: If you override the claim, you may well need to override the scopes too; for example, the email claim often needs the email scope configured.
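A pre-flight check for the flags above, as an added example (not tofutf code): it derives the redirect URI you must register at the IdP from the hostname and --oidc-name, and checks the chosen scopes and username claim against the IdP's OIDC discovery document (the JSON served at <issuer-url>/.well-known/openid-configuration). The discovery document and hostnames are constructed samples.

```python
"""Sanity-check a tofutfd OIDC flag set before starting the server.

Added example, not tofutf code. The discovery document below is a
constructed sample; in practice fetch the real one from
<issuer-url>/.well-known/openid-configuration with urllib or curl."""

# Constructed sample of an IdP discovery document (field names come from
# the OpenID Connect Discovery spec; real IdPs publish many more fields).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "name", "email", "preferred_username"],
}

# Claims that IdPs usually release only when the matching scope is requested.
CLAIM_SCOPES = {"email": "email", "name": "profile"}


def redirect_uri(hostname: str, oidc_name: str) -> str:
    """Redirect URI tofutfd serves for --oidc-name=<oidc_name>."""
    return f"https://{hostname}/oauth/{oidc_name}/callback"


def check_config(discovery: dict, scopes: str = "openid,profile",
                 username_claim: str = "name") -> list[str]:
    """Return a list of problems; an empty list means the flags look consistent."""
    problems = []
    requested = scopes.split(",")
    if "openid" not in requested:
        problems.append("--oidc-scopes must include 'openid'")
    supported_scopes = set(discovery.get("scopes_supported", []))
    for scope in requested:
        if supported_scopes and scope not in supported_scopes:
            problems.append(f"scope '{scope}' not in IdP scopes_supported")
    if username_claim not in ("name", "email", "sub"):
        problems.append("--oidc-username-claim must be name, email or sub")
    supported_claims = set(discovery.get("claims_supported", []))
    if supported_claims and username_claim not in supported_claims:
        problems.append(f"claim '{username_claim}' not in IdP claims_supported")
    needed = CLAIM_SCOPES.get(username_claim)
    if needed and needed not in requested:
        problems.append(f"claim '{username_claim}' usually needs scope '{needed}'")
    return problems


if __name__ == "__main__":
    print(redirect_uri("tofutf.example.com", "google"))
    print(check_config(SAMPLE_DISCOVERY, "openid", "email"))
```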

Now when you start tofutfd and navigate to its URL in your browser, you'll be prompted to log in with your OIDC provider:

[Screenshot: login button]