OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. Bytebase supports using OIDC for configuring Single Sign-On (SSO).

Configuration

- Please make sure the --external-url is configured correctly for the Bytebase instance. If you start Bytebase with --external-url https://bytebase.example.com, then your application redirect URL should be https://bytebase.example.com/oidc/callback.
- If you're unsure about the Issuer of your IdP, you can always use the OpenID Connect Discovery endpoint to find the correct value, e.g. https://acme.okta.com/.well-known/openid-configuration.
Basic information:
- Name: the display name shown to your users (e.g. Google will be shown as Sign in with Google)
- Identity Provider ID: a human-readable unique string; only lower-case letters and hyphens are allowed (e.g. google)
- Domain: the domain name to scope associated users (e.g. google.com, optional)

Identity provider information:
- Issuer: the issuer of the response (e.g. https://accounts.google.com)
- Client ID: the client ID of your application
- Client secret: the client secret of your application

User information field mapping:
- Email: the claims field to be used as the Bytebase user email address (e.g. email)
- Display name: the claims field to be used as the Bytebase user display name (e.g. name, optional)
- Phone: the claims field to be used as the Bytebase user phone number (e.g. phone, optional)
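The two settings above that are easiest to get wrong are the redirect URL derived from --external-url and the claims-to-user field mapping. The following is an added example, not Bytebase's own code: it derives the /oidc/callback URL from an external URL and maps a constructed set of ID-token claims onto a user record using the Email, Display name and Phone mapping. The rule that the optional Domain restricts sign-in to email addresses under that domain is an assumption about Bytebase's behaviour, and the claim payload is sample data.

```python
"""Added example (not Bytebase's own code): derive the OIDC callback URL from
--external-url and map ID-token claims onto the Bytebase user fields (Email /
Display name / Phone) with the optional Domain restriction. The domain check is
an assumption about how Bytebase scopes users; the claims are constructed data.
"""
from typing import Optional
from urllib.parse import urlparse


def callback_url(external_url: str) -> str:
    """Return the redirect URL to register at the IdP for a given --external-url.

    The callback path is /oidc/callback (as documented); a trailing slash on the
    external URL is tolerated so the path is not doubled.
    """
    parsed = urlparse(external_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"--external-url must be an absolute http(s) URL: {external_url!r}")
    return external_url.rstrip("/") + "/oidc/callback"


def map_claims(claims: dict, field_mapping: dict, domain: Optional[str] = None) -> dict:
    """Map ID-token claims onto a Bytebase-style user record.

    field_mapping has keys "email" (required), "display_name" and "phone"
    (optional); each value names the claim to read, exactly as entered on the
    SSO settings page. Assumption: when Domain is set, an email outside that
    domain is rejected rather than provisioned.
    """
    email_claim = field_mapping["email"]
    email = claims.get(email_claim)
    if not isinstance(email, str) or "@" not in email:
        raise ValueError(f"claim {email_claim!r} is missing or not an email address")
    email = email.strip().lower()
    if domain is not None:
        user_domain = email.rsplit("@", 1)[1]
        if user_domain != domain.lower():
            raise PermissionError(f"{email} is outside the configured domain {domain}")
    user = {"email": email}
    for field in ("display_name", "phone"):
        claim_name = field_mapping.get(field)
        if claim_name and claims.get(claim_name):
            user[field] = claims[claim_name]
    return user


# Constructed sample ID-token claims (the payload an IdP such as Google returns
# after sign-in); not a real token.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "1234567890",
    "email": "Alice@google.com",
    "name": "Alice Example",
    "phone": "+1-555-0100",
}

if __name__ == "__main__":
    print(callback_url("https://bytebase.example.com/"))
    print(map_claims(SAMPLE_CLAIMS, {"email": "email", "display_name": "name"}, domain="google.com"))
```

Run it as a script to see the callback URL and the mapped user; the Phone mapping is simply omitted from the result when the claim is absent or not configured, matching its optional status above.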
Google

- Follow the Google OpenID Connect documentation to create a new OAuth client ID with "Web application" as the Application type.
- Configure the Authorized redirect URIs to be {EXTERNAL_URL}/oidc/callback.
- In Bytebase, go to Settings > SSO to create a new OIDC provider (all values are examples):
  - Name: Google
  - Identity Provider ID: google
  - Domain: google.com
  - Issuer: https://accounts.google.com
  - Client ID: the client ID of your application
  - Client secret: the client secret of your application
  - Email: email
  - Display name: name
GitLab

- Follow the documentation on configuring GitLab as an OAuth 2.0 authentication identity provider to create a new OAuth application:
  - Configure the Scopes to include openid, profile and email.
  - Configure the Redirect URI to be {EXTERNAL_URL}/oidc/callback.
- In Bytebase, go to Settings > SSO to create a new OIDC provider (all values are examples):
  - Name: GitLab
  - Identity Provider ID: gitlab
  - Domain: gitlab.acme.com
  - Issuer: https://gitlab.acme.com
  - Client ID: the application ID of your application
  - Client secret: the secret of your application
  - Email: email
  - Display name: name

In some GitLab self-hosted setups, the Issuer is http://gitlab.acme.com (HTTP) instead of https://gitlab.acme.com (HTTPS), despite the latter being the URL used to access the instance.
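The Issuer value must match what the IdP advertises character for character: OIDC Discovery requires the "issuer" field of the discovery document to be identical to the Issuer URL the relying party is configured with, so an http:// versus https:// difference like the GitLab one above makes ID token validation fail. The check below is an added example, not Bytebase's or GitLab's code; it compares a configured Issuer with a discovery document and also confirms the openid, profile and email scopes and the RS256 id_token signing algorithm (the value the Authing section later configures) are advertised. The discovery document is constructed sample data modelled on a self-hosted GitLab that advertises an http:// issuer; the endpoint paths in it are assumptions.

```python
"""Added example (not Bytebase's or GitLab's own code): validate a configured
Issuer against the IdP's OpenID Connect Discovery document before saving the
SSO settings. The discovery document is constructed sample data; its endpoint
paths are assumptions, not taken from any real instance.
"""
import json
from typing import List

# Scopes the GitLab OAuth application must grant, per the steps above.
REQUIRED_SCOPES = {"openid", "profile", "email"}


def discovery_url(issuer: str) -> str:
    """Where a relying party fetches the discovery document for an issuer
    (the .well-known path from the Configuration section)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(configured_issuer: str, document: dict) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    advertised = document.get("issuer")
    # Exact string comparison on purpose: the spec requires identity, so
    # scheme, host case and trailing slash all matter.
    if advertised != configured_issuer:
        problems.append(f"issuer mismatch: configured {configured_issuer!r}, IdP advertises {advertised!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not document.get(key):
            problems.append(f"discovery document lacks {key}")
    missing = REQUIRED_SCOPES - set(document.get("scopes_supported", []))
    if missing:
        problems.append(f"IdP does not advertise required scopes: {sorted(missing)}")
    algs = document.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append(f"RS256 not among id_token signing algorithms: {algs}")
    return problems


# Constructed sample discovery document (not fetched from a real server).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "http://gitlab.acme.com",
  "authorization_endpoint": "https://gitlab.acme.com/oauth/authorize",
  "token_endpoint": "https://gitlab.acme.com/oauth/token",
  "jwks_uri": "https://gitlab.acme.com/oauth/discovery/keys",
  "scopes_supported": ["openid", "profile", "email"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

if __name__ == "__main__":
    for issuer in ("https://gitlab.acme.com", "http://gitlab.acme.com"):
        print(issuer, "->", check_discovery(issuer, SAMPLE_DISCOVERY) or "ok")
```

Against the sample document, the https:// issuer is reported as a mismatch while the http:// one passes, which is exactly the situation the caveat above describes; in practice, fetch discovery_url(issuer) from the IdP and feed the parsed JSON to check_discovery before entering the Issuer in Bytebase.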
Okta

- Follow the Okta create OIDC app integrations documentation to create a new OIDC app integration with "Web Application" as the Application type.
  - Configure the Sign-in redirect URIs to be {EXTERNAL_URL}/oidc/callback.
  - Configure the Assignments > Controlled access to be Allow everyone in your organization to access.
- In Bytebase, go to Settings > SSO to create a new OIDC provider (all values are examples):
  - Name: Okta
  - Identity Provider ID: okta
  - Domain: acme.okta.com
  - Issuer: https://acme.okta.com
  - Client ID: the client ID of your application
  - Client secret: the client secret of your application
  - Email: email
  - Display name: name
Keycloak

- Follow the Keycloak create OIDC provider documentation to create a new "OpenID Connect" client.
  - Configure the Client ID to be bytebase.
  - Configure the Valid redirect URIs to be {EXTERNAL_URL}/oidc/callback.
  - Turn on Capability config > Client authentication so that the Credentials tab becomes available (it generates and displays the client secret).
    - In some older versions, configure Access Type to "confidential" instead.
- In Bytebase, go to Settings > SSO to create a new OIDC provider (all values are examples):
  - Name: Keycloak
  - Identity Provider ID: keycloak
  - Domain: keycloak.acme.com
  - Issuer: https://keycloak.acme.com/auth/realms/master
  - Client ID: bytebase
  - Client secret: the client secret of your application
  - Email: email
  - Display name: name
Casdoor

- Follow the Casdoor documentation to create a new application.
  - Configure the Client ID and Client secret to be bytebase.
  - Configure the Valid redirect URIs to be {EXTERNAL_URL}/oidc/callback.
- In Bytebase, go to Settings > SSO to create a new OIDC provider (all values are examples):
  - Name: Casdoor
  - Identity Provider ID: casdoor
  - Domain: <your casdoor host>
  - Issuer: <your casdoor host>
  - Client ID: the client ID of your application
  - Client secret: the client secret of your application
  - Email: email
  - Display name: name
Authing

- Follow the Authing documentation on creating a self-built application (创建自建应用) to create a new "Standard Web Application" (标准 Web 应用) as a self-built application (自建应用).
  - In Application Configuration (应用配置), configure the Login Callback URL (登录回调 URL) to be {EXTERNAL_URL}/oidc/callback.
  - In Protocol Configuration (协议配置), configure the id_token signing algorithm (id_token 签名算法) to be RS256.
- In Bytebase, go to Settings > SSO to create a new OIDC provider (all values are examples):
  - Name: Authing
  - Identity Provider ID: authing
  - Domain: acme.authing.cn
  - Issuer: https://acme.authing.cn/oidc
  - Client ID: the app ID of your application
  - Client secret: the app secret of your application
  - Email: email
  - Display name: name