Home A - Z

An Otter Wiki

Commit a8fb0f

2025-10-03 22:46:49 Hargata Softworks: x
advanced/openid.md ..
@@ 1,62 1,16 @@
# Authenticating via OpenID Connect
- Configure OpenID Connect(OIDC) for LubeLogger via the following environment variables
+ Configure OIDC for LubeLogger using the [[Server Settings Configurator|Installation/Server Settings]]
- ```
- OpenIDConfig__Name=Name of the OpenID Connect Provider
- OpenIDConfig__ClientId=Client Id to Authenticate with the Provider
- OpenIDConfig__ClientSecret=Client Secret to Authenticate with the Provider
- OpenIDConfig__AuthURL=Authorization URL to the Provider's Login Page
- OpenIDConfig__TokenURL=URL to retrieve user JWT from the Provider
- OpenIDConfig__RedirectURL=https://<yourlubeloggerdomain.com>/Login/RemoteAuth(must be HTTPS)
- OpenIDConfig__Scope=Scope to request from Provider(default: openid email)
- OpenIDConfig__ValidateState=true/false(default: false) - whether LubeLogger should validate state.
- OpenIDConfig__UsePKCE=true/false(default: false) - whether LubeLogger should use PKCE
- OpenIDConfig__DisableRegularLogin=true/false(default: false) - auto re-direct user to OIDC login.
- OpenIDConfig__UserInfoURL=UserInfo URL as alternative option to retrieve user claims(required for certain OpenID Providers)
- OpenIDConfig__LogOutURL=Log Out URL for OIDC Provider, required if DisableRegularLogin=true.
- ```
+ The following sample shows how to set up OIDC with Google as the provider with the LubeLogger instance running on `https://localhost:5000`
- If you're using the Windows Standalone executable, add the following section into `appsettings.json`
-
- ```
- "OpenIDConfig": {
- "Name": "",
- "ClientId": "",
- "ClientSecret": "",
- "AuthURL": "",
- "TokenURL": "",
- "RedirectURL": "",
- "Scope": "openid email",
- "ValidateState": true/false,
- "UsePKCE": true/false,
- "DisableRegularLogin": true/false,
- "UserInfoURL": "",
- "LogOutURL": ""
- }
- ```
-
- The following sample shows how to set up OIDC with Google as the provider with the LubeLogger instance running on `https://localhost:5011`
-
- ```
- OpenIDConfig__Name=Google
- OpenIDConfig__ClientId=xxx.apps.googleusercontent.com
- OpenIDConfig__ClientSecret=<your Google API Client Secret>
- OpenIDConfig__AuthURL=https://accounts.google.com/o/oauth2/auth
- OpenIDConfig__TokenURL=https://oauth2.googleapis.com/token
- OpenIDConfig__RedirectURL=https://localhost:5011/Login/RemoteAuth
- OpenIDConfig__Scope=email
- OpenIDConfig__ValidateState=true
- OpenIDConfig__UsePKCE=false
- OpenIDConfig__UserInfoURL=https://openidconnect.googleapis.com/v1/userinfo
- OpenIDConfig__DisableRegularLogin=false
- ```
+ ![](/Advanced/OpenID/a/image-1759531519431.png)
## State Validation
- The ValidateState environment variable determines if LubeLogger should validate the state token echoed back by the OIDC provider. This is set to false by default, if enabled, LubeLogger will fail any login attempts where the state token is not identical to what it sent to the provider. Leave this disabled if you wish to have IdP-initiated SSO.
+ When enabled, LubeLogger will validate the state token echoed back by the OIDC provider and will fail any login attempts where the state token is not identical to what it sent to the provider. Leave this disabled if you wish to have IdP-initiated SSO.
## Proof of KeyCode Exchange(PKCE)
- The UsePKCE environment variable determines if LubeLogger should generate and pass in a SHA-256-hashed challenge code to the OIDC provider.
+ When enabled, LubeLogger will generate and pass in a SHA-256-hashed challenge code to the OIDC provider.
## Testing
Once you have all these environment variables injected correctly, you should see the ability to login via your OIDC provider. Note: Currently LubeLogger only supports one OIDC provider.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9