Connecting an OpenID Connect (OIDC) Identity Provider
To connect an OIDC identity provider, run the following command:
```
infra providers add <your oidc provider name> \
  --url <your oidc provider url (or domain)> \
  --client-id <your oidc client id> \
  --client-secret <your oidc client secret> \
  --kind oidc
```
Finding required values
OIDC Provider Name
This can be any value you desire. It is used as a name in Infra to refer to this identity provider.
OIDC Provider URL
The base URL your OIDC identity provider can be reached at to obtain information and perform authentication.
Infra relies on the /.well-known/openid-configuration endpoint to discover the paths needed to use the identity provider.
For example, if your OIDC provider's discovery endpoint is
https://oidc.example.com/.well-known/openid-configuration, then your OIDC provider URL would be https://oidc.example.com (the discovery URL with the /.well-known/openid-configuration suffix removed).
OIDC Client ID and Secret
In order to authenticate using an OIDC identity provider you must register Infra as a client in that identity provider. By registering Infra as a client it will be granted a client ID and client secret that it can use to authenticate users.
OIDC Client Configuration Requirements
- Infra uses the authorization code flow; clients that use this flow are typically registered with the identity provider as web applications.
- Scopes required:
- Redirect URIs:
http://localhost:8301 (for Infra CLI)
https://<INFRA_SERVER_HOST>/login/callback (for Infra Dashboard)
- The OIDC identity provider must support the UserInfo endpoint.
- The UserInfo response must contain either a
- If you wish to use groups the identity provider must return the user's assigned groups from the UserInfo endpoint.
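Before running `infra providers add`, it is worth confirming that the provider's discovery document actually advertises what Infra needs: a UserInfo endpoint, the authorization code flow, and an issuer that matches the provider URL. The following script is an added example (not Infra's own code) that derives the `--url` value from a discovery URL and checks a discovery document against those requirements; the embedded discovery document and the `oidc.example.com` host are constructed for illustration.

```python
import json
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/openid-configuration"

# Constructed discovery document standing in for what a real provider serves.
SAMPLE_DISCOVERY_JSON = """{
  "issuer": "https://oidc.example.com",
  "authorization_endpoint": "https://oidc.example.com/authorize",
  "token_endpoint": "https://oidc.example.com/token",
  "userinfo_endpoint": "https://oidc.example.com/userinfo",
  "response_types_supported": ["code", "id_token"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "scopes_supported": ["openid", "email", "profile", "groups"]
}"""


def provider_url_from_discovery(discovery_url: str) -> str:
    """Derive the --url value: the discovery URL minus the well-known suffix."""
    if not discovery_url.endswith(DISCOVERY_PATH):
        raise ValueError("not a /.well-known/openid-configuration URL")
    return discovery_url[: -len(DISCOVERY_PATH)]


def check_discovery_document(doc: dict, provider_url: str) -> list:
    """Return a list of problems; an empty list means the provider looks usable."""
    problems = []
    # The issuer must match the URL the document was discovered under.
    if doc.get("issuer", "").rstrip("/") != provider_url.rstrip("/"):
        problems.append("issuer does not match provider URL")
    for name in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        url = doc.get(name)
        if not url:
            problems.append(f"missing {name}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{name} is not served over HTTPS")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    # Per OIDC Discovery, grant_types_supported defaults to these two if absent.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not supported")
    # scopes_supported is optional; only flag it when present and missing openid.
    if "openid" not in doc.get("scopes_supported", ["openid"]):
        problems.append("openid scope not advertised")
    return problems


def check_sample() -> list:
    url = provider_url_from_discovery("https://oidc.example.com" + DISCOVERY_PATH)
    return check_discovery_document(json.loads(SAMPLE_DISCOVERY_JSON), url)
```

To run this against a real provider, fetch the discovery URL over HTTPS and pass the parsed JSON to `check_discovery_document` together with the derived provider URL.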