OpenID Connect (OIDC)
This guide explains how to connect an OpenID Connect-compliant identity provider to Infra.
To connect an OIDC identity provider via Infra's CLI, run the following command:
infra providers add <your oidc provider name> \
  --url <your_oidc_provider_url_or_domain> \
  --client-id <your_oidc_client_id> \
  --client-secret <your_oidc_client_secret> \
  --kind oidc
The provider name can be any value you desire. Infra uses it as the name that refers to this identity provider.
The --url value is the base URL at which your OIDC identity provider can be reached to obtain information and perform authentication.
Infra relies on the /.well-known/openid-configuration endpoint to discover the paths needed to use the identity provider.
For example, if your OIDC provider's discovery endpoint is
https://oidc.example.com/.well-known/openid-configuration then your OIDC provider URL would be
To authenticate using an OIDC identity provider, you must register Infra as a client in that identity provider. Registration grants Infra a client ID and client secret that it can use to authenticate users.
- Infra uses the authorization code flow; clients that use this flow are typically web applications.
- Scopes required:
- Redirect URIs:
  - http://localhost:8301 (for Infra CLI)
  - https://<INFRA_SERVER_HOST>/login/callback (for Infra Dashboard)
- The OIDC identity provider must support the UserInfo endpoint.
- The UserInfo response must contain either a
- If you wish to use groups, the identity provider must return the user's assigned groups from the UserInfo endpoint.
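Before running `infra providers add`, the discovery document can be checked against the requirements above. The following is an added example, not Infra's own code: the metadata field names come from the OpenID Connect Discovery specification, the issuer-match check is that specification's rule rather than documented Infra behaviour, and the sample documents are constructed.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

DISCOVERY_PATH = "/.well-known/openid-configuration"

def discovery_url(provider_url):
    """Build the discovery URL from the value passed to --url."""
    if "://" not in provider_url:  # assumption: a bare domain means HTTPS
        provider_url = "https://" + provider_url
    return provider_url.rstrip("/") + DISCOVERY_PATH

def check_discovery(provider_url, doc):
    """Return a list of problems found in a parsed discovery document."""
    problems = []
    expected = discovery_url(provider_url)[: -len(DISCOVERY_PATH)]
    # The issuer must match the URL used for discovery (trailing slash ignored here).
    if (doc.get("issuer") or "").rstrip("/") != expected:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {expected!r}")
    # Endpoints the authorization code flow and the UserInfo lookup depend on.
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        value = doc.get(key)
        if not value:
            problems.append(f"{key} is missing")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not served over HTTPS")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' is not advertised")
    # grant_types_supported is optional; its default includes authorization_code.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant is not advertised")
    return problems

def fetch_discovery(provider_url, timeout=10):
    """Fetch the live document (needs network access; unused in the sample run)."""
    with urlopen(discovery_url(provider_url), timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample documents, not taken from any real provider.
GOOD = {"issuer": "https://oidc.example.com",
        "authorization_endpoint": "https://oidc.example.com/authorize",
        "token_endpoint": "https://oidc.example.com/token",
        "userinfo_endpoint": "https://oidc.example.com/userinfo",
        "response_types_supported": ["code"]}
BAD = dict(GOOD, issuer="https://other.example.net", userinfo_endpoint=None,
           response_types_supported=["id_token"])

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_discovery("oidc.example.com", doc) or "ok")
```

For a real provider, pass the result of `fetch_discovery(<your_oidc_provider_url_or_domain>)` to `check_discovery` with the same URL.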