OIDC Configuration

Configure OpenID Connect (OIDC) single sign-on to let users authenticate via your organization's identity provider (Okta, Azure AD, Google Workspace, Keycloak, etc.). When enabled, mipo acts as an OIDC relying party and redirects users to the IdP for login. Local authentication remains available as a fallback.

Inputs

| Name | Description | Allowed Values | Default |
|------|-------------|----------------|---------|
| Enable OIDC Authentication | Toggle OIDC login on or off | Checkbox (true/false) | Disabled |
| Issuer URL | The OIDC discovery endpoint of your IdP | Valid HTTPS URL (e.g., https://your-domain.okta.com) | |
| Client ID | Application identifier registered with the IdP | Non-empty string from your IdP | |
| Client Secret | Application secret registered with the IdP | Non-empty string; leave blank to keep existing | |
| Scopes | Space-separated OIDC scopes requested during login | Space-separated scope names | openid profile email |

Fields & Columns

| Name | Description |
|------|-------------|
| Status | Whether OIDC authentication is currently enabled or disabled |

How To

Set up OIDC single sign-on

  1. Register mipo as an application in your identity provider and note the Client ID and Client Secret.
  2. Set the redirect URI in your IdP to match your mipo instance callback URL.
  3. Enter the Issuer URL, Client ID, and Client Secret on this page.
  4. Adjust scopes if your IdP requires non-standard ones.
  5. Check "Enable OIDC Authentication" and click Save Configuration.
  6. Test by logging out and signing in via the OIDC option on the login page.

Gotchas

  1. The redirect URI configured in your IdP must exactly match mipo's callback URL or login will fail with a redirect_uri_mismatch error.
  2. Leaving the Client Secret blank on save preserves the existing secret — it does not clear it.
  3. Disabling OIDC does not remove existing OIDC-provisioned users; they simply cannot log in via SSO until re-enabled.
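
A pre-flight check for the values entered in the How To steps and for the exact-match rule in the first gotcha. This is an added example, not part of mipo: the function names, the sample metadata and the callback path are assumptions made for illustration, and the metadata is passed in as already-parsed JSON so the check runs offline.

```python
from urllib.parse import urlsplit

def discovery_url(issuer_url):
    """Where the IdP publishes its metadata for a given issuer (OIDC Discovery 1.0)."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"

def check_oidc_settings(issuer_url, scopes, metadata, idp_redirect_uris, callback_url):
    """Return a list of problems; an empty list means the values are consistent.

    metadata          -- parsed JSON fetched from discovery_url(issuer_url)
    idp_redirect_uris -- redirect URIs registered for the client at the IdP
    callback_url      -- callback URL of this instance (derived from its Public URL)
    """
    problems = []
    parts = urlsplit(issuer_url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer URL is not an absolute HTTPS URL")
    if parts.query or parts.fragment:
        problems.append("issuer URL must not carry a query string or fragment")
    # Discovery requires the advertised issuer to be identical to the configured one;
    # a stray trailing slash or different host casing counts as a mismatch.
    if metadata.get("issuer") != issuer_url:
        problems.append(f"issuer mismatch: IdP advertises {metadata.get('issuer')!r}")
    requested = scopes.split()
    if "openid" not in requested:
        problems.append("scopes must include 'openid'")
    supported = metadata.get("scopes_supported")  # optional in the metadata
    if supported is not None:
        for scope in requested:
            if scope not in supported:
                problems.append(f"scope {scope!r} is not advertised by the IdP")
    # Redirect URIs are compared as exact strings: scheme, host, port, path, slash.
    if callback_url not in idp_redirect_uris:
        problems.append("redirect_uri_mismatch: callback URL is not registered at the IdP")
    return problems

# Constructed sample values; the callback path is a placeholder, not mipo's real one.
SAMPLE_METADATA = {
    "issuer": "https://your-domain.okta.com",
    "scopes_supported": ["openid", "profile", "email", "groups"],
}
REGISTERED = ["https://mipo.example.com/callback-placeholder"]

if __name__ == "__main__":
    print(check_oidc_settings("https://your-domain.okta.com", "openid profile email",
                              SAMPLE_METADATA, REGISTERED,
                              "https://mipo.example.com/callback-placeholder/"))
```

Run as a script, the sample reports a redirect_uri_mismatch because the callback URL carries a trailing slash that the registered URI does not.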

API Calls (2)

| Method | Path | Description |
|--------|------|-------------|
| GET | /api/admin/identity/oidc | Retrieve current OIDC configuration |
| PUT | /api/admin/identity/oidc | Update OIDC configuration |

Related Pages

  • Users — OIDC-provisioned users appear in the users list
  • Roles — Auto-provisioned OIDC users receive a default role
  • Settings — Public URL setting determines the OIDC callback URL