
Auth And OIDC

What you need before enabling login:

  • The first admin account, created with oriel admin bootstrap
  • A stable auth.cookie_secret for OIDC deployments
  • The OIDC provider's issuer, client ID, and client secret when external login is used

Local accounts are stored in PostgreSQL and use the oriel_session cookie.

Configure each OIDC provider in its own auth.oidc.<slug> table (the table key is the slug):

[auth]
cookie_secret = "replace-with-a-stable-secret"
[auth.oidc.company]
name = "Company SSO"
icon = "generic"
issuer = "https://id.example.com"
client_id = "oriel"
client_secret = "replace-me"
scopes = ["openid", "profile", "email"]
groups_claim = "groups"

Keep provider secrets out of TOML by supplying them through the environment instead. The variable name mirrors the TOML key path (here auth.oidc.company.client_secret):

export ORIEL_AUTH_OIDC_COMPANY_CLIENT_SECRET='secret'

The provider slug appears in:

/api/v1/auth/oidc/company/start
/api/v1/auth/oidc/company/callback

If a provider's redirect_url is empty, Oriel derives the callback URL from server.public_url, so public_url must match the origin browsers actually reach and the redirect URI registered with the provider.

To confirm that the providers loaded, open:

/api/v1/meta

The metadata response includes OIDC provider start URLs when providers are enabled.

Check service logs for OIDC discovery warnings during startup.

  • If login breaks after restart, set a stable auth.cookie_secret.
  • If multi-node login breaks, share the same auth.cookie_secret across query nodes.
  • If startup rejects OIDC config, check provider slug, icon, and redirect URL.
  • Oriel does not auto-link OIDC accounts to existing local accounts in this version: an OIDC login does not attach to a local account that already exists for the same person.