OIDC Authentication


Create Loft Config For OIDC

Loft is able to use an OIDC provider as an authentication source.

To tell Loft to use OIDC for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

# Tell loft to allow OIDC for authentication
# IssuerURL is the URL the provider signs ID Tokens as.
issuerUrl: https://accounts.google.com
# ClientID the JWT must be issued for, the "sub" field. Can be string literal or pulled from the environment.
clientId: $CLIENTID
# ClientSecret to issue tokens from the OIDC provider. Can be string literal or pulled from the environment.
clientSecret: $CLIENTSECRET
# Callback URL in the form of https://your-loft-domain/auth/oidc/callback
redirectURI: https://loft.my.domain/auth/oidc/callback
# (Optional) Path to a PEM encoded root certificate of the provider.
caFile: /tmp/ca-file.crt
# (Optional) Specify whether to communicate without validating SSL certificates
insecureCa: false
# (Optional) UsernameClaim is the JWT field to use as the user's username.
# If not set defaults to email.
usernameClaim: email
# (Optional) If specified, causes claims mapping to username to be prefix with
# the provided value.
usernamePrefix: my-prefix-
# (Optional) If specified, causes the OIDCAuthenticator to try to populate the user's
# groups with an ID Token field.
groupsClaim: groups
# (Optional) If specified, causes claims mapping to group names to be prefixed with the
# value.
groupsPrefix: group-prefix-
# (Optional) If groups is non empty, access is denied if the user is not part of at least one
# of the specified groups. This requires groupsClaim to be set!
groups: ["my-oidc-group"]
# (Optional) If specified, tells the OIDCAuthenticator to try to populate the user's
# information from the UserInfo. This might be necessary for slim tokens such as used
# by Okta
getUserInfo: false
# (Optional) Cluster Account Templates that will be automatically added for new users
# logging in through this authentication
# The name of the cluster account template
- name: my-cluster-account-template
sync: true
# (Optional) A mapping between groups and cluster account templates.
# If the user has a certain group, the cluster account template
# will be added during creation
# Name of the group from the token
- group: my-group
# Names of the cluster account templates to apply
- name: my-cluster-account-template
sync: true

Authenticate via OIDC

After saving the new Loft configuration, Loft will restart itself and you should be able to log in via your OIDC provider.


Disable Username + Password Authentication (optional)

To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

oidc: ... # This is your SSO configuration (make sure this is working!)
disabled: true # Disable password-based authentication