Skip to main content
Version: 3.4

OpenID Connect

  1. Create Loft Config For OIDC

    Loft is able to use an OIDC provider as an authentication source.

    To tell Loft to use OIDC for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

    auth:
     # Tell loft to allow OIDC for authentication
      oidc:
        # 
        # 
        # REQUIRED CONFIGURATION
        #
        #
        # IssuerURL is the URL the provider signs ID Tokens as.
        issuerUrl: https://accounts.google.com 
        # ClientID the JWT must be issued for, the "sub" field. Can be string literal or pulled from the environment.
        clientId: $CLIENTID
        # ClientSecret to issue tokens from the OIDC provider. Can be string literal or pulled from the environment.
        clientSecret: $CLIENTSECRET
        # Callback URL in the form of https://your-loft-domain/auth/oidc/callback
        redirectURI: https://loft.my.domain/auth/oidc/callback
        # 
        # 
        # OPTIONAL CONFIGURATION
        #
        #
        # (Optional) Path to a PEM encoded root certificate of the provider. 
        caFile: /tmp/ca-file.crt
        # (Optional) Specify whether to communicate without validating SSL certificates
        insecureCa: false
        # (Optional) UsernameClaim is the JWT field to use as the user's username. 
        # If not set defaults to email.
        usernameClaim: email
        # (Optional) If specified, causes claims mapping to username to be prefix with
        # the provided value.  
        usernamePrefix: my-prefix-
        # (Optional) If specified, causes the OIDCAuthenticator to try to populate the user's
        # groups with an ID Token field.
        groupsClaim: groups
        # (Optional) If specified, causes claims mapping to group names to be prefixed with the
        # value.
        groupsPrefix: group-prefix-
        # (Optional) If groups is non empty, access is denied if the user is not part of at least one 
        # of the specified groups. This requires groupsClaim to be set!
        groups: ["my-oidc-group"]
        # (Optional) If specified, tells the OIDCAuthenticator to try to populate the user's
        # information from the UserInfo. This might be necessary for slim tokens such as used
        # by Okta
        getUserInfo: false
        # (Optional) Scopes that should be sent to the server. If empty, defaults to "email" and "profile".
        scopes: ["profile", "email"]
        # (Optional) EmailClaim is the JWT field to use as the user's email.
        emailClaim: "email"
        # (Optional) LoftUsernameClaim is the JWT field to use as the user's ID (Kubernetes name) and username
        loftUsernameClaim: "name"
        # (Optional) PreferredUsername is the JWT field to use as the user's display name
        preferredUsername: "preferred_username"

  2. Authenticate via OIDC

    After saving the new Loft configuration, Loft will restart itself and you should be able to log in via your OIDC provider.

  3. Disable Username + Password Authentication (optional)

    To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

    auth:
      oidc: ...             # This is your SSO configuration (make sure this is working!)
      password:
        disabled: true      # Disable password-based authentication