--external-url is configured correctly for the Bytebase instance. If you start Bytebase with --external-url http://bytebase.example.com, then your application redirect URL should be http://bytebase.example.com/oidc/callback.
https://acme.okta.com/.well-known/openid-configuration.
Google will be shown as Sign in with Google
google
google.com (optional)
https://accounts.google.com
openid, profile, email. Some providers also support a groups claim, which can be included by adding the groups scope. This is useful if you want to enable group syncing as part of the authentication process.
email
name (optional)
phone (optional)
groups (optional). If this field is set, Bytebase will automatically perform group syncing by default.
{EXTERNAL_URL}/oidc/callback.

Google
google
google.com
https://accounts.google.com
email
name
openid, profile and email.
{EXTERNAL_URL}/oidc/callback.

GitLab
gitlab
gitlab.acme.com
https://gitlab.acme.com
email
name
http://gitlab.acme.com (HTTP) instead of https://gitlab.acme.com (HTTPS) despite the latter being the URL used to access the instance.
{EXTERNAL_URL}/oidc/callback.

Okta
okta
acme.okta.com
https://acme.okta.com
email
name
bytebase.
{EXTERNAL_URL}/oidc/callback.

Keycloak
keycloak
keycloak.acme.com
https://keycloak.acme.com/auth/realms/master
bytebase
email
name
bytebase.
{EXTERNAL_URL}/oidc/callback.

Casdoor
casdoor
<your casdoor host>
<your casdoor host>
email
name
{EXTERNAL_URL}/oidc/callback.
RS256.

Authing
authing
acme.authing.cn
https://acme.authing.cn/oidc
email
name
groups claim in their tokens.
Group syncing is based on a one-to-one match using the group title. When a user logs in, Bytebase compares the group names from the IdP with existing Bytebase user group titles. If a match is found, the user is automatically added as a Member to the corresponding Bytebase user group.
To ensure security and consistency, Bytebase also automatically removes the user from any Bytebase groups that are not present in their IdP group claims.
Group syncing occurs during login, so if group membership changes in your IdP, users must log out and log back in for the changes to take effect.
Some OIDC providers like Okta support the groups claim, but you'll need to first customize the tokens returned from Okta to include the groups claim. For more information, refer to the Okta documentation.
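
A pre-flight check of an IdP's discovery document against the settings described on this page (issuer, scopes, claim names, callback URL), as an added example that is not Bytebase code. The function names, the constructed sample metadata and the RS256 default are assumptions for illustration; the metadata keys are standard OIDC Discovery fields.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document for illustration; not captured from a real IdP.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "http://gitlab.acme.com",
  "scopes_supported": ["openid", "profile", "email"],
  "claims_supported": ["sub", "email", "name"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

def redirect_url(external_url):
    """Callback to register at the IdP: {EXTERNAL_URL}/oidc/callback."""
    return external_url.rstrip("/") + "/oidc/callback"

def discovery_url(issuer):
    """Where the IdP publishes its OIDC metadata."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_provider(issuer, scopes, claim_fields, discovery, alg="RS256"):
    """Compare planned SSO settings with IdP metadata; return findings."""
    findings = []
    reported = discovery.get("issuer", "")
    if reported != issuer:
        want, got = urlsplit(issuer), urlsplit(reported)
        same_host_path = (want.netloc, want.path) == (got.netloc, got.path)
        kind = "scheme" if same_host_path and want.scheme != got.scheme else "value"
        findings.append(f"issuer {kind} mismatch: IdP reports {reported}")
    # scopes_supported and claims_supported are optional metadata, so only
    # flag an entry when the IdP publishes the list and omits it.
    for key, wanted in (("scopes_supported", scopes), ("claims_supported", claim_fields)):
        published = discovery.get(key)
        if published is not None:
            for item in wanted:
                if item not in published:
                    findings.append(f"{item} not listed in {key}")
    # Assumed default: RS256, the algorithm named in the Casdoor notes above.
    if alg not in discovery.get("id_token_signing_alg_values_supported", []):
        findings.append(f"{alg} not offered for ID token signing")
    return findings

if __name__ == "__main__":
    print(redirect_url("http://bytebase.example.com"))
    for finding in check_provider("https://gitlab.acme.com",
                                  ["openid", "profile", "email", "groups"],
                                  ["email", "name", "groups"], SAMPLE_DISCOVERY):
        print("finding:", finding)
```

A finding is a prompt to check the IdP configuration, not proof of a fault: an IdP can issue a customized groups claim without listing it in its metadata.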