OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. Bytebase supports using OIDC for configuring Single Sign-On (SSO).
Please make sure the --external-url is configured correctly for the Bytebase instance. If you start Bytebase with --external-url http://bytebase.example.com, then your application redirect URL should be http://bytebase.example.com/oidc/callback.
If you're unsure about the Issuer of your IdP, you can always use the OpenID Connect Discovery endpoint to find the correct value, e.g. https://acme.okta.com/.well-known/openid-configuration.
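As an added example (not code from the Bytebase project), the following Go program derives the redirect URL from the --external-url value and checks a discovery document against the issuer and scopes configured in Bytebase. The discovery JSON is constructed inline to mirror the GitLab http/https issuer case noted later on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

type discovery struct {
	Issuer          string   `json:"issuer"`
	ScopesSupported []string `json:"scopes_supported"`
}

// RedirectURL derives the callback to register with the IdP from --external-url.
func RedirectURL(externalURL string) (string, error) {
	u := strings.TrimRight(externalURL, "/")
	if !strings.HasPrefix(u, "http://") && !strings.HasPrefix(u, "https://") {
		return "", fmt.Errorf("--external-url must include a scheme: %q", externalURL)
	}
	return u + "/oidc/callback", nil
}

// CheckDiscovery compares the issuer configured in Bytebase and the scopes it
// will request against the IdP's discovery document. OIDC requires an exact
// string match on issuer, so an http/https difference is reported, not ignored.
func CheckDiscovery(doc []byte, configuredIssuer string, scopes []string) []string {
	var d discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return []string{"discovery document is not valid JSON: " + err.Error()}
	}
	var problems []string
	if d.Issuer != configuredIssuer {
		problems = append(problems, fmt.Sprintf("issuer mismatch: IdP advertises %q, Bytebase has %q", d.Issuer, configuredIssuer))
	}
	for _, s := range scopes {
		if !slices.Contains(d.ScopesSupported, s) {
			problems = append(problems, "scope not advertised by IdP: "+s)
		}
	}
	return problems
}

// constructedDoc is a hand-written discovery document, not a real IdP response.
const constructedDoc = `{"issuer":"http://gitlab.acme.com","scopes_supported":["openid","profile","email"]}`

func main() {
	cb, _ := RedirectURL("http://bytebase.example.com/")
	fmt.Println(cb, CheckDiscovery([]byte(constructedDoc), "https://gitlab.acme.com", []string{"openid", "groups"}))
}
```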
Basic information:
- Name: the name shown on the login button (e.g. Google will be shown as Sign in with Google)
- Identifier (e.g. google)
- Domain (e.g. google.com, optional)

Identity provider information:
- Issuer (e.g. https://accounts.google.com)
- Scopes (e.g. openid, profile, email). Some providers also support a groups claim, which can be included by adding the groups scope. This is useful if you want to enable group syncing as part of the authentication process.

User information field mapping:
- Email (e.g. email)
- Display name (e.g. name, optional)
- Phone (e.g. phone, optional)
- Groups (e.g. groups, optional). If this field is set, Bytebase will automatically perform group syncing by default.

Redirect URL: {EXTERNAL_URL}/oidc/callback

Google
- Identifier: google
- Domain: google.com
- Issuer: https://accounts.google.com
- Email: email
- Display name: name
- Scopes: openid, profile and email
- Redirect URL: {EXTERNAL_URL}/oidc/callback

GitLab
- Identifier: gitlab
- Domain: gitlab.acme.com
- Issuer: https://gitlab.acme.com
- Email: email
- Display name: name
In some GitLab self-hosted setups, the Issuer is http://gitlab.acme.com (HTTP) instead of https://gitlab.acme.com (HTTPS) despite the latter being the URL used to access the instance.
- Redirect URL: {EXTERNAL_URL}/oidc/callback

Okta
- Identifier: okta
- Domain: acme.okta.com
- Issuer: https://acme.okta.com
- Email: email
- Display name: name
- bytebase
- Redirect URL: {EXTERNAL_URL}/oidc/callback

Keycloak
- Identifier: keycloak
- Domain: keycloak.acme.com
- Issuer: https://keycloak.acme.com/auth/realms/master
- bytebase
- Email: email
- Display name: name
- bytebase
- Redirect URL: {EXTERNAL_URL}/oidc/callback

Casdoor
- Identifier: casdoor
- Domain: <your casdoor host>
- Issuer: <your casdoor host>
- Email: email
- Display name: name
- Redirect URL: {EXTERNAL_URL}/oidc/callback
- RS256

Authing
- Identifier: authing
- Domain: acme.authing.cn
- Issuer: https://acme.authing.cn/oidc
- Email: email
- Display name: name
Bytebase supports syncing identity provider (IdP) groups with Bytebase user groups for providers that include a groups claim in their tokens.
Group syncing is based on a one-to-one match using the group title. When a user logs in, Bytebase compares the group names from the IdP with existing Bytebase user group titles. If a match is found, the user is automatically added as a Member to the corresponding Bytebase user group.
To ensure security and consistency, Bytebase also automatically removes the user from any Bytebase groups that are not present in their IdP group claims.
Group syncing occurs during login, so if group membership changes in your IdP, users must log out and log back in for the changes to take effect.
Some OIDC providers like Okta support the groups claim, but you'll need to first customize the tokens returned from Okta to include the groups claim. For more information, refer to the Okta documentation.
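The matching rule described above, written out as an added Go example (not Bytebase's own code): it takes the token's groups claim, the titles of the existing Bytebase groups and the user's current memberships, and returns the additions and removals a login would produce. The sample values are constructed, and treating titles as case-sensitive is an assumption, since the page does not say.

```go
package main

import (
	"fmt"
	"sort"
)

type GroupChanges struct {
	Add    []string // Bytebase groups the user should be added to as Member
	Remove []string // Bytebase groups the user should be removed from
}

// SyncGroups applies the one-to-one title match: a group named in the claim
// that also exists in Bytebase gains the user; any current membership not
// named in the claim is dropped. Titles are compared exactly (case-sensitive,
// an assumption). Claimed groups that do not exist in Bytebase are ignored.
func SyncGroups(idpGroups, bytebaseGroups, memberOf []string) GroupChanges {
	claimed := toSet(idpGroups)
	existing := toSet(bytebaseGroups)
	current := toSet(memberOf)
	var c GroupChanges
	for title := range claimed {
		if existing[title] && !current[title] {
			c.Add = append(c.Add, title)
		}
	}
	for title := range current {
		if !claimed[title] {
			c.Remove = append(c.Remove, title)
		}
	}
	sort.Strings(c.Add)
	sort.Strings(c.Remove)
	return c
}

func toSet(items []string) map[string]bool {
	s := make(map[string]bool, len(items))
	for _, it := range items {
		s[it] = true
	}
	return s
}

func main() {
	// Constructed sample: an IdP claim next to a Bytebase group list and current memberships.
	c := SyncGroups([]string{"dba", "Everyone"}, []string{"dba", "developers"}, []string{"developers"})
	fmt.Printf("add %v, remove %v\n", c.Add, c.Remove)
}
```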
If you click the login button and nothing happens, you may be hitting a CORS error. You can verify this by inspecting the browser's network requests. Please ask your network admin to whitelist the Bytebase host. Alternatively, you can configure OAuth.