
OpenID Connect

Single Sign-On

OpenID Connect (OIDC) extends OAuth 2.0 with Single Sign-On (SSO) functionality, allowing users to log in and optionally register via OIDC instead of manually entering a username and password:

[Screenshot: OIDC login page]

Authentication Flow

[Diagram: OIDC SSO authentication flow]


Config Options

| Environment | CLI Flag | Default | Description |
|---|---|---|---|
| PHOTOPRISM_OIDC_URI | --oidc-uri | | identity provider URI for single sign-on via OpenID Connect, e.g. "https://accounts.google.com/" |
| PHOTOPRISM_OIDC_INSECURE | --oidc-insecure | | skip identity provider SSL/TLS certificate verification |
| PHOTOPRISM_OIDC_CLIENT | --oidc-client | | client ID for single sign-on via OpenID Connect |
| PHOTOPRISM_OIDC_SECRET | --oidc-secret | | client SECRET for single sign-on via OpenID Connect |
| PHOTOPRISM_OIDC_PROVIDER | --oidc-provider | | custom identity provider NAME, e.g. "Google" |
| PHOTOPRISM_OIDC_ICON | --oidc-icon | | custom identity provider icon URI |
| PHOTOPRISM_OIDC_REGISTER | --oidc-register | | allow new users to create an account when they sign in with OpenID Connect |
| PHOTOPRISM_OIDC_REDIRECT | --oidc-redirect | | automatically redirect unauthenticated users to the configured identity provider |
| PHOTOPRISM_DISABLE_OIDC | --disable-oidc | | disable single sign-on via OpenID Connect, even if an identity provider has been configured |

Note that both your PhotoPrism instance and the OpenID Connect Identity Provider must use HTTPS; otherwise, single sign-on via OIDC cannot be enabled.

Service Discovery

Client Configuration

Single Sign-On via OpenID Connect can be configured automatically if Identity Providers offer a standardized /.well-known/openid-configuration endpoint for service discovery:

Server Endpoint

It is not yet possible to use PhotoPrism as an OIDC Identity Provider, since not all the required standards and grant types have been fully implemented. However, querying the /.well-known/openid-configuration endpoint shows what is already available, and the remaining functionality can be added over time as needed:
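The following is an added example that is not part of PhotoPrism's code or documentation. It shows the checks a relying party should apply to a discovery document before trusting it, covering both the client-side discovery described under "Client Configuration" and the kind of document the server endpoint above returns: the discovery URL is derived from the configured issuer URI, the URI must use HTTPS, the required fields must be present, the `issuer` field must match the configured URI, the `code` response type used for SSO must be advertised, and every endpoint must itself be HTTPS. The `fetch_discovery` helper mirrors what `--oidc-insecure` means in practice (certificate verification switched off). The issuer `https://idp.example/` and the discovery document below are constructed sample values; the trailing-slash normalisation when comparing issuers is an assumption of this example, since the discovery specification's wording is an identical match.

```python
"""Validate an OpenID Connect discovery document before trusting it.

Added example, not PhotoPrism code. Models the checks a client should apply
to an identity provider's /.well-known/openid-configuration response.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Fields every OIDC provider must publish (OpenID Connect Discovery 1.0).
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
)

# Constructed sample issuer and discovery document (not a real provider).
SAMPLE_ISSUER = "https://idp.example/"
SAMPLE_DOC = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/oauth2/authorize",
    "token_endpoint": "https://idp.example/oauth2/token",
    "jwks_uri": "https://idp.example/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
}


def discovery_url(oidc_uri: str) -> str:
    """Derive the discovery URL from the configured issuer URI.

    Any trailing slash on the issuer is removed before the well-known
    path is appended, so "https://idp.example/" and "https://idp.example"
    resolve to the same document.
    """
    return oidc_uri.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(oidc_uri: str, doc: dict) -> list:
    """Return a list of problems; an empty list means the document is acceptable."""
    problems = []

    # The configured identity provider URI must be HTTPS (matching the note
    # that PhotoPrism and the provider both need HTTPS for SSO to be enabled).
    if urlparse(oidc_uri).scheme != "https":
        problems.append("OIDC URI must use HTTPS: %r" % oidc_uri)

    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append("missing required field %r" % field)
    if problems:
        return problems  # remaining checks need the fields above

    # The advertised issuer must be the URI the document was fetched from;
    # accepting a different issuer lets a rogue provider impersonate the
    # configured one. Only a trailing slash is ignored (assumption of this
    # example; the spec text is an identical match).
    if doc["issuer"].rstrip("/") != oidc_uri.rstrip("/"):
        problems.append("issuer mismatch: configured %r, advertised %r"
                        % (oidc_uri, doc["issuer"]))

    # Browser-based SSO uses the authorization code flow.
    if "code" not in doc["response_types_supported"]:
        problems.append("provider does not advertise the 'code' response type")

    # Endpoints receive the client secret and tokens, so each must be HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc[key]).scheme != "https":
            problems.append("%s is not served over HTTPS: %r" % (key, doc[key]))

    return problems


def fetch_discovery(oidc_uri: str, insecure: bool = False) -> dict:
    """Fetch and parse the discovery document over the network.

    insecure=True reproduces the effect of --oidc-insecure: the provider's
    certificate chain and hostname are not verified, so a network attacker
    can serve an arbitrary document. Leave it False outside of test setups.
    """
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(discovery_url(oidc_uri), context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample document.
    print(discovery_url(SAMPLE_ISSUER))
    print("sample doc problems:", validate_discovery(SAMPLE_ISSUER, SAMPLE_DOC))
    tampered = dict(SAMPLE_DOC, issuer="https://attacker.example")
    print("tampered doc problems:", validate_discovery(SAMPLE_ISSUER, tampered))
```

Run it as a script to see the sample document pass and a document with a swapped `issuer` fail; point `fetch_discovery` at a real provider only with `insecure=False` unless you are deliberately testing a self-signed lab setup.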

Software Libraries

Protocol References