OpenID Connect
Single Sign-On
OpenID Connect (OIDC) extends OAuth 2.0 with Single Sign-On (SSO) functionality, allowing users to log in, and optionally register, via OIDC instead of manually entering a username and password:
Authentication Flow
Config Options
Environment | CLI Flag | Default | Description
---|---|---|---
PHOTOPRISM_OIDC_URI | --oidc-uri | | identity provider URI for single sign-on via OpenID Connect, e.g. "https://accounts.google.com/"
PHOTOPRISM_OIDC_INSECURE | --oidc-insecure | | skip identity provider SSL/TLS certificate verification
PHOTOPRISM_OIDC_CLIENT | --oidc-client | | client ID for single sign-on via OpenID Connect
PHOTOPRISM_OIDC_SECRET | --oidc-secret | | client SECRET for single sign-on via OpenID Connect
PHOTOPRISM_OIDC_PROVIDER | --oidc-provider | | custom identity provider NAME, e.g. "Google"
PHOTOPRISM_OIDC_ICON | --oidc-icon | | custom identity provider icon URI
PHOTOPRISM_OIDC_REGISTER | --oidc-register | | allow new users to create an account when they sign in with OpenID Connect
PHOTOPRISM_OIDC_REDIRECT | --oidc-redirect | | automatically redirect unauthenticated users to the configured identity provider
PHOTOPRISM_DISABLE_OIDC | --disable-oidc | | disable single sign-on via OpenID Connect, even if an identity provider has been configured
Note that your PhotoPrism instance and the OpenID Connect Identity Provider must use HTTPS, otherwise single sign-on via OIDC cannot be enabled.
Service Discovery
Client Configuration
Single Sign-On via OpenID Connect can be configured automatically if the Identity Provider offers a standardized /.well-known/openid-configuration endpoint for service discovery:
- https://accounts.google.com/.well-known/openid-configuration
- https://keycloak.localssl.dev/realms/master/.well-known/openid-configuration
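The discovery document is the one piece of provider metadata a relying party fetches before it can trust anything else, so it is worth validating rather than just deserializing. The following Go example is added here and is not PhotoPrism's own code; it parses a constructed discovery document for a hypothetical provider (`accounts.example.test`), checks that the `issuer` matches the URI the relying party was configured with (the value an operator would pass as `--oidc-uri`, with trailing slashes normalized), requires every endpoint the authorization code flow depends on to be an absolute HTTPS URL, and confirms the provider advertises the `openid` scope and the `code` response type. The function names, the sample documents and the set of required endpoints are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// ProviderConfig holds the fields of a /.well-known/openid-configuration
// document that a relying party needs in order to run the authorization
// code flow. Field names follow the OpenID Connect Discovery document keys.
type ProviderConfig struct {
	Issuer                 string   `json:"issuer"`
	AuthorizationEndpoint  string   `json:"authorization_endpoint"`
	TokenEndpoint          string   `json:"token_endpoint"`
	UserinfoEndpoint       string   `json:"userinfo_endpoint"`
	JwksURI                string   `json:"jwks_uri"`
	ScopesSupported        []string `json:"scopes_supported"`
	ResponseTypesSupported []string `json:"response_types_supported"`
}

// sampleConfig is a constructed discovery document for a hypothetical
// provider; it is not the output of any real identity provider.
const sampleConfig = `{
  "issuer": "https://accounts.example.test",
  "authorization_endpoint": "https://accounts.example.test/authorize",
  "token_endpoint": "https://accounts.example.test/token",
  "userinfo_endpoint": "https://accounts.example.test/userinfo",
  "jwks_uri": "https://accounts.example.test/jwks",
  "scopes_supported": ["openid", "profile", "email"],
  "response_types_supported": ["code", "id_token"]
}`

// plaintextConfig is the same constructed document with a plaintext HTTP
// token endpoint, which the relying party must refuse.
const plaintextConfig = `{
  "issuer": "https://accounts.example.test",
  "authorization_endpoint": "https://accounts.example.test/authorize",
  "token_endpoint": "http://accounts.example.test/token",
  "jwks_uri": "https://accounts.example.test/jwks",
  "scopes_supported": ["openid"],
  "response_types_supported": ["code"]
}`

// ValidateProviderConfig parses a discovery document and checks that it can
// be used with the given configured issuer URI (the --oidc-uri value).
func ValidateProviderConfig(configuredURI string, doc []byte) (*ProviderConfig, error) {
	var cfg ProviderConfig
	if err := json.Unmarshal(doc, &cfg); err != nil {
		return nil, fmt.Errorf("discovery: invalid JSON: %w", err)
	}

	// The issuer inside the document must equal the URI the relying party was
	// configured with; otherwise a document served from one host could steer
	// clients to another provider's endpoints. Trailing slashes are
	// normalized because operators commonly configure "https://host/" while
	// providers publish the issuer as "https://host".
	if strings.TrimSuffix(cfg.Issuer, "/") != strings.TrimSuffix(configuredURI, "/") {
		return nil, fmt.Errorf("discovery: issuer %q does not match configured %q", cfg.Issuer, configuredURI)
	}

	// Endpoints the code flow depends on. userinfo_endpoint is optional in the
	// spec, so it is only checked when present; the others are required here.
	required := []struct{ name, value string }{
		{"issuer", cfg.Issuer},
		{"authorization_endpoint", cfg.AuthorizationEndpoint},
		{"token_endpoint", cfg.TokenEndpoint},
		{"jwks_uri", cfg.JwksURI},
	}
	for _, ep := range required {
		if ep.value == "" {
			return nil, fmt.Errorf("discovery: %s is missing", ep.name)
		}
		if err := requireHTTPS(ep.name, ep.value); err != nil {
			return nil, err
		}
	}
	if cfg.UserinfoEndpoint != "" {
		if err := requireHTTPS("userinfo_endpoint", cfg.UserinfoEndpoint); err != nil {
			return nil, err
		}
	}

	if !contains(cfg.ScopesSupported, "openid") {
		return nil, fmt.Errorf("discovery: provider does not advertise the openid scope")
	}
	if !contains(cfg.ResponseTypesSupported, "code") {
		return nil, fmt.Errorf("discovery: provider does not support the authorization code flow")
	}
	return &cfg, nil
}

// requireHTTPS rejects anything that is not an absolute https:// URL.
func requireHTTPS(name, raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("discovery: %s must be an absolute https URL, got %q", name, raw)
	}
	return nil
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

func main() {
	if cfg, err := ValidateProviderConfig("https://accounts.example.test/", []byte(sampleConfig)); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Println("token endpoint:", cfg.TokenEndpoint)
	}
	if _, err := ValidateProviderConfig("https://accounts.example.test/", []byte(plaintextConfig)); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

In a real relying party the document would be fetched over TLS from the configured issuer plus `/.well-known/openid-configuration`; the validation above is what should run on the response before any of the endpoints it names are contacted.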
Server Endpoint
It is not yet possible to use PhotoPrism as an OIDC Identity Provider, since not all the required standards and grant types have been fully implemented. However, querying the /.well-known/openid-configuration endpoint shows what is already available, and the remaining functionality can be added over time as needed:
Related Issues
Software Libraries
- zitadel/oidc by https://zitadel.com/
- indigo-dc/oidc-agent
- coreos/go-oidc
- panva/node-oidc-provider
- pulsejet/nextcloud-oidc-login
Protocol References
- https://openid.net/developers/how-connect-works/
- https://dl.photoprism.app/pdf/20220113-Volkmann_OpenID_Connect_Thesis.pdf
- https://oauth.net/openid-for-verifiable-credentials/
- https://developers.google.com/identity/openid-connect/openid-connect
- https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow
- https://developer.okta.com/docs/concepts/oauth-openid/
- https://developer.okta.com/docs/reference/api/oidc/
- https://developer.okta.com/docs/reference/api/oauth-clients/
- https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
- https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#openid-connect-scopes
- https://owncloud.dev/clients/rclone/webdav-sync-oidc/
- https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/
- https://auth0.com/docs/get-started/applications/configure-applications-with-oidc-discovery
- https://connect2id.com/products/server/docs/api/authorization
- https://www.authlete.com/developers/definitive_guide/authorization_endpoint_spec/