Available in v3.4.0 and later.

Accounts that use the same email address are linked together. This assumes that your identity provider is trusted and only returns email addresses it has verified; if it does not, anyone who can register an unverified address at that provider could be linked to an existing account.

OpenID Connect (OIDC)

If your identity provider supports OAuth 2.0 based authentication with OpenID Connect (OIDC), you can use it to authenticate users on your Rallly instance.

Required Scopes

Your OAuth 2.0 application needs to be configured with the following scopes:

  • openid: Essential for OIDC to function, used to perform authentication.
  • profile: Access to the user’s personal information such as name and picture.
  • email: Access to the user’s email address.

Callback URL / Redirect URI

Your identity provider should redirect the user back to the following URL:

{BASE_URL}/api/auth/callback/oidc

Replace {BASE_URL} with the base URL of your Rallly instance and add it to the list of allowed redirect URIs.

Configuration

The following configuration options are available for OIDC. All required fields must be set for OIDC to be enabled.

OIDC_NAME
default: "OpenID Connect"

The display name of your provider as it will be shown on the login page

OIDC_DISCOVERY_URL
required

URL of the .well-known/openid-configuration endpoint for your OIDC provider

OIDC_CLIENT_ID
required

The client ID of your OIDC application

OIDC_CLIENT_SECRET
required

The client secret of your OIDC application

OIDC_NAME_CLAIM_PATH
default: "name"

The path to the claim that contains the user’s name

OIDC_EMAIL_CLAIM_PATH
default: "email"

The path to the claim that contains the user’s email address

OIDC_PICTURE_CLAIM_PATH
default: "picture"

The path to the claim that contains the user’s profile picture

Use dot notation in _CLAIM_PATH fields to access nested objects.
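The following is an added example, not Rallly's own code, showing how the settings above fit together: OIDC is only enabled when all required variables are set, the callback URL is derived from the base URL, and the _CLAIM_PATH values are resolved with dot notation against a constructed set of ID token claims. The environment object, claim shape and function names are assumptions made for the example.

```typescript
// Added example (not Rallly's implementation). Shapes and names are assumed.
type Env = Record<string, string | undefined>;

interface OidcConfig {
  name: string;
  discoveryUrl: string;
  clientId: string;
  clientSecret: string;
  nameClaimPath: string;
  emailClaimPath: string;
  pictureClaimPath: string;
}

// Returns null when any required field is missing, i.e. OIDC stays disabled.
// Optional fields fall back to the defaults documented above.
function loadOidcConfig(env: Env): OidcConfig | null {
  const discoveryUrl = env.OIDC_DISCOVERY_URL;
  const clientId = env.OIDC_CLIENT_ID;
  const clientSecret = env.OIDC_CLIENT_SECRET;
  if (!discoveryUrl || !clientId || !clientSecret) return null;
  return {
    name: env.OIDC_NAME ?? "OpenID Connect",
    discoveryUrl,
    clientId,
    clientSecret,
    nameClaimPath: env.OIDC_NAME_CLAIM_PATH ?? "name",
    emailClaimPath: env.OIDC_EMAIL_CLAIM_PATH ?? "email",
    pictureClaimPath: env.OIDC_PICTURE_CLAIM_PATH ?? "picture",
  };
}

// The redirect URI that must be registered with the identity provider.
function callbackUrl(baseUrl: string): string {
  return `${baseUrl.replace(/\/+$/, "")}/api/auth/callback/oidc`;
}

// Walks a dot-notation path such as "contact.email" through nested claims.
function getClaim(claims: unknown, path: string): unknown {
  return path.split(".").reduce<unknown>((cur, key) => {
    if (cur === null || typeof cur !== "object") return undefined;
    return (cur as Record<string, unknown>)[key];
  }, claims);
}

// Maps token claims to a profile; a missing or non-string email is rejected,
// since the email is what account linking keys on.
function profileFromClaims(cfg: OidcConfig, claims: unknown) {
  const email = getClaim(claims, cfg.emailClaimPath);
  if (typeof email !== "string") return null;
  const name = getClaim(claims, cfg.nameClaimPath);
  const picture = getClaim(claims, cfg.pictureClaimPath);
  return {
    email,
    name: typeof name === "string" ? name : undefined,
    picture: typeof picture === "string" ? picture : undefined,
  };
}
```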