# SSO/OIDC Configuration

Mydia supports OpenID Connect (OIDC) for single sign-on integration.
## Supported Providers

Mydia works with any OIDC-compliant provider, including:

- Keycloak
- Authelia
- Auth0
- Okta
- Azure AD
- And more...
## Configuration

### Environment Variables

```env
OIDC_ENABLED=true
OIDC_DISCOVERY_DOCUMENT_URI=https://your-provider/.well-known/openid-configuration
OIDC_CLIENT_ID=mydia
OIDC_CLIENT_SECRET=your-client-secret
OIDC_REDIRECT_URI=http://localhost:4000/auth/oidc/callback
OIDC_SCOPES=openid profile email
```
### Variable Reference

| Variable | Description | Required |
|---|---|---|
| `OIDC_ENABLED` | Enable OIDC authentication | Yes |
| `OIDC_DISCOVERY_DOCUMENT_URI` | Provider's discovery endpoint | Yes |
| `OIDC_CLIENT_ID` | Application client ID | Yes |
| `OIDC_CLIENT_SECRET` | Application client secret | Yes |
| `OIDC_REDIRECT_URI` | Callback URL (auto-computed if not set) | No |
| `OIDC_SCOPES` | Space-separated scope list | No |
## Provider Setup

### Minimal Configuration

Mydia uses standard OAuth2 authentication. Configure your provider with:

- Client ID - Unique identifier for Mydia
- Client Secret - Secret key for authentication
- Redirect URI - `https://your-mydia-host/auth/oidc/callback`

No need to configure:

- Token endpoint auth methods
- Response modes
- JWT-based authentication
- PAR settings
### Keycloak Example

- Create a new client in your realm
- Set client protocol to `openid-connect`
- Set access type to `confidential`
- Add redirect URI: `https://mydia.example.com/auth/oidc/callback`
- Copy client ID and secret

```env
OIDC_DISCOVERY_DOCUMENT_URI=https://keycloak.example.com/realms/myrealm/.well-known/openid-configuration
OIDC_CLIENT_ID=mydia
OIDC_CLIENT_SECRET=your-client-secret
```
### Authelia Example

- Add the client configuration to Authelia:

```yaml
identity_providers:
  oidc:
    clients:
      - client_id: mydia
        client_secret: your-client-secret
        redirect_uris:
          - https://mydia.example.com/auth/oidc/callback
        scopes:
          - openid
          - profile
          - email
```

- Configure Mydia:

```env
OIDC_DISCOVERY_DOCUMENT_URI=https://authelia.example.com/.well-known/openid-configuration
OIDC_CLIENT_ID=mydia
OIDC_CLIENT_SECRET=your-client-secret
```
### Auth0 Example

- Create a new Regular Web Application
- Configure allowed callback URLs
- Copy domain, client ID, and secret

```env
OIDC_DISCOVERY_DOCUMENT_URI=https://your-tenant.auth0.com/.well-known/openid-configuration
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret
```
### Google Example

- Create OAuth 2.0 credentials in Google Cloud Console
- Add authorized redirect URIs
- Copy client ID and secret

```env
OIDC_DISCOVERY_DOCUMENT_URI=https://accounts.google.com/.well-known/openid-configuration
OIDC_CLIENT_ID=your-client-id.apps.googleusercontent.com
OIDC_CLIENT_SECRET=your-client-secret
```
## User Management

### First User Promotion

The first user to log in via OIDC is automatically promoted to the admin role. Subsequent users are assigned the guest role.

### Role Assignment

Currently, role assignment is manual after first login:

- Admin logs in
- Navigates to Admin > Users
- Updates user role as needed

### Combining with Local Auth

You can use both local and OIDC authentication:

Users see options for both on the login page.

### Disabling Local Auth

For OIDC-only authentication:

> **Warning:** Ensure OIDC is working before disabling local auth to avoid lockout.
## Scopes

Default scopes:

Required scopes:

- `openid` - Required for OIDC
- `profile` - User profile information
- `email` - User email address
## Redirect URI

The redirect URI is auto-computed from your `PHX_HOST` and `URL_SCHEME`, using the `/auth/oidc/callback` path shown in the examples above.

Override it by setting `OIDC_REDIRECT_URI` explicitly.
## Troubleshooting

### Login Fails

- Check the discovery document URI is accessible
- Verify client ID and secret
- Check the redirect URI matches the provider configuration
- Review application logs for errors

### User Not Created

- Ensure required scopes are granted
- Check the provider returns the `email` claim
- Review application logs

### Session Issues

- Check cookie settings
- Verify HTTPS configuration
- Check `PHX_HOST` matches your domain
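The troubleshooting items above (reachable discovery document, matching redirect URI, required scopes) and the lockout warning for disabling local auth can be checked before touching the application. The following preflight checker is an added example, not Mydia's own code; `check_oidc_config`, `effective_redirect_uri`, the sample environment and the sample discovery document are all constructed here, and it assumes you have already fetched the provider's discovery document and know which redirect URIs are registered at the provider.

```python
from urllib.parse import urlparse
REQUIRED_SCOPES = {"openid", "profile", "email"}
# Constructed sample inputs (not captured from a real provider): a subset of a
# /.well-known/openid-configuration document and a Mydia environment from this page.
SAMPLE_DISCOVERY = {
    "issuer": "https://keycloak.example.com/realms/myrealm",
    "authorization_endpoint": "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "profile", "email", "roles"],
}
SAMPLE_ENV = {
    "OIDC_ENABLED": "true",
    "OIDC_DISCOVERY_DOCUMENT_URI": "https://keycloak.example.com/realms/myrealm/.well-known/openid-configuration",
    "OIDC_CLIENT_ID": "mydia",
    "OIDC_CLIENT_SECRET": "your-client-secret",
    "OIDC_SCOPES": "openid profile email",
    "PHX_HOST": "mydia.example.com",
    "URL_SCHEME": "https",
}

def effective_redirect_uri(env):
    """An explicit OIDC_REDIRECT_URI wins; otherwise derive it from URL_SCHEME and PHX_HOST."""
    return env.get("OIDC_REDIRECT_URI") or f"{env.get('URL_SCHEME', 'https')}://{env['PHX_HOST']}/auth/oidc/callback"

def check_oidc_config(env, discovery, registered_redirect_uris):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    for key in ("OIDC_DISCOVERY_DOCUMENT_URI", "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET"):
        if not env.get(key):
            problems.append(f"{key} is not set")
    for field in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if field not in discovery:
            problems.append(f"discovery document lacks '{field}'")
    # OIDC Discovery places the document under the issuer it advertises; a mismatch is a misconfiguration.
    issuer = discovery.get("issuer", "").rstrip("/")
    if issuer and not env.get("OIDC_DISCOVERY_DOCUMENT_URI", "").startswith(issuer + "/"):
        problems.append("OIDC_DISCOVERY_DOCUMENT_URI is not under the advertised issuer")
    scopes = set(env.get("OIDC_SCOPES", "openid profile email").split())
    for scope in sorted(REQUIRED_SCOPES - scopes):
        problems.append(f"required scope '{scope}' missing from OIDC_SCOPES")
    for scope in sorted(scopes - set(discovery.get("scopes_supported", scopes))):
        problems.append(f"provider does not advertise scope '{scope}'")
    redirect = effective_redirect_uri(env)
    parsed = urlparse(redirect)
    if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
        problems.append(f"redirect URI {redirect} is not https")
    if redirect not in registered_redirect_uris:
        problems.append(f"redirect URI {redirect} is not registered at the provider")
    return problems
```

Run it against your real environment and the JSON fetched from `OIDC_DISCOVERY_DOCUMENT_URI`; only disable local auth once it returns an empty list and a real OIDC login has succeeded.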
## Testing

For detailed testing instructions, see the OIDC Testing Guide.