Configure OIDC Authentication
Oore CI supports OpenID Connect (OIDC) authentication and does not support local passwords.
In Remote mode, OIDC is the default (remote_auth_mode=oidc). For local-first onboarding and operator access, the daemon also supports loopback-only local login (no OIDC). If you run behind an identity-aware proxy, you can opt into remote_auth_mode=trusted_proxy instead of OIDC.
What you need
- An Oore CI instance that is either being set up or already running
- Admin access to an OIDC-compatible identity provider
- The ability to create an OAuth 2.0 / OIDC application in your provider
How OIDC works in Oore CI
During setup, you provide three values:
| Value | Example | Where to get it |
|---|---|---|
| Issuer URL | https://accounts.google.com | Your provider's OIDC documentation |
| Client ID | 123456.apps.googleusercontent.com | Created when you register an OAuth app |
| Client secret | GOCSPX-... | Created with the OAuth app (optional for some providers) |
Oore CI uses the issuer URL to discover endpoints automatically via the OpenID Connect Discovery protocol. It fetches {issuer_url}/.well-known/openid-configuration to find the authorization, token, and JWKS endpoints.
The client secret, if provided, is encrypted with AES-256-GCM before storage.
Required OAuth scopes
Oore CI requests these scopes during authentication:
- openid — required by the OIDC spec
- email — used to identify users
- profile — used for display names and avatars
Redirect URIs to configure
When creating your OAuth application, add these redirect URIs:
| Context | Redirect URI |
|---|---|
| Hosted UI (ci.oore.build) | https://ci.oore.build/auth/callback |
| Local launcher (oore-web) | http://127.0.0.1:4173/auth/callback |
| Local dev UI | http://localhost:3000/auth/callback |
| Custom domain | https://your-domain.com/auth/callback |
| CLI loopback | http://localhost:* (dynamic port shown by CLI) |
TIP
Both setup and regular sign-in use the same /auth/callback path. You only need one redirect URI per origin.
Some providers don't support wildcard ports. In that case, the CLI will display the exact http://localhost:<port> URI before opening the browser — add it to your allowed redirect URIs at that point.
TIP
The setup wizard displays the exact redirect URI to configure based on how you access the UI.
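To make the redirect URI table concrete, here is an added example (not part of the Oore CI docs or code base) of the matching rule an OIDC provider applies when it compares the redirect URI in an authorization request against the registered list. It assumes the table above as the registered set, models the CLI loopback entry as a `:*` port wildcard, and follows RFC 8252 section 7.3, which permits the port to vary only for loopback hosts. Providers that lack wildcard-port support simply cannot register the last entry, which is why the CLI prints the exact URI instead.

```python
from urllib.parse import urlparse

# Registered redirect URIs taken from the table above. The "*" port is an
# assumption used here to model "any loopback port" (RFC 8252 section 7.3).
REGISTERED_REDIRECT_URIS = [
    "https://ci.oore.build/auth/callback",
    "http://127.0.0.1:4173/auth/callback",
    "http://localhost:3000/auth/callback",
    "http://localhost:*/auth/callback",
]

# Only these hosts may use a wildcard port; any other host must match exactly.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def redirect_uri_allowed(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Return True only if `requested` exactly matches a registered URI.

    Exact match means scheme, host, port, path and query are identical; the
    single relaxation is the port on loopback hosts, per RFC 8252.
    """
    req = urlparse(requested)
    if req.fragment:
        # Redirect URIs must not carry a fragment.
        return False
    for entry in registered:
        reg = urlparse(entry)
        if (req.scheme, req.hostname, req.path, req.query) != (
            reg.scheme, reg.hostname, reg.path, reg.query
        ):
            continue
        if reg.netloc.endswith(":*"):
            # Wildcard port: honoured for loopback hosts only.
            if reg.hostname in LOOPBACK_HOSTS:
                return True
            continue
        # Non-wildcard entries require the port to match too (None == default port).
        if req.port == reg.port:
            return True
    return False


if __name__ == "__main__":
    for uri in (
        "https://ci.oore.build/auth/callback",
        "http://localhost:51234/auth/callback",      # dynamic CLI port, allowed
        "http://ci.oore.build/auth/callback",        # scheme downgrade, rejected
        "https://ci.oore.build/auth/callback/extra", # path mismatch, rejected
    ):
        print(uri, "->", redirect_uri_allowed(uri))
```

The check deliberately compares components rather than string prefixes: prefix matching is what lets a path like `/auth/callback/..` or a look-alike host slip through, and the loopback exception is the only place where anything other than an exact match is accepted.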
Provider guides
Follow the guide for your identity provider:
| Provider | Guide |
|---|---|
| Google Workspace / Cloud Identity | Google OIDC setup |
| Okta | Okta OIDC setup |
| Azure AD / Entra ID | Azure AD OIDC setup |
| Auth0 | Auth0 OIDC setup |
| Keycloak | Keycloak OIDC setup |
Any provider that supports OpenID Connect Discovery will work. If your provider isn't listed above, use the general configuration steps:
- Create an OAuth 2.0 / OIDC application in your provider
- Set the application type to "Web application"
- Add the redirect URIs listed above
- Enable the openid, email, and profile scopes
- Copy the issuer URL, client ID, and client secret
- Enter them during Oore CI setup (see Set Up Your Instance)
Verify OIDC discovery
You can test that your issuer URL is correct before running setup:
curl https://accounts.google.com/.well-known/openid-configuration | jq .issuer
The response should include an issuer field matching your issuer URL.
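The curl check above confirms only the issuer field. As an added example (not Oore CI's own code), the script below performs the same discovery step described earlier on this page and applies the checks a relying party should make before trusting the document: the issuer must equal the configured issuer URL exactly (trailing slash included), the authorization, token and JWKS endpoints must be present and use https, and the provider should advertise the openid, email and profile scopes. The embedded discovery document is a constructed sample trimmed to the fields used here; `fetch_and_validate` runs the live version against any issuer.

```python
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# The three endpoints Oore CI resolves through discovery.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = ("openid", "email", "profile")

# Constructed sample discovery document (only the fields this script reads).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes_supported": ["openid", "email", "profile"],
})


def discovery_url(issuer_url: str) -> str:
    """Build {issuer_url}/.well-known/openid-configuration, tolerating a trailing slash."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer_url: str, body: str) -> dict:
    """Parse a discovery document and verify it belongs to `issuer_url`.

    Returns a map of the required endpoints; raises ValueError on any problem.
    """
    if urlparse(issuer_url).scheme != "https":
        raise ValueError("issuer URL must use https")
    doc = json.loads(body)

    # OIDC Discovery requires the document's issuer to be identical to the
    # issuer URL it was fetched from; a mismatch means the endpoints you are
    # about to trust were not published for this issuer.
    if doc.get("issuer") != issuer_url:
        raise ValueError(f"issuer mismatch: expected {issuer_url!r}, got {doc.get('issuer')!r}")

    missing = [key for key in REQUIRED_ENDPOINTS if key not in doc]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")
    for key in REQUIRED_ENDPOINTS:
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} is not https: {doc[key]}")

    # scopes_supported is optional in the spec; check it only when present.
    supported = set(doc.get("scopes_supported", []))
    if supported and not set(REQUIRED_SCOPES) <= supported:
        raise ValueError(f"provider does not advertise scopes {sorted(set(REQUIRED_SCOPES) - supported)}")

    return {key: doc[key] for key in REQUIRED_ENDPOINTS}


def fetch_and_validate(issuer_url: str, timeout: float = 5.0) -> dict:
    """Live check: fetch the discovery document over HTTPS and validate it."""
    with urlopen(discovery_url(issuer_url), timeout=timeout) as resp:
        return validate_discovery(issuer_url, resp.read().decode("utf-8"))


if __name__ == "__main__":
    endpoints = validate_discovery("https://accounts.google.com", SAMPLE_DISCOVERY)
    for name, url in endpoints.items():
        print(f"{name}: {url}")
```

Run it with `python3 discovery_check.py` to validate the embedded sample, or call `fetch_and_validate("https://your-issuer.example")` for the provider you are about to enter into the setup wizard; a ValueError here points at the same problem the wizard would hit later.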