# OpenID Connect (OIDC)

Use these instructions to set up an OpenID Connect SSO provider for Tonic Textual.

## SSO setup <a href="#sso-oidc-sso-setup" id="sso-oidc-sso-setup"></a>

When you create the application (client) in your SSO system, you must configure it to use the Authorization Code Flow.

Also make a note of the `client_id`. You must provide the client ID when you complete the configuration for Textual.

### Redirect URI <a href="#sso-oidc-tonic-redirect-uris" id="sso-oidc-tonic-redirect-uris"></a>

In your SSO provider, configure the following redirect URI:

* **Sign-in redirect URI:** `<textual-base-url>/sso/callback/oidc`

## Textual configuration <a href="#sso-oidc-textual-config" id="sso-oidc-textual-config"></a>

### Required environment variables <a href="#sso-oidc-tonic-required-env-variables" id="sso-oidc-tonic-required-env-variables"></a>

After you set up the SSO provider, uncomment and configure the following required [environment variables](/textual/textual-install-administer/configuring-textual/textual-env-var-configure.md) in Textual:

* The application client identifier.
* For HTTP basic authentication (`client_secret_basic`), the client secret.
* The base URL of the provider. This is the location where `/.well-known/openid-configuration` is served.
* A regular expression to identify the groups that are permitted to use Textual.

For Kubernetes, in **values.yaml**:

```
# OIDC SSO Config
# -----------------
#oidcClientId: <application client ID>
#oidcClientSecret: <client secret for HTTP basic authentication>
#oidcAuthority: <base URL of the provider>
#oidcGroupFilterRegex: <regular expression to identify allowed groups>
```

For Docker, in **.env**:

```
#SOLAR_SSO_OIDC_CLIENT_ID=#<application client ID>
#SOLAR_SSO_OIDC_CLIENT_SECRET=#<client secret for HTTP basic authentication>
#SOLAR_SSO_OIDC_AUTHORITY=#<base URL of the provider>
#SOLAR_SSO_OIDC_GROUP_FILTER_REGEX=#<regular expression to identify allowed groups>
```

### Optional environment variables <a href="#sso-oidc-textual-config-optional-env-variables" id="sso-oidc-textual-config-optional-env-variables"></a>

You can also uncomment and configure the following optional environment variables:

* A space-delimited list of scopes to request from the OIDC SSO provider. Because the standard OIDC scopes do not carry group information, Textual can only capture group membership if you configure a custom scope that returns it.
* The name of the claim that contains the user's first name.
* The name of the claim that contains the user's last name.
* The name of the claim that contains the user's email address or username.
* The name of the claim that contains the user's group membership.

Textual has default values for these settings:

For Kubernetes, in **values.yaml**:

```
#oidcScopes: openid profile email
#oidcFirstNameClaimName: given_name
#oidcLastNameClaimName: family_name
#oidcEmailClaimName: email
#oidcGroupsClaimName: groups
```

For Docker, in **.env**:

```
#SOLAR_SSO_OIDC_SCOPES=#openid profile email
#SOLAR_SSO_OIDC_FIRST_NAME_CLAIM_NAME=#given_name
#SOLAR_SSO_OIDC_LAST_NAME_CLAIM_NAME=#family_name
#SOLAR_SSO_OIDC_EMAIL_CLAIM_NAME=#email
#SOLAR_SSO_OIDC_GROUPS_CLAIM_NAME=#groups
```
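The following is an added example, not code from Textual or from this page. It ties the required settings (authority, Authorization Code Flow, `client_secret_basic`, group filter regex) and the optional settings (scopes, claim names) to what a provider advertises in its discovery document and to what an ID token carries. The discovery document and token claims are constructed samples, and the example assumes that the group regex must match a whole group name, which the page does not state.

```python
import json
import re

# Constructed sample of what a provider serves at
# <oidcAuthority>/.well-known/openid-configuration (not a real provider).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/authorize",
  "token_endpoint": "https://idp.example.com/token",
  "response_types_supported": ["code", "id_token"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "scopes_supported": ["openid", "profile", "email", "groups"],
  "claims_supported": ["sub", "given_name", "family_name", "email", "groups"]
}""")


def discovery_url(authority: str) -> str:
    """Where the provider metadata is expected, given the oidcAuthority value."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def check_provider(disc: dict, scopes: str, claim_names: list) -> list:
    """Compare provider metadata against what the Textual settings rely on.
    Returns a list of problems; empty means nothing is missing. scopes_supported
    and claims_supported are optional in discovery, so they are checked only
    when the provider publishes them."""
    problems = []
    if "code" not in disc.get("response_types_supported", []):
        problems.append("provider does not advertise Authorization Code Flow")
    if "client_secret_basic" not in disc.get("token_endpoint_auth_methods_supported", []):
        problems.append("provider does not advertise client_secret_basic")
    for scope in scopes.split():
        if "scopes_supported" in disc and scope not in disc["scopes_supported"]:
            problems.append(f"scope not advertised: {scope}")
    for claim in claim_names:
        if "claims_supported" in disc and claim not in disc["claims_supported"]:
            problems.append(f"claim not advertised: {claim}")
    return problems


def allowed_groups(claims: dict, groups_claim: str, group_regex: str) -> list:
    """Groups in the token that pass the filter; empty means the user is not allowed.
    Assumption (not stated on the page): the regex must match the whole group name.
    A groups claim may be a single string or a list, so both are accepted."""
    pattern = re.compile(group_regex)
    groups = claims.get(groups_claim, [])
    if isinstance(groups, str):
        groups = [groups]
    return [g for g in groups if pattern.fullmatch(g)]
```

Run `check_provider` against the live discovery document before switching SSO on; a non-empty result usually explains a failed sign-in faster than the browser error does.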
