# OpenID Connect (OIDC)

Use these instructions to set up an OpenID Connect SSO provider for Tonic Textual.

## SSO setup <a href="#sso-oidc-sso-setup" id="sso-oidc-sso-setup"></a>

When you configure the application/client in your SSO system, you must configure it to use Authorization Code Flow (response type `code`). Implicit and hybrid flows are not supported.

You must also make note of the `client_id`. You must provide the client ID when you complete the configuration for Textual.

### Redirect URI <a href="#sso-oidc-tonic-redirect-uris" id="sso-oidc-tonic-redirect-uris"></a>

In your SSO provider, configure the following redirect URI. Providers compare redirect URIs exactly, so use the same scheme, host, and port that users use to reach Textual:

* **Sign-in redirect URI:** `<textual-base-url>/sso/callback/oidc`

## Textual configuration <a href="#sso-oidc-textual-config" id="sso-oidc-textual-config"></a>

### Required environment variables <a href="#sso-oidc-tonic-required-env-variables" id="sso-oidc-tonic-required-env-variables"></a>

After you set up the SSO provider, you uncomment and configure the required [environment variables](https://docs.tonic.ai/textual/textual-install-administer/configuring-textual/textual-env-var-configure) in Textual.

* The application client identifier (the `client_id` from your SSO provider)
* For HTTP basic authentication (`client_secret_basic`), the client secret
* The base URL (issuer URL) of the provider. Textual reads the provider's discovery document from `<base URL>/.well-known/openid-configuration`, so use the URL under which that document is served.
* A regular expression to identify the groups that are permitted to use Textual.

For Kubernetes, in **values.yaml**:

```
# OIDC SSO Config
# -----------------
#oidcClientId: <application client ID>
#oidcClientSecret: <client secret for HTTP basic authentication>
#oidcAuthority: <base URL of the provider>
#oidcGroupFilterRegex: <regular expression to identify allowed groups>
```

For Docker, in **.env**:

```
#SOLAR_SSO_OIDC_CLIENT_ID=#<application client ID>
#SOLAR_SSO_OIDC_CLIENT_SECRET=#<client secret for HTTP basic authentication>
#SOLAR_SSO_OIDC_AUTHORITY=#<base URL of the provider>
#SOLAR_SSO_OIDC_GROUP_FILTER_REGEX=#<regular expression to identify allowed groups>
```

### Optional environment variables <a href="#sso-oidc-textual-config-optional-env-variables" id="sso-oidc-textual-config-optional-env-variables"></a>

You can also uncomment and configure the following optional environment variables:

* A space-delimited list of scopes to request from the OIDC SSO provider. Group membership is not covered by the standard OIDC scopes (`openid`, `profile`, `email`), so for Textual to receive group information you must add to this list the scope under which your provider releases a groups claim, and the provider must be configured to include that claim for this client.
* The name of the claim that contains the user's first name.
* The name of the claim that contains the user's last name.
* The name of the claim that contains the user's email address or username.
* The name of the claim that contains the user's group membership.

Textual has default values for these settings:

For Kubernetes, in **values.yaml**:

```
#oidcScopes: openid profile email
#oidcFirstNameClaimName: given_name
#oidcLastNameClaimName: family_name
#oidcEmailClaimName: email
#oidcGroupsClaimName: groups
```

For Docker, in **.env**:

```
#SOLAR_SSO_OIDC_SCOPES=#openid profile email
#SOLAR_SSO_OIDC_FIRST_NAME_CLAIM_NAME=#given_name
#SOLAR_SSO_OIDC_LAST_NAME_CLAIM_NAME=#family_name
#SOLAR_SSO_OIDC_EMAIL_CLAIM_NAME=#email
#SOLAR_SSO_OIDC_GROUPS_CLAIM_NAME=#groups
```
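Before you commit these values, it is worth checking that the provider's discovery document actually agrees with them (Authorization Code Flow, `client_secret_basic`, the scopes and claim names you intend to request) and that the group filter regex admits only the groups you mean. The following script is an added example, not part of the Textual product or its documentation; the discovery document, hostname, group names and the `check_provider`/`allowed_groups` helpers are constructed for illustration. It assumes the permissive (substring search) interpretation of the group regex because this page does not state how Textual applies it, which is exactly why the pattern you configure should be anchored.

```python
"""Sanity-check an OIDC discovery document and a group-filter regex
before wiring the values into Textual's SSO settings."""
import json
import re
from typing import Dict, List

# Constructed stand-in for the JSON served at
# <authority>/.well-known/openid-configuration. Host and paths are invented.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.com/realms/corp",
    "authorization_endpoint": "https://idp.example.com/realms/corp/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/realms/corp/oauth2/token",
    "jwks_uri": "https://idp.example.com/realms/corp/oauth2/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "claims_supported": ["sub", "email", "given_name", "family_name", "groups"],
})


def load_discovery(raw: str = DISCOVERY_DOC) -> Dict:
    """Parse a discovery document (here the constructed one above)."""
    return json.loads(raw)


def discovery_url(authority: str) -> str:
    """The authority is the issuer base URL; discovery sits at a fixed path under it."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def check_provider(doc: Dict, authority: str, scopes: str, claim_names: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the settings look consistent.

    `scopes` is the space-delimited value you intend to configure as the scopes
    setting; `claim_names` maps a label to the claim name you intend to configure.
    """
    problems: List[str] = []

    # OIDC clients reject a document whose issuer differs from the URL it was fetched under.
    if doc.get("issuer", "").rstrip("/") != authority.rstrip("/"):
        problems.append(f"issuer {doc.get('issuer')!r} does not match authority {authority!r}")

    # Textual requires Authorization Code Flow, i.e. response_type=code.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the 'code' response type")

    # The client secret is sent with HTTP basic auth. Per the discovery spec the
    # default when the field is absent is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_basic" not in methods:
        problems.append("token endpoint does not accept client_secret_basic")

    # scopes_supported / claims_supported are optional in discovery; check only if advertised.
    advertised_scopes = doc.get("scopes_supported")
    if advertised_scopes is not None:
        for scope in scopes.split():
            if scope not in advertised_scopes:
                problems.append(f"scope {scope!r} is not advertised by the provider")
    advertised_claims = doc.get("claims_supported")
    if advertised_claims is not None:
        for label, claim in claim_names.items():
            if claim not in advertised_claims:
                problems.append(f"{label} claim {claim!r} is not advertised by the provider")
    return problems


def allowed_groups(groups: List[str], pattern: str) -> List[str]:
    """Apply a group-filter regex the permissive way (substring search).

    Assumption: Textual's matching semantics are not stated on this page, so the
    pattern you configure should be anchored; an anchored pattern selects the same
    groups under search, match and fullmatch.
    """
    rx = re.compile(pattern)
    return [g for g in groups if rx.search(g)]


if __name__ == "__main__":
    doc = load_discovery()
    authority = "https://idp.example.com/realms/corp/"
    claims = {"first name": "given_name", "last name": "family_name",
              "email": "email", "groups": "groups"}
    print("discovery URL:", discovery_url(authority))
    print("problems:", check_provider(doc, authority, "openid profile email groups", claims))

    # Constructed group list such as a 'groups' claim might carry.
    groups = ["textual-users", "textual-users-readonly", "former-textual-users", "finance"]
    print("unanchored filter:", allowed_groups(groups, "textual-users"))
    print("anchored filter:  ", allowed_groups(groups, "^textual-users$"))
```

Run it against a real deployment by replacing `DISCOVERY_DOC` with the JSON fetched from your provider's discovery URL. The unanchored pattern `textual-users` also admits `textual-users-readonly` and `former-textual-users`; `^textual-users$` admits only the intended group, and a pattern such as `^(textual-users|textual-admins)$` is the shape to use when several groups should have access.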
