signalk-server
Version:
An implementation of a [Signal K](http://signalk.org) server for boats.
403 lines (385 loc) • 46.8 kB
HTML
<html class="default" lang="en" data-base="../"><head><meta charset="utf-8"/><meta http-equiv="x-ua-compatible" content="IE=edge"/><title>OIDC Authentication | Signal K</title><meta name="description" content="Documentation for Signal K"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="stylesheet" href="../assets/style.css?cache=1783009712609"/><link rel="stylesheet" href="../assets/highlight.css?cache=1783009712609"/><script defer src="../assets/main.js?cache=1783009712609"></script><script async src="../assets/icons.js?cache=1783009712609" id="tsd-icons-script"></script><script async src="../assets/search.js?cache=1783009712609" id="tsd-search-script"></script><script async src="../assets/navigation.js?cache=1783009712609" id="tsd-nav-script"></script><script async src="../assets/hierarchy.js?cache=1783009712609" id="tsd-hierarchy-script"></script><link rel="stylesheet" href="../assets/theme.css"/><script>if(window.self!==window.top){document.documentElement.classList.add('embedded')}</script></head><body><script>document.documentElement.dataset.theme = localStorage.getItem("tsd-theme") || "os";document.body.style.display="none";setTimeout(() => window.app?app.showPage():document.body.style.removeProperty("display"),500)</script><header class="tsd-page-toolbar"><div class="tsd-toolbar-contents container"><a href="../index.html" class="title"><img class="title-logo" src="../assets/logo.svg" alt="Signal K"/><svg class="title-home-icon" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-label="Documentation home"><path d="M3 9l9-7 9 7v11a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2z"></path><polyline points="9 22 9 12 15 12 15 22"></polyline></svg></a><button id="tsd-search-trigger" class="tsd-widget" aria-label="Search"><svg width="16" height="16" viewBox="0 0 16 16" fill="none" aria-hidden="true"><use href="../assets/icons.svg#icon-search"></use></svg><span class="visible@s">Search</span></button><dialog id="tsd-search" aria-label="Search"><input role="combobox" id="tsd-search-input" aria-controls="tsd-search-results" aria-autocomplete="list" aria-expanded="true" autocapitalize="off" autocomplete="off" placeholder="Search the docs" maxLength="100"/><ul role="listbox" id="tsd-search-results"></ul><div id="tsd-search-status" aria-live="polite" aria-atomic="true"><div>Preparing search index...</div></div></dialog><div id="tsd-toolbar-links"><a href="https://discord.gg/uuZrwz4dCS" target="_blank" rel="noopener" class="toolbar-icon visible@s" aria-label="Discord"><svg width="24" height="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 640 512"><path d="M524.5 69.8a1.5 1.5 0 0 0 -.8-.7A485.1 485.1 0 0 0 404.1 32a1.8 1.8 0 0 0 -1.9 .9 337.5 337.5 0 0 0 -14.9 30.6 447.8 447.8 0 0 0 -134.4 0 309.5 309.5 0 0 0 -15.1-30.6 1.9 1.9 0 0 0 -1.9-.9A483.7 483.7 0 0 0 116.1 69.1a1.7 1.7 0 0 0 -.8 .7C39.1 183.7 18.2 294.7 28.4 404.4a2 2 0 0 0 .8 1.4A487.7 487.7 0 0 0 176 479.9a1.9 1.9 0 0 0 2.1-.7A348.2 348.2 0 0 0 208.1 430.4a1.9 1.9 0 0 0 -1-2.6 321.2 321.2 0 0 1 -45.9-21.9 1.9 1.9 0 0 1 -.2-3.1c3.1-2.3 6.2-4.7 9.1-7.1a1.8 1.8 0 0 1 1.9-.3c96.2 43.9 200.4 43.9 295.5 0a1.8 1.8 0 0 1 1.9 .2c2.9 2.4 6 4.9 9.1 7.2a1.9 1.9 0 0 1 -.2 3.1 301.4 301.4 0 0 1 -45.9 21.8 1.9 1.9 0 0 0 -1 2.6 391.1 391.1 0 0 0 30 48.8 1.9 1.9 0 0 0 2.1 .7A486 486 0 0 0 610.7 405.7a1.9 1.9 0 0 0 .8-1.4C623.7 277.6 590.9 167.5 524.5 69.8zM222.5 337.6c-29 0-52.8-26.6-52.8-59.2S193.1 219.1 222.5 219.1c29.7 0 53.3 26.8 52.8 59.2C275.3 311 251.9 337.6 222.5 337.6zm195.4 0c-29 0-52.8-26.6-52.8-59.2S388.4 219.1 417.9 219.1c29.7 0 53.3 26.8 52.8 59.2C470.7 311 447.5 337.6 417.9 337.6z"></path></svg></a><a href="https://github.com/SignalK/signalk-server" target="_blank" rel="noopener" class="toolbar-icon visible@s" aria-label="Discord"><svg width="24" height="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3 .3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5 .3-6.2 2.3zm44.2-1.7c-2.9 .7-4.9 2.6-4.6 4.9 .3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3 .7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3 .3 2.9 2.3 3.9 1.6 1 3.6 .7 4.3-.7 .7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3 .7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3 .7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"></path></svg></a><a href="#" class="tsd-widget menu" id="tsd-toolbar-menu-trigger" data-toggle="menu" aria-label="Menu"><svg width="16" height="16" viewBox="0 0 16 16" fill="none" aria-hidden="true"><use href="../assets/icons.svg#icon-menu"></use></svg></a></div></div></header><div class="container container-main"><div class="col-content"><div class="tsd-page-title"><ul class="tsd-breadcrumb" aria-label="Breadcrumb"><li><a href="../Security.html">Security</a></li><li><a href="" aria-current="page">OIDC Authentication</a></li></ul></div><div class="tsd-panel tsd-typography"><h1 id="openid-connect-oidc-authentication" class="tsd-anchor-link">OpenID Connect (OIDC) Authentication<a href="#openid-connect-oidc-authentication" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h1>
<p>Signal K Server supports OpenID Connect (OIDC) authentication. This enables Single Sign-On (SSO) with identity providers (IdPs) running on your local network (<a href="https://www.keycloak.org/">Keycloak</a>, <a href="https://goauthentik.io/">Authentik</a>, <a href="https://www.authelia.com/">Authelia</a>) or cloud services (Auth0, Okta, and others).</p>
<h2 id="overview" class="tsd-anchor-link">Overview<a href="#overview" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h2>
<p>OIDC authentication provides:</p>
<ul>
<li><strong>Single Sign-On (SSO)</strong>: Users <strong>authenticate once</strong> with the identity provider and the login information can be shared with <strong>multiple applications</strong>, such as Grafana.</li>
<li><strong>Modern authentication methods</strong>: The IdP may support modern authentication methods such as <a href="https://safety.google/safety/authentication/passkey/">Passkey</a> and Multi-factor authentication without implementing everything within Signal K</li>
<li><strong>Centralized User Management</strong>: Manage users in your identity provider, not in Signal K</li>
<li><strong>Group-Based Permissions</strong>: Map identity provider groups to Signal K permission levels</li>
<li><strong>Auto-Provisioning</strong>: Automatically create Signal K users on first OIDC login</li>
</ul>
<p>OIDC works alongside local authentication. You can have both local users and OIDC users simultaneously.</p>
<h2 id="quick-start" class="tsd-anchor-link">Quick Start<a href="#quick-start" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h2>
<h3 id="1-register-signal-k-as-an-oidc-client" class="tsd-anchor-link">1. Register Signal K as an OIDC Client<a href="#1-register-signal-k-as-an-oidc-client" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p>In your identity provider, create a new OIDC/OAuth2 client application:</p>
<ul>
<li><strong>Client ID</strong>: Choose a name like <code>signalk-server</code></li>
<li><strong>Client Type</strong>: Confidential (requires client secret)</li>
<li><strong>Grant Type</strong>: Authorization Code</li>
<li><strong>Redirect URI</strong>: <code>https://your-signalk-server:3000/signalk/v1/auth/oidc/callback</code></li>
</ul>
<p>Note the <strong>Client ID</strong> and <strong>Client Secret</strong> for the next step.</p>
<h3 id="2-configure-signal-k" class="tsd-anchor-link">2. Configure Signal K<a href="#2-configure-signal-k" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p>OIDC can be configured via environment variables or the Admin UI.</p>
<h4 id="using-environment-variables" class="tsd-anchor-link">Using Environment Variables<a href="#using-environment-variables" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h4>
<pre><code class="bash"><span class="hl-1">export</span><span class="hl-0"> SIGNALK_OIDC_ENABLED</span><span class="hl-1">=</span><span class="hl-0">true</span><br/><span class="hl-1">export</span><span class="hl-0"> SIGNALK_OIDC_ISSUER</span><span class="hl-1">=</span><span class="hl-0">https://auth.example.com</span><br/><span class="hl-1">export</span><span class="hl-0"> SIGNALK_OIDC_CLIENT_ID</span><span class="hl-1">=</span><span class="hl-0">signalk-server</span><br/><span class="hl-1">export</span><span class="hl-0"> SIGNALK_OIDC_CLIENT_SECRET</span><span class="hl-1">=</span><span class="hl-0">your-client-secret</span>
</code><button type="button">Copy</button></pre>
<h4 id="using-the-admin-ui" class="tsd-anchor-link">Using the Admin UI<a href="#using-the-admin-ui" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h4>
<ol>
<li>Navigate to <strong>Security > OIDC Configuration</strong></li>
<li>Enable OIDC</li>
<li>Enter your provider's Issuer URL</li>
<li>Enter the Client ID and Client Secret</li>
<li>Click <strong>Save</strong></li>
</ol>
<h3 id="3-test-the-configuration" class="tsd-anchor-link">3. Test the Configuration<a href="#3-test-the-configuration" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<ol>
<li>Log out of Signal K</li>
<li>On the login page, click the SSO login button</li>
<li>You should be redirected to your identity provider</li>
<li>After authenticating, you'll be redirected back to Signal K</li>
</ol>
<h2 id="configuration-reference" class="tsd-anchor-link">Configuration Reference<a href="#configuration-reference" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h2>
<h3 id="environment-variables" class="tsd-anchor-link">Environment Variables<a href="#environment-variables" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<table>
<thead>
<tr>
<th>Variable</th>
<th>Required</th>
<th>Default</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>SIGNALK_OIDC_ENABLED</code></td>
<td>Yes</td>
<td><code>false</code></td>
<td>Enable OIDC authentication</td>
</tr>
<tr>
<td><code>SIGNALK_OIDC_ISSUER</code></td>
<td>Yes</td>
<td>-</td>
<td>OIDC provider URL (e.g., <code>https://auth.example.com</code>)</td>
</tr>
<tr>
<td><code>SIGNALK_OIDC_CLIENT_ID</code></td>
<td>Yes</td>
<td>-</td>
<td>Client ID registered with the provider</td>
</tr>
<tr>
<td><code>SIGNALK_OIDC_CLIENT_SECRET</code></td>
<td>Yes</td>
<td>-</td>
<td>Client secret from the provider</td>
</tr>
<tr>
<td><code>SIGNALK_OIDC_SCOPE</code></td>
<td>No</td>
<td><code>openid email profile</code></td>
<td>OAuth scopes to request (add <code>groups</code> for permission mapping)</td>
</tr>
<tr>
<td><code>SIGNALK_OIDC_DEFAULT_PERMISSION</code></td>
<td>No</td>
<td><code>readonly</code></td>
<td>Default permission for new users</td>
</tr>
<tr>
<td><code>SIGNALK_OIDC_AUTO_CREATE_USERS</code></td>
<td>No</td>
<td><code>true</code></td>
<td>Auto-create users on first login</td>
</tr>
<tr>
<td><code>SIGNALK_OIDC_ADMIN_GROUPS</code></td>
<td>No</td>
<td>-</td>
<td>Comma-separated groups that grant admin</td>
</tr>
<tr>
<td><code>SIGNALK_OIDC_READWRITE_GROUPS</code></td>
<td>No</td>
<td>-</td>
<td>Comma-separated groups that grant readwrite</td>
</tr>
<tr>
<td><code>SIGNALK_OIDC_GROUPS_ATTRIBUTE</code></td>
<td>No</td>
<td><code>groups</code></td>
<td>ID token claim containing groups</td>
</tr>
<tr>
<td><code>SIGNALK_OIDC_PROVIDER_NAME</code></td>
<td>No</td>
<td><code>SSO Login</code></td>
<td>Button text on login page</td>
</tr>
<tr>
<td><code>SIGNALK_OIDC_AUTO_LOGIN</code></td>
<td>No</td>
<td><code>false</code></td>
<td>Auto-redirect to OIDC provider</td>
</tr>
<tr>
<td><code>SIGNALK_OIDC_REDIRECT_URI</code></td>
<td><strong>Yes</strong></td>
<td>-</td>
<td>Full callback URL (e.g., <code>https://myserver.com/signalk/v1/auth/oidc/callback</code>)</td>
</tr>
</tbody>
</table>
<h3 id="securityjson-configuration" class="tsd-anchor-link">security.json Configuration<a href="#securityjson-configuration" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p>OIDC can also be configured in <code>security.json</code>:</p>
<pre><code class="json"><span class="hl-0">{</span><br/><span class="hl-0"> </span><span class="hl-3">"oidc"</span><span class="hl-0">: {</span><br/><span class="hl-0"> </span><span class="hl-3">"enabled"</span><span class="hl-0">: </span><span class="hl-2">true</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"issuer"</span><span class="hl-0">: </span><span class="hl-4">"https://auth.example.com"</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"clientId"</span><span class="hl-0">: </span><span class="hl-4">"signalk-server"</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"clientSecret"</span><span class="hl-0">: </span><span class="hl-4">"your-client-secret"</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"redirectUri"</span><span class="hl-0">: </span><span class="hl-4">"https://your-server.com/signalk/v1/auth/oidc/callback"</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"scope"</span><span class="hl-0">: </span><span class="hl-4">"openid email profile groups"</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"defaultPermission"</span><span class="hl-0">: </span><span class="hl-4">"readonly"</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"autoCreateUsers"</span><span class="hl-0">: </span><span class="hl-2">true</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"adminGroups"</span><span class="hl-0">: [</span><span class="hl-4">"admins"</span><span class="hl-0">, </span><span class="hl-4">"sk-admin"</span><span class="hl-0">],</span><br/><span class="hl-0"> </span><span class="hl-3">"readwriteGroups"</span><span class="hl-0">: [</span><span class="hl-4">"users"</span><span class="hl-0">],</span><br/><span class="hl-0"> </span><span class="hl-3">"groupsAttribute"</span><span class="hl-0">: </span><span class="hl-4">"groups"</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"providerName"</span><span class="hl-0">: </span><span class="hl-4">"Corporate SSO"</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"autoLogin"</span><span class="hl-0">: </span><span class="hl-2">false</span><br/><span class="hl-0"> }</span><br/><span class="hl-0">}</span>
</code><button type="button">Copy</button></pre>
<p><strong>Note</strong>: Environment variables take precedence over <code>security.json</code> settings.</p>
<h2 id="permission-mapping" class="tsd-anchor-link">Permission Mapping<a href="#permission-mapping" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h2>
<p>Signal K maps OIDC groups to permission levels in this priority order:</p>
<ol>
<li><strong>Admin</strong>: User belongs to any group in <code>adminGroups</code></li>
<li><strong>Read/Write</strong>: User belongs to any group in <code>readwriteGroups</code></li>
<li><strong>Default</strong>: User gets <code>defaultPermission</code> (default: <code>readonly</code>)</li>
</ol>
<h3 id="example-configuration" class="tsd-anchor-link">Example Configuration<a href="#example-configuration" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<pre><code class="bash"><span class="hl-6"># Users in "admins" or "signalk-admins" get admin access</span><br/><span class="hl-0">SIGNALK_OIDC_ADMIN_GROUPS</span><span class="hl-1">=</span><span class="hl-4">admins,signalk-admins</span><br/><br/><span class="hl-6"># Users in "crew" or "operators" get read/write access</span><br/><span class="hl-0">SIGNALK_OIDC_READWRITE_GROUPS</span><span class="hl-1">=</span><span class="hl-4">crew,operators</span><br/><br/><span class="hl-6"># Everyone else gets read-only access</span><br/><span class="hl-0">SIGNALK_OIDC_DEFAULT_PERMISSION</span><span class="hl-1">=</span><span class="hl-4">readonly</span>
</code><button type="button">Copy</button></pre>
<h3 id="groups-claim" class="tsd-anchor-link">Groups Claim<a href="#groups-claim" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p>By default, Signal K looks for groups in the <code>groups</code> claim of the ID token. Some providers use different claim names:</p>
<table>
<thead>
<tr>
<th>Provider</th>
<th>Groups Claim</th>
</tr>
</thead>
<tbody>
<tr>
<td>Keycloak</td>
<td><code>groups</code> (requires mapper)</td>
</tr>
<tr>
<td>Authentik</td>
<td><code>groups</code></td>
</tr>
<tr>
<td>Auth0</td>
<td>Custom (requires rule)</td>
</tr>
<tr>
<td>Okta</td>
<td><code>groups</code></td>
</tr>
<tr>
<td>Azure AD</td>
<td><code>groups</code></td>
</tr>
<tr>
<td>AWS Cognito</td>
<td><code>cognito:groups</code></td>
</tr>
</tbody>
</table>
<p>Configure the claim name:</p>
<pre><code class="bash"><span class="hl-0">SIGNALK_OIDC_GROUPS_ATTRIBUTE</span><span class="hl-1">=</span><span class="hl-4">cognito:groups</span>
</code><button type="button">Copy</button></pre>
<h2 id="provider-setup-guides" class="tsd-anchor-link">Provider Setup Guides<a href="#provider-setup-guides" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h2>
<h3 id="keycloak" class="tsd-anchor-link">Keycloak<a href="#keycloak" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<ol>
<li>
<p>Create a new client in your realm:</p>
<ul>
<li><strong>Client ID</strong>: <code>signalk-server</code></li>
<li><strong>Client Protocol</strong>: <code>openid-connect</code></li>
<li><strong>Access Type</strong>: <code>confidential</code></li>
<li><strong>Valid Redirect URIs</strong>: <code>https://your-server:3000/signalk/v1/auth/oidc/callback</code></li>
</ul>
</li>
<li>
<p>Add a groups mapper:</p>
<ul>
<li>Go to <strong>Clients > signalk-server > Mappers</strong></li>
<li>Click <strong>Create</strong></li>
<li><strong>Name</strong>: <code>groups</code></li>
<li><strong>Mapper Type</strong>: <code>Group Membership</code></li>
<li><strong>Token Claim Name</strong>: <code>groups</code></li>
<li><strong>Add to ID token</strong>: <code>ON</code></li>
</ul>
</li>
<li>
<p>Configure Signal K:</p>
<pre><code class="bash"><span class="hl-0">SIGNALK_OIDC_ENABLED</span><span class="hl-1">=</span><span class="hl-4">true</span><br/><span class="hl-0">SIGNALK_OIDC_ISSUER</span><span class="hl-1">=</span><span class="hl-4">https://keycloak.example.com/realms/your-realm</span><br/><span class="hl-0">SIGNALK_OIDC_CLIENT_ID</span><span class="hl-1">=</span><span class="hl-4">signalk-server</span><br/><span class="hl-0">SIGNALK_OIDC_CLIENT_SECRET</span><span class="hl-1">=<</span><span class="hl-4">from</span><span class="hl-0"> </span><span class="hl-5">Keycloak</span><span class="hl-0">></span><br/><span class="hl-0">SIGNALK_OIDC_ADMIN_GROUPS</span><span class="hl-1">=</span><span class="hl-4">admins</span>
</code><button type="button">Copy</button></pre>
</li>
</ol>
<h3 id="authentik" class="tsd-anchor-link">Authentik<a href="#authentik" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<ol>
<li>
<p>Create a new OAuth2/OIDC Provider:</p>
<ul>
<li><strong>Name</strong>: <code>Signal K Server</code></li>
<li><strong>Client Type</strong>: <code>Confidential</code></li>
<li><strong>Redirect URIs</strong>: <code>https://your-server:3000/signalk/v1/auth/oidc/callback</code></li>
<li><strong>Scopes</strong>: <code>openid email profile groups</code></li>
</ul>
</li>
<li>
<p>Create an Application linked to the provider</p>
</li>
<li>
<p>Configure Signal K:</p>
<pre><code class="bash"><span class="hl-0">SIGNALK_OIDC_ENABLED</span><span class="hl-1">=</span><span class="hl-4">true</span><br/><span class="hl-0">SIGNALK_OIDC_ISSUER</span><span class="hl-1">=</span><span class="hl-4">https://authentik.example.com/application/o/signalk/</span><br/><span class="hl-0">SIGNALK_OIDC_CLIENT_ID</span><span class="hl-1">=<</span><span class="hl-4">from</span><span class="hl-0"> </span><span class="hl-5">Authentik</span><span class="hl-0">></span><br/><span class="hl-0">SIGNALK_OIDC_CLIENT_SECRET</span><span class="hl-1">=<</span><span class="hl-4">from</span><span class="hl-0"> </span><span class="hl-5">Authentik</span><span class="hl-0">></span><br/><span class="hl-0">SIGNALK_OIDC_SCOPE</span><span class="hl-1">=</span><span class="hl-4">openid</span><span class="hl-0"> </span><span class="hl-5">email</span><span class="hl-0"> </span><span class="hl-4">profile</span><span class="hl-0"> </span><span class="hl-4">groups</span><br/><span class="hl-0">SIGNALK_OIDC_ADMIN_GROUPS</span><span class="hl-1">=</span><span class="hl-4">authentik</span><span class="hl-0"> </span><span class="hl-5">Admins</span>
</code><button type="button">Copy</button></pre>
</li>
</ol>
<h3 id="authelia" class="tsd-anchor-link">Authelia<a href="#authelia" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p><a href="https://www.authelia.com/">Authelia</a> is a popular open-source authentication server.</p>
<ol>
<li>
<p>Add a client configuration to your Authelia <code>configuration.yml</code>:</p>
<pre><code class="yaml"><span class="hl-3">identity_providers</span><span class="hl-0">:</span><br/><span class="hl-0"> </span><span class="hl-3">oidc</span><span class="hl-0">:</span><br/><span class="hl-0"> </span><span class="hl-3">clients</span><span class="hl-0">:</span><br/><span class="hl-0"> - </span><span class="hl-3">client_id</span><span class="hl-0">: </span><span class="hl-4">signalk</span><br/><span class="hl-0"> </span><span class="hl-3">client_name</span><span class="hl-0">: </span><span class="hl-4">Signal K Server</span><br/><span class="hl-0"> </span><span class="hl-3">client_secret</span><span class="hl-0">: </span><span class="hl-4">'$pbkdf2-sha512$310000$...'</span><span class="hl-0"> </span><span class="hl-6"># Use authelia hash-password</span><br/><span class="hl-0"> </span><span class="hl-3">public</span><span class="hl-0">: </span><span class="hl-2">false</span><br/><span class="hl-0"> </span><span class="hl-3">authorization_policy</span><span class="hl-0">: </span><span class="hl-4">two_factor</span><span class="hl-0"> </span><span class="hl-6"># or 'one_factor'</span><br/><span class="hl-0"> </span><span class="hl-3">redirect_uris</span><span class="hl-0">:</span><br/><span class="hl-0"> - </span><span class="hl-4">https://your-signalk-server:3000/signalk/v1/auth/oidc/callback</span><br/><span class="hl-0"> </span><span class="hl-3">scopes</span><span class="hl-0">:</span><br/><span class="hl-0"> - </span><span class="hl-4">openid</span><br/><span class="hl-0"> - </span><span class="hl-4">email</span><br/><span class="hl-0"> - </span><span class="hl-4">profile</span><br/><span class="hl-0"> - </span><span class="hl-4">groups</span><br/><span class="hl-0"> </span><span class="hl-3">userinfo_signed_response_alg</span><span class="hl-0">: </span><span class="hl-4">none</span><br/><span class="hl-0"> </span><span class="hl-3">token_endpoint_auth_method</span><span class="hl-0">: </span><span class="hl-4">client_secret_post</span>
</code><button type="button">Copy</button></pre>
</li>
<li>
<p>Generate the client secret hash:</p>
<pre><code class="bash"><span class="hl-5">authelia</span><span class="hl-0"> </span><span class="hl-4">crypto</span><span class="hl-0"> </span><span class="hl-4">hash</span><span class="hl-0"> </span><span class="hl-4">generate</span><span class="hl-0"> </span><span class="hl-4">pbkdf2</span><span class="hl-0"> </span><span class="hl-2">--variant</span><span class="hl-0"> </span><span class="hl-4">sha512</span>
</code><button type="button">Copy</button></pre>
</li>
<li>
<p>Configure Signal K:</p>
<pre><code class="bash"><span class="hl-0">SIGNALK_OIDC_ENABLED</span><span class="hl-1">=</span><span class="hl-4">true</span><br/><span class="hl-0">SIGNALK_OIDC_ISSUER</span><span class="hl-1">=</span><span class="hl-4">https://auth.your-domain.com</span><br/><span class="hl-0">SIGNALK_OIDC_CLIENT_ID</span><span class="hl-1">=</span><span class="hl-4">signalk</span><br/><span class="hl-0">SIGNALK_OIDC_CLIENT_SECRET</span><span class="hl-1">=</span><span class="hl-4">your-unhashed-secret</span><br/><span class="hl-0">SIGNALK_OIDC_SCOPE</span><span class="hl-1">=</span><span class="hl-4">openid</span><span class="hl-0"> </span><span class="hl-5">email</span><span class="hl-0"> </span><span class="hl-4">profile</span><span class="hl-0"> </span><span class="hl-4">groups</span><br/><span class="hl-0">SIGNALK_OIDC_DEFAULT_PERMISSION</span><span class="hl-1">=</span><span class="hl-4">readonly</span>
</code><button type="button">Copy</button></pre>
</li>
<li>
<p>For RP-initiated logout, add to Authelia's config:</p>
<pre><code class="yaml"><span class="hl-3">identity_providers</span><span class="hl-0">:</span><br/><span class="hl-0"> </span><span class="hl-3">oidc</span><span class="hl-0">:</span><br/><span class="hl-0"> </span><span class="hl-3">cors</span><span class="hl-0">:</span><br/><span class="hl-0"> </span><span class="hl-3">allowed_origins_from_client_redirect_uris</span><span class="hl-0">: </span><span class="hl-2">true</span>
</code><button type="button">Copy</button></pre>
</li>
</ol>
<h3 id="auth0" class="tsd-anchor-link">Auth0<a href="#auth0" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<ol>
<li>
<p>Create a new Regular Web Application:</p>
<ul>
<li><strong>Allowed Callback URLs</strong>: <code>https://your-server:3000/signalk/v1/auth/oidc/callback</code></li>
</ul>
</li>
<li>
<p>Add a custom rule to include groups (Actions > Flows > Login):</p>
<pre><code class="javascript"><span class="hl-2">exports</span><span class="hl-0">.</span><span class="hl-7">onExecutePostLogin</span><span class="hl-0"> </span><span class="hl-1">=</span><span class="hl-0"> </span><span class="hl-1">async</span><span class="hl-0"> (</span><span class="hl-5">event</span><span class="hl-0">, </span><span class="hl-5">api</span><span class="hl-0">) </span><span class="hl-1">=></span><span class="hl-0"> {</span><br/><span class="hl-0"> </span><span class="hl-1">const</span><span class="hl-0"> </span><span class="hl-2">namespace</span><span class="hl-0"> </span><span class="hl-1">=</span><span class="hl-0"> </span><span class="hl-4">'https://signalk.org'</span><br/><span class="hl-0"> </span><span class="hl-1">if</span><span class="hl-0"> (event.authorization) {</span><br/><span class="hl-0"> api.idToken.</span><span class="hl-7">setCustomClaim</span><span class="hl-0">(</span><br/><span class="hl-0"> </span><span class="hl-4">`${</span><span class="hl-0">namespace</span><span class="hl-4">}/groups`</span><span class="hl-0">,</span><br/><span class="hl-0"> event.authorization.roles</span><br/><span class="hl-0"> )</span><br/><span class="hl-0"> }</span><br/><span class="hl-0">}</span>
</code><button type="button">Copy</button></pre>
</li>
<li>
<p>Configure Signal K:</p>
<pre><code class="bash"><span class="hl-0">SIGNALK_OIDC_ENABLED</span><span class="hl-1">=</span><span class="hl-4">true</span><br/><span class="hl-0">SIGNALK_OIDC_ISSUER</span><span class="hl-1">=</span><span class="hl-4">https://your-tenant.auth0.com/</span><br/><span class="hl-0">SIGNALK_OIDC_CLIENT_ID</span><span class="hl-1">=<</span><span class="hl-4">from</span><span class="hl-0"> </span><span class="hl-5">Auth0</span><span class="hl-0">></span><br/><span class="hl-0">SIGNALK_OIDC_CLIENT_SECRET</span><span class="hl-1">=<</span><span class="hl-4">from</span><span class="hl-0"> </span><span class="hl-5">Auth0</span><span class="hl-0">></span><br/><span class="hl-0">SIGNALK_OIDC_GROUPS_ATTRIBUTE</span><span class="hl-1">=</span><span class="hl-4">https://signalk.org/groups</span>
</code><button type="button">Copy</button></pre>
</li>
</ol>
<h3 id="generic-oidc-provider" class="tsd-anchor-link">Generic OIDC Provider<a href="#generic-oidc-provider" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p>Any OIDC-compliant provider should work. Ensure:</p>
<ol>
<li>The provider supports the Authorization Code flow with PKCE</li>
<li>You can obtain the <strong>Issuer URL</strong> (used for OIDC Discovery)</li>
<li>Groups are included in the ID token (or userinfo endpoint)</li>
</ol>
<p>The Issuer URL should have a discovery document at:
<code>{issuer}/.well-known/openid-configuration</code></p>
<h2 id="auto-login-mode" class="tsd-anchor-link">Auto-Login Mode<a href="#auto-login-mode" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h2>
<p>When <code>SIGNALK_OIDC_AUTO_LOGIN=true</code>, Signal K automatically redirects unauthenticated users to the OIDC provider instead of showing the login page.</p>
<p>This is useful when:</p>
<ul>
<li>OIDC is the only authentication method</li>
<li>Signal K is behind a reverse proxy that handles authentication</li>
<li>You want a seamless SSO experience</li>
</ul>
<p><strong>Note</strong>: Local login remains available at <code>/admin/#/login?noAutoLogin=true</code></p>
<h2 id="security-considerations" class="tsd-anchor-link">Security Considerations<a href="#security-considerations" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h2>
<h3 id="pkce-proof-key-for-code-exchange" class="tsd-anchor-link">PKCE (Proof Key for Code Exchange)<a href="#pkce-proof-key-for-code-exchange" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p>Signal K uses PKCE for all OIDC flows, providing protection against authorization code interception attacks. This is automatic and requires no configuration.</p>
<h3 id="state-parameter" class="tsd-anchor-link">State Parameter<a href="#state-parameter" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p>A cryptographically random state parameter prevents CSRF attacks during the OAuth flow. The state is stored in an encrypted, HTTP-only cookie.</p>
<h3 id="token-validation" class="tsd-anchor-link">Token Validation<a href="#token-validation" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p>ID tokens are validated by:</p>
<ul>
<li>Verifying the signature against the provider's JWKS</li>
<li>Checking the issuer matches the configured issuer</li>
<li>Verifying the audience contains the client ID</li>
<li>Validating the token is not expired</li>
<li>Verifying the nonce matches (prevents replay attacks)</li>
</ul>
<h3 id="https-requirement" class="tsd-anchor-link">HTTPS Requirement<a href="#https-requirement" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p>For production use, always run Signal K behind HTTPS. OIDC cookies are marked as <code>Secure</code> when accessed over HTTPS.</p>
<h2 id="troubleshooting" class="tsd-anchor-link">Troubleshooting<a href="#troubleshooting" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h2>
<h3 id="oidc-discovery-failed" class="tsd-anchor-link">"OIDC discovery failed"<a href="#oidc-discovery-failed" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p><strong>Cause</strong>: Signal K cannot reach the OIDC provider's discovery endpoint.</p>
<p><strong>Solutions</strong>:</p>
<ul>
<li>Verify the issuer URL is correct</li>
<li>Check network connectivity to the provider</li>
<li>Ensure the discovery endpoint is accessible: <code>curl {issuer}/.well-known/openid-configuration</code></li>
</ul>
<h3 id="invalid-redirect-uri" class="tsd-anchor-link">"Invalid redirect URI"<a href="#invalid-redirect-uri" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p><strong>Cause</strong>: The callback URL doesn't match what's registered with the provider.</p>
<p><strong>Solutions</strong>:</p>
<ul>
<li>Check the redirect URI registered with your provider</li>
<li>Ensure it exactly matches: <code>https://your-server:3000/signalk/v1/auth/oidc/callback</code></li>
<li>For development, you may need to add <code>http://localhost:3000/...</code> as well</li>
</ul>
<h3 id="user-has-readonly-permissions-expected-admin" class="tsd-anchor-link">"User has readonly permissions" (expected admin)<a href="#user-has-readonly-permissions-expected-admin" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p><strong>Cause</strong>: Groups aren't being mapped correctly.</p>
<p><strong>Solutions</strong>:</p>
<ol>
<li>Check the ID token contains groups:
<ul>
<li>Use browser developer tools to inspect the token</li>
<li>Or decode the JWT at <a href="https://jwt.io">jwt.io</a></li>
</ul>
</li>
<li>Verify <code>groupsAttribute</code> matches your provider's claim name</li>
<li>Ensure the user is in a group listed in <code>adminGroups</code></li>
<li>Some providers require explicit configuration to include groups in tokens</li>
</ol>
<h3 id="state-mismatch-or-invalid-state" class="tsd-anchor-link">"State mismatch" or "Invalid state"<a href="#state-mismatch-or-invalid-state" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p><strong>Cause</strong>: The OIDC flow state was lost or expired.</p>
<p><strong>Solutions</strong>:</p>
<ul>
<li>Ensure cookies are enabled in the browser</li>
<li>Check if a reverse proxy is stripping cookies</li>
<li>The state cookie expires after 10 minutes; restart the login flow</li>
</ul>
<h3 id="login-redirects-but-user-not-authenticated" class="tsd-anchor-link">Login redirects but user not authenticated<a href="#login-redirects-but-user-not-authenticated" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<p><strong>Cause</strong>: The callback is failing silently.</p>
<p><strong>Solutions</strong>:</p>
<ul>
<li>Check Signal K server logs for OIDC errors</li>
<li>Verify the client secret is correct</li>
<li>Ensure the token endpoint is accessible from Signal K</li>
</ul>
<h2 id="api-reference" class="tsd-anchor-link">API Reference<a href="#api-reference" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h2>
<h3 id="login-endpoint" class="tsd-anchor-link">Login Endpoint<a href="#login-endpoint" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<pre><code><span class="hl-2">GET</span><span class="hl-0"> </span><span class="hl-1">/</span><span class="hl-0">signalk</span><span class="hl-1">/</span><span class="hl-0">v1</span><span class="hl-1">/</span><span class="hl-0">auth</span><span class="hl-1">/</span><span class="hl-0">oidc</span><span class="hl-1">/</span><span class="hl-0">login</span>
</code><button>Copy</button></pre>
<p>Initiates the OIDC login flow. Redirects to the identity provider.</p>
<p>Query parameters:</p>
<ul>
<li><code>returnTo</code> (optional): URL to redirect after successful login</li>
</ul>
<h3 id="callback-endpoint" class="tsd-anchor-link">Callback Endpoint<a href="#callback-endpoint" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<pre><code><span class="hl-2">GET</span><span class="hl-0"> </span><span class="hl-1">/</span><span class="hl-0">signalk</span><span class="hl-1">/</span><span class="hl-0">v1</span><span class="hl-1">/</span><span class="hl-0">auth</span><span class="hl-1">/</span><span class="hl-0">oidc</span><span class="hl-1">/</span><span class="hl-0">callback</span>
</code><button>Copy</button></pre>
<p>Handles the OIDC callback from the identity provider. Not called directly by users.</p>
<h3 id="login-status" class="tsd-anchor-link">Login Status<a href="#login-status" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<pre><code><span class="hl-2">GET</span><span class="hl-0"> </span><span class="hl-1">/</span><span class="hl-0">skServer</span><span class="hl-1">/</span><span class="hl-0">loginStatus</span>
</code><button>Copy</button></pre>
<p>Returns the current authentication status including OIDC configuration:</p>
<pre><code class="json"><span class="hl-0">{</span><br/><span class="hl-0"> </span><span class="hl-3">"status"</span><span class="hl-0">: </span><span class="hl-4">"loggedIn"</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"username"</span><span class="hl-0">: </span><span class="hl-4">"oidc-user@example.com"</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"userLevel"</span><span class="hl-0">: </span><span class="hl-4">"admin"</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"oidcEnabled"</span><span class="hl-0">: </span><span class="hl-2">true</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"oidcAutoLogin"</span><span class="hl-0">: </span><span class="hl-2">false</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"oidcLoginUrl"</span><span class="hl-0">: </span><span class="hl-4">"/signalk/v1/auth/oidc/login"</span><span class="hl-0">,</span><br/><span class="hl-0"> </span><span class="hl-3">"oidcProviderName"</span><span class="hl-0">: </span><span class="hl-4">"Corporate SSO"</span><br/><span class="hl-0">}</span>
</code><button type="button">Copy</button></pre>
<h3 id="admin-configuration-api" class="tsd-anchor-link">Admin Configuration API<a href="#admin-configuration-api" aria-label="Permalink" class="tsd-anchor-icon"><svg viewBox="0 0 24 24" aria-hidden="true"><use href="../assets/icons.svg#icon-anchor"></use></svg></a></h3>
<pre><code><span class="hl-2">GET</span><span class="hl-0"> </span><span class="hl-1">/</span><span class="hl-0">skServer</span><span class="hl-1">/</span><span class="hl-0">security</span><span class="hl-1">/</span><span class="hl-0">oidc</span><br/><span class="hl-2">PUT</span><span class="hl-0"> </span><span class="hl-1">/</span><span class="hl-0">skServer</span><span class="hl-1">/</span><span class="hl-0">security</span><span class="hl-1">/</span><span class="hl-0">oidc</span><br/><span class="hl-2">POST</span><span class="hl-0"> </span><span class="hl-1">/</span><span class="hl-0">skServer</span><span class="hl-1">/</span><span class="hl-0">security</span><span class="hl-1">/</span><span class="hl-0">oidc</span><span class="hl-1">/</span><span class="hl-0">test</span>
</code><button>Copy</button></pre>
<p>Admin-only endpoints for managing OIDC configuration. See the OpenAPI documentation for details.</p>
</div></div><div class="col-sidebar"><div class="page-menu"><details open class="tsd-accordion tsd-page-navigation"><summary class="tsd-accordion-summary"><svg width="20" height="20" viewBox="0 0 24 24" fill="none" aria-hidden="true"><use href="../assets/icons.svg#icon-chevronDown"></use></svg><h3>On This Page</h3></summary><div class="tsd-accordion-details"><a href="#overview"><span>Overview</span></a><a href="#quick-start"><span>Quick <wbr/>Start</span></a><ul><li><a href="#1-register-signal-k-as-an-oidc-client"><span>1. <wbr/>Register <wbr/>Signal <wbr/>K as an <wbr/>OIDC <wbr/>Client</span></a></li><li><a href="#2-configure-signal-k"><span>2. <wbr/>Configure <wbr/>Signal <wbr/>K</span></a></li><li><a href="#3-test-the-configuration"><span>3. <wbr/>Test the <wbr/>Configuration</span></a></li></ul><a href="#configuration-reference"><span>Configuration <wbr/>Reference</span></a><ul><li><a href="#environment-variables"><span>Environment <wbr/>Variables</span></a></li><li><a href="#securityjson-configuration"><span>security.json <wbr/>Configuration</span></a></li></ul><a href="#permission-mapping"><span>Permission <wbr/>Mapping</span></a><ul><li><a href="#example-configuration"><span>Example <wbr/>Configuration</span></a></li><li><a href="#groups-claim"><span>Groups <wbr/>Claim</span></a></li></ul><a href="#provider-setup-guides"><span>Provider <wbr/>Setup <wbr/>Guides</span></a><ul><li><a href="#keycloak"><span>Keycloak</span></a></li><li><a href="#authentik"><span>Authentik</span></a></li><li><a href="#authelia"><span>Authelia</span></a></li><li><a href="#auth0"><span>Auth0</span></a></li><li><a href="#generic-oidc-provider"><span>Generic <wbr/>OIDC <wbr/>Provider</span></a></li></ul><a href="#auto-login-mode"><span>Auto-<wbr/>Login <wbr/>Mode</span></a><a href="#security-considerations"><span>Security <wbr/>Considerations</span></a><ul><li><a href="#pkce-proof-key-for-code-exchange"><span>PKCE (<wbr/>Proof <wbr/>Key for <wbr/>Code <wbr/>Exchange)</span></a></li><li><a href="#state-parameter"><span>State <wbr/>Parameter</span></a></li><li><a href="#token-validation"><span>Token <wbr/>Validation</span></a></li><li><a href="#https-requirement"><span>HTTPS <wbr/>Requirement</span></a></li></ul><a href="#troubleshooting"><span>Troubleshooting</span></a><ul><li><a href="#oidc-discovery-failed"><span>"<wbr/>OIDC discovery failed"</span></a></li><li><a href="#invalid-redirect-uri"><span>"<wbr/>Invalid redirect <wbr/>URI"</span></a></li><li><a href="#user-has-readonly-permissions-expected-admin"><span>"<wbr/>User has readonly permissions" (expected admin)</span></a></li><li><a href="#state-mismatch-or-invalid-state"><span>"<wbr/>State mismatch" or "<wbr/>Invalid state"</span></a></li><li><a href="#login-redirects-but-user-not-authenticated"><span>Login redirects but user not authenticated</span></a></li></ul><a href="#api-reference"><span>API <wbr/>Reference</span></a><ul><li><a href="#login-endpoint"><span>Login <wbr/>Endpoint</span></a></li><li><a href="#callback-endpoint"><span>Callback <wbr/>Endpoint</span></a></li><li><a href="#login-status"><span>Login <wbr/>Status</span></a></li><li><a href="#admin-configuration-api"><span>Admin <wbr/>Configuration <wbr/>API</span></a></li></ul></div></details></div><div class="site-menu"><nav class="tsd-navigation"><a href="../modules.html">Signal K</a><ul class="tsd-small-nested-navigation" id="tsd-nav-container"><li>Loading...</li></ul></nav></div></div></div><footer><p class="tsd-generator">Generated using <a href="https://typedoc.org/" target="_blank">TypeDoc</a></p></footer><div class="overlay"></div></body></html>