General Information

Reitti can be configured to use an OpenID Connect (OIDC) provider for user authentication. This allows you to integrate Reitti with existing identity management systems and leverage features like single sign-on (SSO) and multi-factor authentication (MFA) provided by your OIDC provider.

Configuration

Docker

To enable OIDC authentication when running Reitti with Docker, set the following environment variables in your docker-compose.yml file under the reitti service. Treat OIDC_CLIENT_SECRET like any other credential: keep it out of version control, for example by loading it from an env_file or a secrets store rather than writing it into the compose file.

| Environment Variable | Description | Default Value | Example Value |
|---|---|---|---|
| OIDC_ENABLED | Whether to enable OIDC sign-ins | false | true |
| OIDC_CLIENT_ID | Your OpenID Connect Client ID (from your provider) | | google |
| OIDC_CLIENT_SECRET | Your OpenID Connect Client secret (from your provider) | | F0oxfg8b2rp5X97YPS92C2ERxof1oike |
| OIDC_PROVIDER_URI | Your OpenID Connect provider's issuer/discovery URI (don't include the /.well-known/openid-configuration part of the URI) | | https://github.com/login/oauth |
| OIDC_SCOPE | Comma-separated list of scopes to request for your user; openid is required for OIDC (keep the default if you're unsure). This variable is optional. | openid,profile | openid,profile |

Here’s an example of how you might add these to your docker-compose.yml:

services:
  reitti:
    image: dedicatedcode/reitti:latest
    environment:
      - OIDC_ENABLED=true
      - OIDC_CLIENT_ID=your_client_id
      - OIDC_CLIENT_SECRET=your_client_secret
      - OIDC_PROVIDER_URI=https://your_oidc_provider.com
    # ... other configurations

Running from source

When running Reitti directly from its source code, OIDC authentication can be enabled by placing an oidc.properties file in the same directory as your application.properties file. This oidc.properties file should contain the necessary OIDC configuration details.

reitti.security.oidc.enabled=true
spring.security.oauth2.client.registration.oauth.client-id=<client id from your provider>
spring.security.oauth2.client.registration.oauth.client-secret=<client secret from your provider>
spring.security.oauth2.client.provider.oauth.issuer-uri=<issuer URL of your provider, without the /.well-known/openid-configuration part>
spring.security.oauth2.client.registration.oauth.scope=openid,profile
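The Docker variables and the oidc.properties keys above are two spellings of the same settings. As an added pre-flight check (example code written for this page, not part of Reitti), the script below validates the OIDC_* values against the provider's discovery document and renders the matching oidc.properties lines. The discovery document is a constructed sample embedded so the script runs offline; in a real deployment you would fetch it from OIDC_PROVIDER_URI + /.well-known/openid-configuration. The exact-issuer rule reflects Spring Security's behaviour when it loads a provider from issuer-uri: a value that differs even by a trailing slash is rejected at startup.

```python
"""Pre-flight check for Reitti's OIDC settings (added example, not Reitti code)."""
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document shaped like a real /.well-known/openid-configuration
# response (hostnames are placeholders). Embedded so the check runs offline.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://id.example.com",
    "authorization_endpoint": "https://id.example.com/authorize",
    "token_endpoint": "https://id.example.com/api/oidc/token",
    "jwks_uri": "https://id.example.com/.well-known/jwks.json",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "response_types_supported": ["code", "id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})


def check_oidc_env(env: dict, discovery_json: str) -> list[str]:
    """Return a list of problems; an empty list means the settings look usable."""
    problems = []
    if env.get("OIDC_ENABLED", "false").lower() != "true":
        problems.append("OIDC_ENABLED is not 'true'; Reitti will not offer OIDC sign-in")
    for key in ("OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET"):
        if not env.get(key, "").strip():
            problems.append(f"{key} is empty")

    provider = env.get("OIDC_PROVIDER_URI", "").strip()
    if not provider:
        problems.append("OIDC_PROVIDER_URI is empty")
    else:
        if urlparse(provider).scheme != "https":
            problems.append("OIDC_PROVIDER_URI should use https; the client secret and tokens travel over it")
        if provider.endswith(WELL_KNOWN):
            problems.append(f"OIDC_PROVIDER_URI must not end with {WELL_KNOWN}; the client appends it itself")

    # OIDC_SCOPE is comma separated; 'openid' is what makes this OIDC rather than plain OAuth2.
    scopes = [s.strip() for s in env.get("OIDC_SCOPE", "openid,profile").split(",") if s.strip()]
    if "openid" not in scopes:
        problems.append("OIDC_SCOPE must include 'openid' or the provider will not issue an ID token")

    disc = json.loads(discovery_json)
    # Spring Security requires the discovery document's 'issuer' to equal the configured
    # issuer-uri exactly; a trailing slash or http/https difference fails startup.
    if provider and disc.get("issuer") != provider:
        problems.append(f"issuer mismatch: discovery says {disc.get('issuer')!r}, configured {provider!r}")
    unsupported = [s for s in scopes if s not in disc.get("scopes_supported", [])]
    if unsupported:
        problems.append(f"scopes not advertised by provider: {unsupported}")
    if "code" not in disc.get("response_types_supported", []):
        problems.append("provider does not advertise the 'code' response type used by the authorization code flow")
    auth_methods = disc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not {"client_secret_basic", "client_secret_post"} & set(auth_methods):
        problems.append("provider accepts no client-secret authentication method at the token endpoint")
    return problems


def env_to_properties(env: dict) -> str:
    """Render the oidc.properties equivalent of the Docker environment variables."""
    prefix = "spring.security.oauth2.client"
    lines = [
        f"reitti.security.oidc.enabled={env.get('OIDC_ENABLED', 'false')}",
        f"{prefix}.registration.oauth.client-id={env['OIDC_CLIENT_ID']}",
        f"{prefix}.registration.oauth.client-secret={env['OIDC_CLIENT_SECRET']}",
        f"{prefix}.provider.oauth.issuer-uri={env['OIDC_PROVIDER_URI']}",
        f"{prefix}.registration.oauth.scope={env.get('OIDC_SCOPE', 'openid,profile')}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    good = {"OIDC_ENABLED": "true", "OIDC_CLIENT_ID": "reitti", "OIDC_CLIENT_SECRET": "s3cret",
            "OIDC_PROVIDER_URI": "https://id.example.com"}
    bad = dict(good, OIDC_PROVIDER_URI="http://id.example.com" + WELL_KNOWN, OIDC_SCOPE="profile")
    for name, cfg in (("good", good), ("bad", bad)):
        print(name, check_oidc_env(cfg, SAMPLE_DISCOVERY) or "ok")
    print(env_to_properties(good))
```

Run it with the real discovery document of your provider pasted in place of SAMPLE_DISCOVERY; the issuer check is the one that catches most copy-and-paste mistakes, because the error Spring prints at startup is easy to miss in container logs.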

Provider Examples

This section provides examples of how to configure Reitti with different OpenID Connect providers.

PocketId

PocketId is a self-hosted OpenID Connect provider. You can find more information about the project here.

To configure Reitti to use PocketId:

  1. Create a new client in PocketId:
  • Log in to your PocketId instance.
  • Navigate to the client registration section.
  • Create a new client, providing a name for your Reitti installation (e.g., “Reitti App”).
  • Crucially, set the callback (redirect) URI to the URL of your Reitti installation. OIDC providers compare the redirect URI a client sends with the registered value exactly, so a difference in scheme, host, port or path fails the login.

  2. Obtain Client ID and Client Secret:
  • After creating the client, PocketId will display a Client ID and a Client Secret. Copy these values and store the secret as you would any other credential.

  3. Configure Reitti:
  • For Docker: Set the OIDC_CLIENT_ID and OIDC_CLIENT_SECRET environment variables in your docker-compose.yml file to the values you copied from PocketId.
  • For Running from Source: Enter the Client ID and Client Secret into the oidc.properties file as spring.security.oauth2.client.registration.oauth.client-id and spring.security.oauth2.client.registration.oauth.client-secret respectively.

  4. Set the Issuer URI:
  • The OIDC_PROVIDER_URI (for Docker) or spring.security.oauth2.client.provider.oauth.issuer-uri (for oidc.properties) should be set to the base URL of your PocketId installation (e.g., https://your-pocketid-domain.com), exactly as it appears in the issuer field of PocketId's discovery document and without the /.well-known/openid-configuration suffix; Spring Security rejects a value that differs even by a trailing slash.
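The callback registration in step 1 is where most first attempts fail. The following is an added example (not PocketId's or Reitti's code) that computes the redirect URI Reitti will present and, when none of the registered callback URLs matches it exactly, explains how each one differs. It assumes Reitti's OIDC client is Spring Security's, registered under the id oauth from the oidc.properties keys above, using Spring's default redirect URI template {baseUrl}/login/oauth2/code/{registrationId}; if Reitti overrides that template, substitute the path it actually uses. The hostnames are placeholders.

```python
"""Check registered callback URLs against the redirect URI Reitti will send
(added example; assumes Spring Security's default redirect template)."""
from urllib.parse import urlparse

# Registration id taken from spring.security.oauth2.client.registration.oauth.* above.
REGISTRATION_ID = "oauth"


def expected_redirect_uri(reitti_base_url: str, registration_id: str = REGISTRATION_ID) -> str:
    """Redirect URI under Spring's default template {baseUrl}/login/oauth2/code/{registrationId}.
    Assumption: Reitti does not override the template."""
    return reitti_base_url.rstrip("/") + f"/login/oauth2/code/{registration_id}"


def diagnose_callback(registered: list[str], reitti_base_url: str) -> tuple[bool, list[str]]:
    """Exact-match check (as the OIDC provider performs it) plus a per-URL explanation
    of what differs when nothing matches."""
    want = expected_redirect_uri(reitti_base_url)
    if want in registered:
        return True, []
    w = urlparse(want)
    notes = [f"none of the registered callback URLs equals {want!r}"]
    for r in registered:
        p = urlparse(r)
        diffs = []
        if p.scheme != w.scheme:
            diffs.append(f"scheme {p.scheme} != {w.scheme} (register the URL Reitti is served on)")
        if p.netloc != w.netloc:
            diffs.append(f"host/port {p.netloc!r} != {w.netloc!r} (check the reverse proxy's forwarded host)")
        if p.path != w.path:
            hint = " (trailing slash)" if p.path.rstrip("/") == w.path.rstrip("/") else ""
            diffs.append(f"path {p.path!r} != {w.path!r}{hint}")
        if not diffs:
            diffs.append("query string or fragment differs")
        notes.append(f"{r!r}: " + ", ".join(diffs))
    return False, notes


if __name__ == "__main__":
    # Constructed sample: what an admin might have typed into PocketId's client form.
    registered = ["https://reitti.example.com", "http://reitti.example.com/login/oauth2/code/oauth"]
    ok, notes = diagnose_callback(registered, "https://reitti.example.com/")
    print("ok" if ok else "\n".join(notes))
```

Registering only the site root, as in the first constructed entry, is the typical mistake behind an "invalid redirect_uri" error from the provider; the second entry shows the http/https mismatch you get when Reitti sits behind a TLS-terminating proxy that does not forward the original scheme.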