OxiCloud

Appearance

OIDC Config Examples

This page collects provider-specific OpenID Connect examples for OxiCloud. Use it together with the base reference in OIDC / SSO.

Base Environment Variables

bash
OXICLOUD_OIDC_ENABLED=true
OXICLOUD_OIDC_PROVIDER_NAME="Display Name"
OXICLOUD_OIDC_ISSUER_URL="https://provider.example.com/realms/your-realm"
OXICLOUD_OIDC_CLIENT_ID="your-client-id"
OXICLOUD_OIDC_CLIENT_SECRET="your-client-secret"
OXICLOUD_OIDC_REDIRECT_URI="https://your-oxicloud.example.com/api/auth/oidc/callback"
OXICLOUD_OIDC_SCOPES="openid profile email"
OXICLOUD_OIDC_FRONTEND_URL="https://your-oxicloud.example.com"
OXICLOUD_OIDC_AUTO_PROVISION="true"
OXICLOUD_OIDC_ADMIN_GROUPS="admin-group"
OXICLOUD_OIDC_DISABLE_PASSWORD_LOGIN="false"

Authentik

  1. Create an OAuth2 or OpenID Connect application for OxiCloud
  2. Register https://your-oxicloud.example.com/api/auth/oidc/callback as the callback URL
  3. Copy the generated client ID and client secret
yaml
services:
  oxicloud:
    image: diocrafts/oxicloud:latest
    environment:
      OXICLOUD_OIDC_ENABLED: "true"
      OXICLOUD_OIDC_PROVIDER_NAME: "Authentik"
      OXICLOUD_OIDC_ISSUER_URL: "https://authentik.example.com/application/o/oxicloud"
      OXICLOUD_OIDC_CLIENT_ID: "your-authentik-client-id"
      OXICLOUD_OIDC_CLIENT_SECRET: "your-authentik-client-secret"
      OXICLOUD_OIDC_REDIRECT_URI: "https://oxicloud.example.com/api/auth/oidc/callback"
      OXICLOUD_OIDC_SCOPES: "openid profile email"
      OXICLOUD_OIDC_FRONTEND_URL: "https://oxicloud.example.com"

Authelia

Configure an OIDC client in Authelia and allow OxiCloud's redirect URI.

yaml
identity_providers:
  oidc:
    clients:
      - id: oxicloud
        description: OxiCloud
        public: false
        redirect_uris:
          - https://oxicloud.example.com/api/auth/oidc/callback
        scopes: [openid, profile, email, groups]
yaml
services:
  oxicloud:
    image: diocrafts/oxicloud:latest
    environment:
      OXICLOUD_OIDC_PROVIDER_NAME: "Authelia"
      OXICLOUD_OIDC_ISSUER_URL: "https://authelia.example.com"
      OXICLOUD_OIDC_CLIENT_ID: "oxicloud"
      OXICLOUD_OIDC_CLIENT_SECRET: "your-client-secret"

Keycloak

  1. Create a confidential client named oxicloud
  2. Set the valid redirect URI to https://oxicloud.example.com/api/auth/oidc/callback
  3. Copy the generated client secret
yaml
services:
  oxicloud:
    image: diocrafts/oxicloud:latest
    environment:
      OXICLOUD_OIDC_PROVIDER_NAME: "Keycloak"
      OXICLOUD_OIDC_ISSUER_URL: "https://keycloak.example.com/realms/your-realm"
      OXICLOUD_OIDC_CLIENT_ID: "oxicloud"
      OXICLOUD_OIDC_CLIENT_SECRET: "your-keycloak-client-secret"
      OXICLOUD_OIDC_ADMIN_GROUPS: "oxicloud-admins"

Troubleshooting

Failed to discover the provider

  • Verify the issuer URL exactly matches the provider's discovery URL base
  • Check DNS, TLS, and network reachability from the OxiCloud container or host

Invalid redirect URI

  • Make the configured callback match exactly on scheme, host, port, and path
  • Check for http versus https mismatches

Auto-provisioning problems

  • Enable OXICLOUD_OIDC_AUTO_PROVISION=true if first-login account creation is expected
  • Make sure openid is included in the configured scopes

Released under the MIT License.

Copyright © 2025-present DioCrafts