OIDC Configuration

Configure Stategraph to authenticate users via any OpenID Connect (OIDC) compatible identity provider.

Supported Providers

Any OIDC-compliant provider works, including:

  • Okta
  • Auth0
  • Azure Active Directory (Entra ID)
  • Keycloak
  • OneLogin
  • PingIdentity
  • AWS Cognito
  • GitLab

Basic Configuration

Required Environment Variables

# Enable OIDC
STATEGRAPH_OAUTH_TYPE=oidc

# Your OIDC provider's issuer URL
STATEGRAPH_OAUTH_OIDC_ISSUER_URL=https://your-provider.com

# OAuth client credentials
STATEGRAPH_OAUTH_CLIENT_ID=your-client-id
STATEGRAPH_OAUTH_CLIENT_SECRET=your-client-secret

# Your Stategraph URL
STATEGRAPH_UI_BASE=https://stategraph.example.com

Optional Environment Variables

# Restrict to email domain
STATEGRAPH_OAUTH_EMAIL_DOMAIN=yourcompany.com

# Custom login button text
STATEGRAPH_OAUTH_DISPLAY_NAME="Sign in with SSO"

# Callback URL base (if different from UI base)
STATEGRAPH_OAUTH_REDIRECT_BASE=https://stategraph.example.com

Provider-Specific Setup

Okta

Create Application

  1. Go to Okta Admin Console
  2. Navigate to Applications > Create App Integration
  3. Select OIDC - OpenID Connect
  4. Select Web Application
  5. Configure:
  6. App integration name: Stategraph
  7. Grant type: Authorization Code
  8. Sign-in redirect URIs: https://stategraph.example.com/oauth2/oidc/callback
  9. Sign-out redirect URIs: https://stategraph.example.com
  10. Save and copy Client ID and Client Secret

Configuration

STATEGRAPH_OAUTH_TYPE=oidc
STATEGRAPH_OAUTH_OIDC_ISSUER_URL=https://your-org.okta.com
STATEGRAPH_OAUTH_CLIENT_ID=0oaxxxxxxxxxxxxxx
STATEGRAPH_OAUTH_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Auth0

Create Application

  1. Go to Auth0 Dashboard
  2. Navigate to Applications > Create Application
  3. Select Regular Web Applications
  4. In Settings:
  5. Allowed Callback URLs: https://stategraph.example.com/oauth2/oidc/callback
  6. Allowed Logout URLs: https://stategraph.example.com
  7. Copy Domain, Client ID, and Client Secret

Configuration

STATEGRAPH_OAUTH_TYPE=oidc
STATEGRAPH_OAUTH_OIDC_ISSUER_URL=https://your-tenant.auth0.com
STATEGRAPH_OAUTH_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
STATEGRAPH_OAUTH_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Azure AD (Entra ID)

Register Application

  1. Go to Azure Portal > Azure Active Directory
  2. Navigate to App registrations > New registration
  3. Configure:
  4. Name: Stategraph
  5. Supported account types: Accounts in this organizational directory only
  6. Redirect URI: Web - https://stategraph.example.com/oauth2/oidc/callback
  7. After creation:
  8. Copy Application (client) ID
  9. Go to Certificates & secrets > New client secret
  10. Copy the secret value

Configuration

STATEGRAPH_OAUTH_TYPE=oidc
STATEGRAPH_OAUTH_OIDC_ISSUER_URL=https://login.microsoftonline.com/{tenant-id}/v2.0
STATEGRAPH_OAUTH_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
STATEGRAPH_OAUTH_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Replace {tenant-id} with your Azure AD tenant ID.

Keycloak

Create Client

  1. Go to Keycloak Admin Console
  2. Select your realm
  3. Navigate to Clients > Create client
  4. Configure:
  5. Client ID: stategraph
  6. Client Protocol: openid-connect
  7. Root URL: https://stategraph.example.com
  8. After creation:
  9. Set Valid Redirect URIs: https://stategraph.example.com/oauth2/oidc/callback
  10. Enable Client authentication
  11. Copy the client secret from Credentials tab

Configuration

STATEGRAPH_OAUTH_TYPE=oidc
STATEGRAPH_OAUTH_OIDC_ISSUER_URL=https://keycloak.example.com/realms/your-realm
STATEGRAPH_OAUTH_CLIENT_ID=stategraph
STATEGRAPH_OAUTH_CLIENT_SECRET=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

AWS Cognito

Create User Pool and App Client

  1. Go to AWS Cognito Console
  2. Create or select a User Pool
  3. Navigate to App clients > Create app client
  4. Configure:
  5. App client name: stategraph
  6. Enable Generate client secret
  7. Under App integration > Domain, set up a Cognito domain or custom domain
  8. Configure callback URL: https://stategraph.example.com/oauth2/oidc/callback

Configuration

STATEGRAPH_OAUTH_TYPE=oidc
STATEGRAPH_OAUTH_OIDC_ISSUER_URL=https://cognito-idp.{region}.amazonaws.com/{user-pool-id}
STATEGRAPH_OAUTH_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxx
STATEGRAPH_OAUTH_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

GitLab

Create Application

  1. Go to GitLab > User Settings > Applications (Or Admin Area > Applications for instance-wide)
  2. Configure:
  3. Name: Stategraph
  4. Redirect URI: https://stategraph.example.com/oauth2/oidc/callback
  5. Scopes: openid, email, profile
  6. Save and copy Application ID and Secret

Configuration

STATEGRAPH_OAUTH_TYPE=oidc
STATEGRAPH_OAUTH_OIDC_ISSUER_URL=https://gitlab.com
# Or your self-hosted GitLab URL
STATEGRAPH_OAUTH_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
STATEGRAPH_OAUTH_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Finding the Issuer URL

The issuer URL is the base URL of your OIDC provider. Most providers publish their configuration at:

{issuer_url}/.well-known/openid-configuration

For example: - Okta: https://your-org.okta.com/.well-known/openid-configuration - Auth0: https://your-tenant.auth0.com/.well-known/openid-configuration - Azure AD: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

This endpoint returns the OIDC discovery document with authorization endpoints.

Docker Compose Example

services:
  server:
    image: ghcr.io/stategraph/stategraph-server:<version>
    environment:
      DB_HOST: "db"
      DB_PORT: "5432"
      DB_USER: "stategraph"
      DB_PASS: "stategraph"
      DB_NAME: "stategraph"

      STATEGRAPH_UI_BASE: "https://stategraph.example.com"

      STATEGRAPH_OAUTH_TYPE: "oidc"
      STATEGRAPH_OAUTH_OIDC_ISSUER_URL: "https://your-provider.com"
      STATEGRAPH_OAUTH_CLIENT_ID: "your-client-id"
      STATEGRAPH_OAUTH_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
      STATEGRAPH_OAUTH_EMAIL_DOMAIN: "yourcompany.com"
      STATEGRAPH_OAUTH_DISPLAY_NAME: "Sign in with SSO"
    ports:
      - "8080:8080"

Troubleshooting

"Invalid issuer"

The issuer URL is incorrect or unreachable.

Solutions: - Verify the issuer URL is correct - Test with: curl {issuer_url}/.well-known/openid-configuration - Check network connectivity from Stategraph to the provider

"Invalid client"

The client ID or secret is incorrect.

Solutions: - Verify credentials from your provider's dashboard - Check for whitespace or newlines in values - Ensure the client hasn't been deleted or disabled

"Redirect URI mismatch"

The callback URL doesn't match what's configured in the provider.

Solutions: - The exact URL must match: https://stategraph.example.com/oauth2/oidc/callback - Check protocol (http vs https) - Check hostname and port - No trailing slash

"Access denied" after authentication

User was authenticated but denied access.

Solutions: - Check STATEGRAPH_OAUTH_EMAIL_DOMAIN setting - Verify user's email is in the allowed domain - Check provider's group/role assignments if applicable

Session not persisting

Cookies not being set correctly.

Solutions: - Verify STATEGRAPH_UI_BASE matches the access URL exactly - Use HTTPS in production - Check for proxy interference

Verifying Configuration

Test OIDC Discovery

curl https://your-provider.com/.well-known/openid-configuration | jq

Should return a JSON document with endpoints:

{
  "issuer": "https://your-provider.com",
  "authorization_endpoint": "https://your-provider.com/authorize",
  "token_endpoint": "https://your-provider.com/oauth/token",
  "userinfo_endpoint": "https://your-provider.com/userinfo",
  "jwks_uri": "https://your-provider.com/.well-known/jwks.json"
}

Check Stategraph Logs

docker compose logs server | grep -i oauth

Look for errors or successful authentication messages.

Security Best Practices

  1. Use HTTPS for both Stategraph and callback URLs
  2. Restrict email domains to your organization
  3. Use secrets management for client secrets
  4. Enable MFA at the identity provider level
  5. Regular audits of authorized users
  6. Rotate client secrets periodically

Next Steps