OIDC / SSO Authentication
Strix supports generic OpenID Connect (OIDC) for single sign-on. This works with any OIDC-compliant provider: Entra ID, Okta, Keycloak, Google Workspace, Auth0, etc. OIDC is disabled by default and coexists with local username/password authentication.
Enabling OIDC
Set these environment variables (in .env or docker-compose.yml):
STRIX_OIDC_ISSUER_URL=https://login.microsoftonline.com/{tenant-id}/v2.0
STRIX_OIDC_CLIENT_ID=your-client-id
STRIX_OIDC_CLIENT_SECRET=your-client-secret
Restart Strix. The login page will show a "Sign in with SSO" button.
Provider Setup
Register Strix as an application in your identity provider with these settings:
- Redirect URI: https://your-domain.com/api/v1/auth/oidc/callback
- Scopes: openid,profile,email
- Grant type: Authorization Code
User Provisioning
When a user signs in via OIDC for the first time, Strix automatically creates their account (just-in-time, or JIT, provisioning). The username is derived from the local part of their email address (everything before the @). OIDC-provisioned users cannot sign in with a password.
Environment Variables
| Variable | Default | Description |
|---|---|---|
| STRIX_OIDC_ISSUER_URL | (disabled) | OIDC issuer discovery URL |
| STRIX_OIDC_CLIENT_ID | (disabled) | OAuth2 client ID |
| STRIX_OIDC_CLIENT_SECRET | (empty) | OAuth2 client secret |
| STRIX_OIDC_REDIRECT_URL | auto-derived | Callback URL (derived from STRIX_BASE_URL or STRIX_DOMAIN) |
| STRIX_OIDC_SCOPES | openid,profile,email | Comma-separated OIDC scopes |
| STRIX_OIDC_DEFAULT_ROLE | user | Role assigned to auto-provisioned users (user or admin) |
| STRIX_OIDC_ALLOWED_DOMAINS | (all) | Comma-separated email domain allowlist (e.g. example.com,corp.co) |
| STRIX_OIDC_BUTTON_TEXT | Sign in with SSO | Text displayed on the SSO button |
Domain Restriction
To limit OIDC access to specific email domains:
STRIX_OIDC_ALLOWED_DOMAINS=example.com,subsidiary.example.com
Users with email addresses outside these domains will be rejected at login.
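The allowlist check and the JIT username derivation from the two sections above, as an added example that is not Strix's own code. It assumes the allowlist is an exact, case-insensitive match on the email domain (so subdomains must be listed explicitly, as in the example above) and that an address with no usable local part or domain is rejected.

```python
"""Email-domain allowlist and JIT username derivation for OIDC logins.

Added illustration, not Strix's implementation. Exact-match domain
comparison and rejection of malformed addresses are assumptions.
"""
from typing import FrozenSet, Optional, Tuple


def parse_allowed_domains(value: str) -> FrozenSet[str]:
    """Parse STRIX_OIDC_ALLOWED_DOMAINS; an empty value means every domain is allowed."""
    return frozenset(d.strip().lower() for d in value.split(",") if d.strip())


def split_email(email: str) -> Optional[Tuple[str, str]]:
    """Return (local_part, lowercased_domain), or None if the address is unusable."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return local, domain.lower()


def is_domain_allowed(email: str, allowed: FrozenSet[str]) -> bool:
    """Exact domain match (assumption). Empty allowlist admits any well-formed address."""
    parts = split_email(email)
    if parts is None:
        return False
    if not allowed:
        return True
    return parts[1] in allowed


def jit_username(email: str) -> Optional[str]:
    """Username for a first-time OIDC login: the email prefix (local part)."""
    parts = split_email(email)
    return parts[0] if parts else None


def provision_decision(email: str, allowed_domains_env: str,
                       default_role: str = "user") -> Optional[dict]:
    """Decide whether to auto-provision; None means the login is rejected.

    default_role mirrors STRIX_OIDC_DEFAULT_ROLE; password_login is False
    because OIDC-provisioned users cannot use password sign-in.
    """
    if not is_domain_allowed(email, parse_allowed_domains(allowed_domains_env)):
        return None
    return {"username": jit_username(email), "role": default_role,
            "password_login": False}
```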
Provider Examples
Entra ID (Azure AD)
STRIX_OIDC_ISSUER_URL=https://login.microsoftonline.com/{tenant-id}/v2.0
STRIX_OIDC_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
STRIX_OIDC_CLIENT_SECRET=your-secret
Google Workspace
STRIX_OIDC_ISSUER_URL=https://accounts.google.com
STRIX_OIDC_CLIENT_ID=xxxx.apps.googleusercontent.com
STRIX_OIDC_CLIENT_SECRET=your-secret
STRIX_OIDC_ALLOWED_DOMAINS=yourcompany.com
Keycloak
STRIX_OIDC_ISSUER_URL=https://keycloak.example.com/realms/strix
STRIX_OIDC_CLIENT_ID=strix
STRIX_OIDC_CLIENT_SECRET=your-secret