Configuring Generic OIDC Authentication

Use Generic OIDC to integrate LobeHub with any OpenID Connect compliant identity provider not explicitly listed in our supported providers.

<Steps> ### Configure Your OIDC Provider

In your identity provider's admin console:

Add the callback URL to your OIDC provider:

<Callout type={'info'}> Callback URL format:

- Local development: `http://localhost:3210/api/auth/callback/generic-oidc`
- Production: `https://your-domain.com/api/auth/callback/generic-oidc`

</Callout>

The issuer URL is typically found in your provider's OIDC discovery document:

https://your-provider/.well-known/openid-configuration

Look for the issuer field in the JSON response.

Environment Variable	Type	Description
`AUTH_SECRET`	Required	Session encryption key, generate with `openssl rand -base64 32`
`AUTH_SSO_PROVIDERS`	Required	Set to `generic-oidc`
`AUTH_GENERIC_OIDC_ID`	Required	Client ID
`AUTH_GENERIC_OIDC_SECRET`	Required	Client Secret
`AUTH_GENERIC_OIDC_ISSUER`	Required	OIDC issuer URL (e.g., `https://your-provider.com`)

<Callout type={'tip'}> Go to 📘 Environment Variables for detailed information. </Callout> </Steps>

<Callout type={'info'}> After successful deployment, users will be able to authenticate with your OIDC provider and use LobeHub. </Callout>

Troubleshooting

Invalid redirect URI: Ensure the callback URL exactly matches what you configured in your provider
Missing scopes: Make sure openid, profile, and email scopes are enabled
Invalid issuer: The issuer URL must match exactly what's in the OIDC discovery document

Verify your OIDC configuration by accessing:

https://your-provider/.well-known/openid-configuration

This should return a JSON document with all required endpoints.