Back to Ruflo

OpenID

ruflo/src/ruvocal/docs/source/configuration/open-id.md

3.32.41.4 KB
Original Source

OpenID

By default, users are attributed a unique ID based on their browser session. To authenticate users with OpenID Connect, configure the following:

ini
OPENID_CLIENT_ID=your_client_id
OPENID_CLIENT_SECRET=your_client_secret
OPENID_SCOPES="openid profile"

Use the provider URL for standard OpenID Connect discovery:

ini
OPENID_PROVIDER_URL=https://your-provider.com

Advanced: you can also provide a client metadata document via OPENID_CONFIG. This value must be a JSON/JSON5 object (for example, a CIMD document) and is parsed server‑side to populate OpenID settings.

Redirect URI: https://your-domain.com/login/callback

Access Control

Restrict access to specific users:

ini
# Allow only specific email addresses
ALLOWED_USER_EMAILS=["[email protected]", "[email protected]"]

# Allow all users from specific domains
ALLOWED_USER_DOMAINS=["example.com", "company.org"]

Hugging Face Login

For Hugging Face authentication, you can use automatic client registration:

ini
OPENID_CLIENT_ID=__CIMD__

This creates an OAuth app automatically when deployed. See the CIMD spec for details.

User Token Forwarding

When users log in via Hugging Face, you can forward their token for inference:

ini
USE_USER_TOKEN=true

Auto-Login

Force authentication on all routes:

ini
AUTOMATIC_LOGIN=true