ruflo/src/ruvocal/docs/source/configuration/open-id.md
By default, users are attributed a unique ID based on their browser session. To authenticate users with OpenID Connect, configure the following:
OPENID_CLIENT_ID=your_client_id
OPENID_CLIENT_SECRET=your_client_secret
OPENID_SCOPES="openid profile"
Use the provider URL for standard OpenID Connect discovery:
OPENID_PROVIDER_URL=https://your-provider.com
Advanced: you can also provide a client metadata document via OPENID_CONFIG. This value must be a JSON/JSON5 object (for example, a CIMD document) and is parsed server‑side to populate OpenID settings.
Redirect URI: https://your-domain.com/login/callback
Restrict access to specific users:
# Allow only specific email addresses
ALLOWED_USER_EMAILS=["[email protected]", "[email protected]"]
# Allow all users from specific domains
ALLOWED_USER_DOMAINS=["example.com", "company.org"]
For Hugging Face authentication, you can use automatic client registration:
OPENID_CLIENT_ID=__CIMD__
This creates an OAuth app automatically when deployed. See the CIMD spec for details.
When users log in via Hugging Face, you can forward their token for inference:
USE_USER_TOKEN=true
Force authentication on all routes:
AUTOMATIC_LOGIN=true