OpenID Connect (OIDC)
Set QUI__OIDC_ENABLED=true to hand authentication off to an external identity provider. The built-in login screen automatically offers a "Sign in with OIDC" button when the backend detects a valid OIDC configuration.
Configuration Options
| Variable | Description |
|---|---|
| QUI__OIDC_ISSUER | Issuer URL from your IdP (e.g. https://auth.example.com/realms/main) |
| QUI__OIDC_CLIENT_ID | Client ID registered for qui |
| QUI__OIDC_CLIENT_SECRET | Client secret generated by the provider |
| QUI__OIDC_CLIENT_SECRET_FILE | Path to file containing client secret. Takes precedence over QUI__OIDC_CLIENT_SECRET |
| QUI__OIDC_REDIRECT_URL | Must match the redirect URI allowed by the provider |
| QUI__OIDC_DISABLE_BUILT_IN_LOGIN | Set to true to hide the local username/password form when OIDC is enabled |
Redirect URL Format
For a default install, use:
http://localhost:7476/api/auth/oidc/callback
When reverse proxying, include your base URL:
https://host/qui/api/auth/oidc/callback
Example Configuration
QUI__OIDC_ENABLED=true \
QUI__OIDC_ISSUER=https://auth.example.com/realms/main \
QUI__OIDC_CLIENT_ID=qui \
QUI__OIDC_CLIENT_SECRET=super-secret-value \
QUI__OIDC_REDIRECT_URL=https://qui.example.com/api/auth/oidc/callback \
QUI__OIDC_DISABLE_BUILT_IN_LOGIN=true
You can set the same options in config.toml using the oidc* keys generated by qui generate-config.
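A preflight check for the variables above, as an added example that is not part of qui or its documentation. The function name oidc_preflight and its messages are hypothetical; it assumes qui is registered as a confidential client (so a secret is required) and accepts plain http only for localhost.

```shell
#!/bin/sh
# Added example: preflight lint for the QUI__OIDC_* variables on this page.
# oidc_preflight and its messages are hypothetical names, not part of qui.

_oidc_fail() { echo "FAIL: $1" >&2; OIDC_RC=1; }

# TLS everywhere except loopback, matching the http://localhost default above.
_oidc_tls_or_local() {
    case "$1" in
        https://*|http://localhost:*|http://localhost/*) return 0 ;;
        *) return 1 ;;
    esac
}

oidc_preflight() {
    OIDC_RC=0
    if [ "${QUI__OIDC_ENABLED:-}" != "true" ]; then
        echo "OIDC not enabled, nothing to check"
        return 0
    fi
    [ -n "${QUI__OIDC_CLIENT_ID:-}" ] || _oidc_fail "QUI__OIDC_CLIENT_ID is empty"
    _oidc_tls_or_local "${QUI__OIDC_ISSUER:-}" ||
        _oidc_fail "QUI__OIDC_ISSUER must be https (or localhost)"

    # The page states the _FILE variant takes precedence, so check it first.
    # Assumption: qui is a confidential client and needs a secret.
    if [ -n "${QUI__OIDC_CLIENT_SECRET_FILE:-}" ]; then
        f=$QUI__OIDC_CLIENT_SECRET_FILE
        if [ ! -f "$f" ] || [ ! -s "$f" ]; then
            _oidc_fail "secret file $f is missing or empty"
        elif [ -n "$(find -L "$f" -perm -004)" ]; then
            _oidc_fail "secret file $f is world-readable; tighten its mode"
        fi
    elif [ -z "${QUI__OIDC_CLIENT_SECRET:-}" ]; then
        _oidc_fail "no client secret configured"
    fi

    # Redirect URL: callback path from this page, base-URL prefix allowed.
    case "${QUI__OIDC_REDIRECT_URL:-}" in
        */api/auth/oidc/callback) ;;
        *) _oidc_fail "QUI__OIDC_REDIRECT_URL must end in /api/auth/oidc/callback" ;;
    esac
    _oidc_tls_or_local "${QUI__OIDC_REDIRECT_URL:-}" ||
        _oidc_fail "QUI__OIDC_REDIRECT_URL must be https (or localhost)"

    if [ "$OIDC_RC" -ne 0 ] && [ "${QUI__OIDC_DISABLE_BUILT_IN_LOGIN:-}" = "true" ]; then
        echo "NOTE: the local login form is hidden; fix the above first" >&2
    fi
    return "$OIDC_RC"
}
```

Source the file and run oidc_preflight in the same environment qui will start in; a non-zero status means at least one check failed.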