
This page explains how to configure Onyx with OpenID Connect (OIDC) authentication. OIDC works with common identity providers such as Okta and Microsoft Entra ID (Azure AD). The guide below walks through the setup process for Okta; other identity providers follow a similar process. Please contact us if you need help with a different identity provider.

Guide

1. Create Okta Application

Navigate to the Okta Admin Console > Applications > Create App Integration.
[Screenshot: Okta Create Integration page]
2. Configure Okta Application

Select OIDC as the sign-in method and Web Application as the application type. Name your application Onyx.
If you are white-labeling Onyx, you can name the application whatever you like.
Add a Sign-in redirect URI:
https://YOUR_ONYX_DOMAIN.com/auth/oidc/callback
Decide whether all users or only selected groups may access Onyx, or skip this step and assign users later.
[Screenshot: Okta Configure OIDC Application page]
3. Save OIDC Credentials

Create the application and save the Client ID and Client Secret. Also note your Okta Base URL, which has the format https://<YOUR_ORG_NAME>.okta.com.
[Screenshot: Okta OIDC Credentials page]
After saving your application, you can upload the Onyx logo (or your white-labeled logo) by clicking the gear icon next to the app title Onyx.
4. Configure Onyx for OIDC

Configure Onyx with the following environment variables in your .env file (Docker) or values.yaml file (Kubernetes).

.env
AUTH_TYPE=oidc
OAUTH_CLIENT_ID=<CLIENT_ID_FROM_OKTA>
OAUTH_CLIENT_SECRET=<CLIENT_SECRET_FROM_OKTA>
OPENID_CONFIG_URL=https://<YOUR_OKTA_BASE_URL>/.well-known/openid-configuration

If you're using Docker but don't have a .env file, copy onyx/deployment/docker_compose/env.prod.template to a new .env file in the same directory.
values.yaml
auth:
   secrets:
      OAUTH_CLIENT_ID: <CLIENT_ID_FROM_OKTA>
      OAUTH_CLIENT_SECRET: <CLIENT_SECRET_FROM_OKTA>
configMap:
   AUTH_TYPE: oidc
   OPENID_CONFIG_URL: https://<YOUR_OKTA_BASE_URL>/.well-known/openid-configuration

Customizing requested scopes

By default, Onyx uses the standard OIDC base scopes when redirecting users to the identity provider. You can override this list with OIDC_SCOPE_OVERRIDE, a comma-separated list of scopes to request instead. This is primarily useful when the access token issued at login should be passed through to tool calls that need additional scopes from the identity provider.
.env
OIDC_SCOPE_OVERRIDE=openid,email,profile,groups
Onyx will always also request offline_access so refresh tokens are issued, even if it is not in the override list.
The override replaces the default scopes — make sure openid, email, and profile are still included if you want standard login to keep working.
Any scopes you add here must also be enabled on the application in your identity provider. Onyx only changes what is sent in the authorize request; the IdP still rejects scopes that are not configured for the client.

Enabling PKCE

PKCE is disabled by default to preserve backwards compatibility with existing OIDC deployments. To enable it, set:
.env
OIDC_PKCE_ENABLED=true
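As an added example (not part of the Onyx documentation or code base), the following Python script performs a pre-flight check on the settings from the "Configure Onyx for OIDC" step, the OIDC_SCOPE_OVERRIDE list and the OIDC_PKCE_ENABLED flag above, before you restart Onyx with them. It assumes Onyx's default request uses the three standard base scopes this page names (openid, email, profile), that the discovery document is the JSON your identity provider serves at OPENID_CONFIG_URL, and that the Sign-in redirect URI registered in Okta has to match exactly. The .env text and discovery document embedded below are constructed samples so the script runs offline, and all function names are this example's own.

```python
"""Pre-flight check for an Onyx OIDC configuration (added example, not Onyx code).
Derives the scopes Onyx would request and checks them, the discovery URL and the
PKCE flag against the identity provider's OpenID discovery document."""
from urllib.parse import urlparse

# Assumption: Onyx's default request uses the standard base scopes named on the page.
DEFAULT_SCOPES = ["openid", "email", "profile"]
REQUIRED_FOR_LOGIN = {"openid", "email", "profile"}
REDIRECT_PATH = "/auth/oidc/callback"
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample .env; the values are placeholders, not real credentials.
SAMPLE_ENV = """
AUTH_TYPE=oidc
OAUTH_CLIENT_ID=0oa-example-client-id
OAUTH_CLIENT_SECRET=example-secret-not-real
OPENID_CONFIG_URL=https://example-org.okta.com/.well-known/openid-configuration
OIDC_SCOPE_OVERRIDE=openid,email,profile,groups
OIDC_PKCE_ENABLED=true
"""

# Constructed sample discovery document, shaped like the one an Okta org serves.
SAMPLE_DISCOVERY = {
    "issuer": "https://example-org.okta.com",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example-org.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example-org.okta.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "email", "profile", "groups", "offline_access"],
    "code_challenge_methods_supported": ["S256"],
}


def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines, skipping blanks and '#' comments and stripping quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def effective_scopes(env: dict) -> list:
    """Scopes sent in the authorize request: the override list (or the defaults)
    plus offline_access, which Onyx always adds so refresh tokens are issued."""
    override = env.get("OIDC_SCOPE_OVERRIDE", "").strip()
    if override:
        scopes = [s.strip() for s in override.split(",") if s.strip()]
    else:
        scopes = list(DEFAULT_SCOPES)
    if "offline_access" not in scopes:
        scopes.append("offline_access")
    return scopes


def expected_redirect_uri(onyx_base_url: str) -> str:
    """The Sign-in redirect URI to register in Okta; Okta matches it exactly."""
    if urlparse(onyx_base_url).scheme != "https":
        raise ValueError("Onyx must be served over https for the OIDC callback")
    return onyx_base_url.rstrip("/") + REDIRECT_PATH


def check_config(env: dict, discovery: dict) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if env.get("AUTH_TYPE") != "oidc":
        problems.append("AUTH_TYPE must be 'oidc'")
    for key in ("OAUTH_CLIENT_ID", "OAUTH_CLIENT_SECRET"):
        if not env.get(key) or env[key].startswith("<"):
            problems.append(f"{key} is missing or still a template placeholder")
    config_url = env.get("OPENID_CONFIG_URL", "")
    if urlparse(config_url).scheme != "https" or not config_url.endswith(DISCOVERY_SUFFIX):
        problems.append(f"OPENID_CONFIG_URL must be an https URL ending in {DISCOVERY_SUFFIX}")
    elif config_url != discovery.get("issuer", "").rstrip("/") + DISCOVERY_SUFFIX:
        problems.append("OPENID_CONFIG_URL does not match the issuer in the discovery document")
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if endpoint not in discovery:
            problems.append(f"discovery document lacks {endpoint}")
    scopes = effective_scopes(env)
    missing = REQUIRED_FOR_LOGIN - set(scopes)
    if missing:
        problems.append(f"OIDC_SCOPE_OVERRIDE drops scopes needed for login: {sorted(missing)}")
    supported = set(discovery.get("scopes_supported", []))
    unsupported = [s for s in scopes if s not in supported]
    if supported and unsupported:
        problems.append(f"IdP does not advertise requested scopes {unsupported}; enable them on the app")
    if env.get("OIDC_PKCE_ENABLED", "false").lower() == "true":
        if "S256" not in discovery.get("code_challenge_methods_supported", []):
            problems.append("OIDC_PKCE_ENABLED=true but the IdP does not advertise S256")
    return problems


if __name__ == "__main__":
    env = parse_dotenv(SAMPLE_ENV)
    print("scopes requested:", " ".join(effective_scopes(env)))
    print("redirect URI to register:", expected_redirect_uri("https://YOUR_ONYX_DOMAIN.com"))
    for problem in check_config(env, SAMPLE_DISCOVERY) or ["no problems found"]:
        print("-", problem)
```

To use it against a real deployment, read your .env with parse_dotenv and fetch the JSON at OPENID_CONFIG_URL in place of SAMPLE_DISCOVERY. The scope check catches the two failure modes the text describes: an override that drops openid, email or profile (login breaks) and a scope the IdP has not enabled for the client (the authorize request is rejected), and the S256 check confirms the provider can honour PKCE before you turn it on.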