
# OIDC

> OpenID Connect authentication setup

Configure Onyx with OpenID Connect (OIDC) authentication.
Available with common identity providers such as Okta and Microsoft Entra ID (Azure AD).

This guide will walk you through the setup process for Okta. Other identity providers will have a similar process.
Please contact us if you need help with a different identity provider.

## Guide

<Steps>
  <Step title="Create Okta Application">
    Navigate to the Okta **Admin Console** → **Applications** → **Create App Integration**.

    <img className="rounded-image" src="https://mintcdn.com/danswer/bNCAyv_0mlX0VYMw/assets/deployment/oidc_create_integration.png?fit=max&auto=format&n=bNCAyv_0mlX0VYMw&q=85&s=7f3d2daa77956a1e8d40bbd6e46267f9" alt="Okta Create Integration Page" width="2544" height="822" data-path="assets/deployment/oidc_create_integration.png" />
  </Step>

  <Step title="Configure Okta Application">
    Select **OIDC** and **Web Application**.

    Name your application `Onyx`.

    <Tip>
      If you are white-labeling Onyx, you can freely name your application.
    </Tip>

    Add a **Sign-in redirect URI** pointing at Onyx's OIDC callback. Okta matches redirect URIs exactly (scheme, host
    and path), so enter the real `https://` address your users reach Onyx on:

    ```
    https://YOUR_ONYX_DOMAIN.com/auth/oidc/callback
    ```

    Under **Assignments**, choose whether everyone in your organization or only selected groups may sign in to Onyx,
    or skip group assignment for now and assign users after the application is created.

    <img className="rounded-image" src="https://mintcdn.com/danswer/bNCAyv_0mlX0VYMw/assets/deployment/oidc_config.png?fit=max&auto=format&n=bNCAyv_0mlX0VYMw&q=85&s=406048ae75e793fba6a2b8e3d0dd79f2" alt="Okta Configure OIDC Application Page" width="2148" height="1302" data-path="assets/deployment/oidc_config.png" />
  </Step>

  <Step title="Save OIDC Credentials">
    Create the new Application and save the **Client ID** and **Client Secret**.

    Also note your **Okta Base URL** in the format of `https://<YOUR_ORG_NAME>.okta.com`.

    <img className="rounded-image" src="https://mintcdn.com/danswer/bNCAyv_0mlX0VYMw/assets/deployment/oidc_secrets.png?fit=max&auto=format&n=bNCAyv_0mlX0VYMw&q=85&s=cc5261f58c02c46946c3105bc2f85398" alt="Okta OIDC Credentials Page" width="2316" height="1656" data-path="assets/deployment/oidc_secrets.png" />

    <Note>
      After saving your application, you can upload the Onyx logo (or your white-labeled logo) by clicking the gear icon
      next to the app title **Onyx**.
    </Note>
  </Step>

  <Step title="Configure Onyx for OIDC">
    Configure Onyx with the following environment variables in your `.env` (Docker Compose) or `values.yaml`
    (Kubernetes) file. `<YOUR_ORG_NAME>.okta.com` is the Okta Base URL you noted above; Onyx discovers the provider's
    authorization, token and key endpoints from the document served at its `/.well-known/openid-configuration` path.

    ```bash .env theme={null}
    AUTH_TYPE=oidc
    OAUTH_CLIENT_ID=<CLIENT_ID_FROM_OKTA>
    OAUTH_CLIENT_SECRET=<CLIENT_SECRET_FROM_OKTA>
    OPENID_CONFIG_URL=https://<YOUR_ORG_NAME>.okta.com/.well-known/openid-configuration
    ```

    Treat the client secret like any other credential: keep the `.env` file out of version control and out of
    container images.

    <Note>
      If you're using Docker but don't have a `.env` file,
      copy `onyx/deployment/docker_compose/env.prod.template` to a new `.env` file in the same directory.
    </Note>

    ```yaml values.yaml theme={null}
    auth:
      secrets:
        OAUTH_CLIENT_ID: <CLIENT_ID_FROM_OKTA>
        OAUTH_CLIENT_SECRET: <CLIENT_SECRET_FROM_OKTA>
    configMap:
      AUTH_TYPE: oidc
      OPENID_CONFIG_URL: https://<YOUR_ORG_NAME>.okta.com/.well-known/openid-configuration
    ```
  </Step>
</Steps>

## Customizing requested scopes

By default, Onyx requests the standard OIDC login scopes (`openid`, `email`, `profile`) when it redirects users to the identity provider.
You can replace that list with `OIDC_SCOPE_OVERRIDE`, a comma-separated list of scopes to request instead.
This is primarily useful when the access token issued at login is passed through to tool calls that need
additional scopes from the identity provider.

```bash .env theme={null}
OIDC_SCOPE_OVERRIDE=openid,email,profile,groups
```

Onyx always requests `offline_access` in addition, so that refresh tokens are issued even when it is not in the override list.

<Warning>
  The override **replaces** the default scopes — make sure `openid`, `email`,
  and `profile` are still included if you want standard login to keep working.
</Warning>

<Note>
  Any scopes you add here must also be enabled on the application in your identity provider.
  Onyx only changes what is sent in the authorize request;
  the IdP still rejects scopes that are not configured for the client.
</Note>

## Enabling PKCE

PKCE (RFC 7636) is disabled by default to preserve backwards compatibility with existing OIDC deployments. When enabled,
the authorization code is bound to the browser session that started the login: the token request must carry the
`code_verifier` whose S256 hash was sent as `code_challenge` in the authorize request, so an intercepted or injected
code cannot be exchanged for tokens by anyone else. Current OAuth security guidance recommends PKCE even for
confidential clients such as Onyx, and most providers, including Okta, support it. To enable it, set:

```bash .env theme={null}
OIDC_PKCE_ENABLED=true
```
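
To make the scope override and PKCE settings concrete, the following is an added example (not Onyx's own code) that
builds the authorize request a browser would be redirected to under a given `OIDC_SCOPE_OVERRIDE` and
`OIDC_PKCE_ENABLED` configuration. It assumes the default scope set is `openid email profile`, appends
`offline_access` as described above, refuses an override that drops `openid`, and derives the S256 `code_challenge`
from a `code_verifier` as RFC 7636 specifies. The authorization endpoint, client ID and redirect URI values are
constructed placeholders, not a real tenant.

```python
"""Illustrative OIDC authorize-request builder (added example, not Onyx's code).

Shows what OIDC_SCOPE_OVERRIDE and OIDC_PKCE_ENABLED change in the redirect
to the identity provider. The default scope set is an assumption.
"""
import base64
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

# Assumed default scope set; the docs imply openid/email/profile are needed for login.
DEFAULT_SCOPES = ("openid", "email", "profile")


def resolve_scopes(scope_override: Optional[str]) -> List[str]:
    """Apply OIDC_SCOPE_OVERRIDE semantics: the override *replaces* the defaults,
    offline_access is always added, and dropping openid is an error."""
    if scope_override and scope_override.strip():
        scopes = [s.strip() for s in scope_override.split(",") if s.strip()]
    else:
        scopes = list(DEFAULT_SCOPES)
    if "offline_access" not in scopes:
        scopes.append("offline_access")  # refresh tokens are always requested
    if "openid" not in scopes:
        raise ValueError("OIDC_SCOPE_OVERRIDE dropped 'openid'; login would break")
    return scopes


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """RFC 7636: code_verifier (43-128 unreserved chars) and its S256 code_challenge."""
    if verifier is None:
        # 32 random bytes -> 43 base64url characters once padding is stripped
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(
    authorization_endpoint: str,
    client_id: str,
    redirect_uri: str,
    scope_override: Optional[str] = None,
    pkce_enabled: bool = False,
    state: Optional[str] = None,
    verifier: Optional[str] = None,
) -> Tuple[str, Dict[str, str]]:
    """Return (authorize URL, values the server must keep for the callback).

    The callback has to check that `state` matches and, when PKCE is on, send
    `code_verifier` with the code in the token request; the IdP recomputes the
    S256 challenge and rejects a code that was issued for a different verifier.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match the registered Sign-in redirect URI exactly
        "scope": " ".join(resolve_scopes(scope_override)),
        "state": state or secrets.token_urlsafe(16),  # CSRF binding for the callback
    }
    session = {"state": params["state"]}
    if pkce_enabled:
        code_verifier, challenge = make_pkce_pair(verifier)
        params["code_challenge"] = challenge
        params["code_challenge_method"] = "S256"
        session["code_verifier"] = code_verifier  # kept server-side, never in the authorize request
    return f"{authorization_endpoint}?{urlencode(params)}", session


if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant.
    url, server_side = build_authorize_url(
        "https://example.okta.com/oauth2/v1/authorize",
        "0oaexampleclientid",
        "https://onyx.example.com/auth/oidc/callback",
        scope_override="openid,email,profile,groups",
        pkce_enabled=True,
    )
    print(url)
    print(server_side)
```

Running the module prints a redirect that carries `scope=openid+email+profile+groups+offline_access` plus a
`code_challenge` and `code_challenge_method=S256`; with `pkce_enabled=False` the two PKCE parameters are simply absent,
which is the behaviour of a deployment that has not set `OIDC_PKCE_ENABLED=true`.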
