OIDC Configuration Requirements

Initial Setup – Required for Basic OIDC Integration

Please provide:

• OIDC Client ID – Provided when creating the app in Okta.
• OIDC Client Secret – Provided in the app's configuration.
• OIDC Discovery URL – e.g., https://<your-okta-domain>/oauth2/default/.well-known/openid-configuration
• Scopes – At minimum, we will utilize: openid email profile
• Redirect URI Whitelisting – Add: <your-open-webui-url>/oauth/oidc/callback

The email and name claims must be included in the token.
email is used for identification, and name is required to properly display user identity within Integrated Chat Agent The picture claim is optional but improves the end-user experience.

Future Role & Group Management – Optional but Recommended

These fields are optional for initial setup but support scalable, role-based control in Open WebUI:

• OIDC Groups – List of Okta groups relevant for Open WebUI access.
• Group Permissions – Mapping of groups to roles (e.g., viewer, user, admin).
• Group Claim Name – Claim name in the token containing group info (e.g., groups, user.memberOf).
• Role Claim Name – Claim name in the token that contains roles (e.g., roles, user.roles).
• Allowed Roles – List of role values permitted to log in.
• Admin Roles – List of roles with admin privileges.

If enabling group/role management, users must log out and log back in to reflect updates.

Resources for Setup

• Okta OIDC Integration Guide
• OIDC Discovery URL Guide