OIDC Configuration Requirements
Initial Setup – Required for Basic OIDC Integration
Please provide:
- OIDC Client ID – Provided when creating the app in Okta.
- OIDC Client Secret – Provided in the app's configuration.
- OIDC Discovery URL – e.g., https://<your-okta-domain>/oauth2/default/.well-known/openid-configuration
- Scopes – At minimum, we will utilize: openid email profile
- Redirect URI Whitelisting – Add: <your-open-webui-url>/oauth/oidc/callback
The name claims must be included in the token. The name claim is required to properly display user identity within Integrated Chat Agent. The picture claim is optional but improves the end-user experience.
Future Role & Group Management – Optional but Recommended
These fields are optional for initial setup but support scalable, role-based control in Open WebUI:
- OIDC Groups – List of Okta groups relevant for Open WebUI access.
- Group Permissions – Mapping of groups to roles (e.g., viewer, user, admin).
- Group Claim Name – Claim name in the token containing group info (e.g., groups, user.memberOf).
- Role Claim Name – Claim name in the token that contains roles (e.g., roles, user.roles).
- Allowed Roles – List of role values permitted to log in.
- Admin Roles – List of roles with admin privileges.
If enabling group/role management, users must log out and log back in to reflect updates.
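To check a token against the requirements above before go-live, the following Python pre-flight check is an added example, not code from Open WebUI or Okta. Its function names are hypothetical, and it assumes a dotted claim name may be either a flat key or a nested path and that an admin role also permits login; it does not verify the token signature, so use it only to inspect claim mapping.

```python
import base64
import json

def decode_payload(id_token):
    """Decode the JWT payload segment for inspection only (signature NOT verified)."""
    segment = id_token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def lookup(claims, name):
    """Find a claim by flat key first, then as a dotted path (e.g. user.roles)."""
    if name in claims:
        return claims[name]
    node = claims
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def as_list(value):
    """Normalise a claim that may be absent, a single string, or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def preflight(claims, role_claim, allowed_roles, admin_roles, group_claim):
    """Report how a token fares against the requirements listed on this page."""
    report = {"errors": [], "warnings": []}
    if not claims.get("name"):
        report["errors"].append("missing required claim: name")
    if not claims.get("picture"):
        report["warnings"].append("optional claim absent: picture")
    roles = set(as_list(lookup(claims, role_claim)))
    report["groups"] = as_list(lookup(claims, group_claim))
    report["is_admin"] = bool(roles & set(admin_roles))
    # Assumption: holding an admin role also counts as being permitted to log in.
    report["login_permitted"] = report["is_admin"] or bool(roles & set(allowed_roles))
    if not report["login_permitted"]:
        report["errors"].append("no value in '%s' is an allowed or admin role" % role_claim)
    return report

def make_token(payload):
    """Build an unsigned sample token (constructed test data, not a real Okta token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(payload), ""])

SAMPLE = make_token({"email": "ada@example.com", "name": "Ada Example",
                     "groups": ["webui-users"], "user": {"roles": ["user"]}})
```

Call preflight(decode_payload(token), role_claim, allowed_roles, admin_roles, group_claim) with the claim names and role lists agreed for the integration; an empty errors list means the token carries what the setup above expects.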
Resources for Setup