OIDC Configuration
Configuration guide for OpenID Connect in Portabase.
OpenID Connect (OIDC) integration allows connecting Portabase to any compatible identity provider, such as Keycloak, Auth0, Authentik, or Okta.
Implementation
To configure an OIDC provider, you must define a set of environment variables starting with AUTH_OIDC_.
Create the Client
On your identity server (e.g., Keycloak), create a new client of type "OIDC" or "OpenID Connect".
Configure URLs
Define the redirect URL (Redirect URI):
https://<your-domain>/api/auth/sso/callback/<providerId>
Enter Variables
Add the credentials obtained into your Portabase configuration.
Provider Settings
Prop
Type
Multiple Providers
Portabase supports configuring multiple OIDC providers simultaneously. To do this, replace the AUTH_OIDC_ prefix with AUTH_OIDC_<NAME>_.
Example with Pocket
AUTH_OIDC_POCKET_ID="portabase-pocketid"
AUTH_OIDC_POCKET_TITLE="Pocket ID"
AUTH_OIDC_POCKET_DESC=""
AUTH_OIDC_POCKET_ICON="https://github.com/user-attachments/assets/4ceb2708-9f29-4694-b797-be833efce17d"
AUTH_OIDC_POCKET_CLIENT="portabase"
AUTH_OIDC_POCKET_SECRET="dkNOnQwhDQVwLxoNbQOkJioMA3sQIPdk"
AUTH_OIDC_POCKET_ISSUER_URL="http://localhost:3055"
AUTH_OIDC_POCKET_HOST="localhost:8080"Using a specific prefix allows isolating configurations if you use multiple identity servers.
Configuration Examples
Learn how to integrate specific solutions:
Learn how to configure Keycloak with Portabase for enterprise identity management. View the full guide
A lightweight alternative for self-hosters. View the full guide
Groups and Roles
You can restrict Portabase access to a specific group from your OIDC provider via the ALLOWED_GROUP variable. If the user does not belong to this group, login will be denied.