| title | slug | fullpath |
|---|---|---|
SSO Configuration |
sso_configuration |
/guides/sso_configuration |
This guide discusses the necessary configurations for SSO with OIDC in the server settings and provides some example configurations.
In the case of a misconfiguration or an issue with SSO, it may be helpful to bypass SSO in favor of local login. Local login is possible while SSO redirect is enabled by manually navigating to https://your.audiobookshelf.instance.com/login/?autoLaunch=0
Navigate to Settings > Authentication, then select the check box for OpenID Connect Authentication.
Audiobookshelf is able to automatically populate many of the fields required for OIDC using the OIDC discovery endpoint. Simply enter the URL for your OIDC provider or the URL for the discovery endpoint in the Issuer URL box and click the Auto-populate button.
Example URLs:
https://my.oidc.provider.com/https://my.oidc.provider.com/.well-known/openid-configuration
You will still need to provide the Client ID and Client Secret, as these are unique to Audiobookshelf and are not provided with OIDC discovery.
The Client ID and Client Secret function as a username and password for audiobookshelf to use with your OIDC provider. They must be generated or defined with your OIDC provider prior to use in audiobookshelf.
| Field | Required | Example | Description |
|---|---|---|---|
| Issuer URL | yes | https://your.oidc.instance.com | The URL which uniquely identifies an OIDC instance. The OIDC provider must know itself as this URL. |
| Authorize URL | yes | https://your.oidc.instance.com/api/oidc/authorization | |
| Token URL | yes | https://your.oidc.instance.com/api/oidc/token | |
| Userinfo URL | yes | https://your.oidc.instance.com/api/oidc/userinfo | |
| JWKS URL | yes | https://your.oidc.instance.com/jwks.json | |
| Logout URL | no | https://your.oidc.instance.com/logout | |
| Client ID | yes | audiobookshelf |
|
| Client Secret | yes | 0123abcdefgHIJKLMNOP.,!@$%^*?<... |
The "password" that audiobookshelf uses to authenticate with the OIDC provider. Authelia shares an overview of good practices |
| Button Text | no | Login with Google |
Hint to the user what OIDC provider is used. If nothing is specified defaults to Login with OpenID |
| Match existing users by | |||
| Auto Launch | |||
| Auto Register |
The steps needed to configure an OIDC provider will vary depending on which OIDC provider you choose. Example configurations are included below for your reference.
Configuring Authelia as an OIDC provider is covered well in the authelia docs, which should be treated as the source of truth. An example authelia configuration that is known to work is provided for reference.
Add the following to the authelia configuration.yml file:
identity_providers:
oidc:
hmac_secret: your_hmac_secret
issuer_private_key: |
-----BEGIN RSA PRIVATE KEY-----
... your private key here ...
-----END RSA PRIVATE KEY-----
access_token_lifespan: 7d
authorize_code_lifespan: 1m
id_token_lifespan: 7d
refresh_token_lifespan: 90m
enable_client_debug_messages: false
enforce_pkce: public_clients_only
cors:
endpoints:
- authorization
- token
- revocation
- introspection
allowed_origins:
- https://your.audiobookshelf.instance.com
allowed_origins_from_client_redirect_uris: false
clients:
- id: audiobookshelf # this must match the client id provided to audiobookshelf
description: "Audiobookshelf"
secret: 'your_client_secret' # this must match the client secret provided to audiobookshelf
public: false
redirect_uris:
- https://your.audiobookshelf.instance.com/auth/openid/callback
scopes:
- openid
- profile
- email