Get Started
User Management
Templates
Development
OIDC Single Sign-On
Configure OIDC SSO for Arcane
PKCE Required
Arcane requires the use of PKCE for OIDC Authentication.
Recommended: Configure OIDC in the UI
The easiest way to set up OIDC is through Arcane's web interface:
- Go to Settings → Authentication in Arcane
- Enter your OIDC provider details (Issuer URL, Client ID, Client Secret, Redirect URI, etc)
- Save and test the connection
- The UI will guide you through any missing or invalid fields
OIDC users are auto-provisioned on first login. You can disable local login for stricter security.
All the OIDC Urls are discovered from the issuer url/the providers .well-known/openid-configuration endpoint. Make sure there is no trailing slash on the Issuer URL.
Alternative: Environment Variables
You can also configure OIDC using environment variables:
| Variable | Description | Default/Example |
|---|---|---|
OIDC_ENABLED | Enable OIDC login | false |
OIDC_CLIENT_ID | Client ID from your OIDC provider | your_arcane_client_id_from_provider |
OIDC_CLIENT_SECRET | Client Secret from provider | your_super_secret_client_secret_from_provider |
OIDC_ISSUER_URL | Issuer URL of your OIDC provider, No trailing slash. | https://your-provider.com |
OIDC_SCOPES | Scopes to request | openid email profile (default) |
Example docker-compose
services:
arcane:
# ... image, ports, volumes ...
environment:
# ....
- OIDC_ENABLED=true
- OIDC_CLIENT_ID="your_arcane_client_id_from_provider"
- OIDC_CLIENT_SECRET="your_super_secret_client_secret_from_provider"
- OIDC_ISSUER_URL="https://auth.example.com"
- OIDC_SCOPES=openid email profile Note: Environment variables always override UI settings. If the settings are configured from the Environment then removed from the environment, the values still stay in the database and OIDC is still configured, unless turned off via the UI.
Troubleshooting
For troubleshooting, check both your OIDC provider and Arcane logs for errors.