
OpenID Connect

OpenID Connect (OIDC) is a form of single sign-on (SSO) that allows users to authenticate with an external Identity Provider (IdP) instead of managing separate credentials for FileFlows.

It provides secure authentication while enabling FileFlows to receive user identity and group information.

Configuration

You can configure OIDC in the Web Console or via environment variables, which is useful for Docker deployments or automated configuration.

The main configuration fields are:

Authority

The base URL of your Identity Provider (IdP).
FileFlows retrieves metadata and endpoints from this URL.

Client Id

The client identifier assigned to FileFlows by your IdP.

Client Secret

The secret associated with the above client ID.
Used by FileFlows to authenticate with the IdP.

Callback Address

The Callback Address is the main URL of your FileFlows instance that the Identity Provider (IdP) will use to redirect users after authentication.

This should be the public URL that users access FileFlows from, for example:

https://fileflows.mydomain.com

FileFlows will automatically append "/oidc/callback" to this URL for the OAuth2 redirect, so you do not need to include the full callback path when configuring this field.

It is important to set this correctly, especially if FileFlows is running behind a reverse proxy.
For example, if FileFlows is listening internally on http://10.0.0.1:19200, you should not use that internal URL — the IdP needs the URL that users actually access publicly.

This full callback URL (https://fileflows.mydomain.com/oidc/callback) is what you should enter in your Identity Provider when registering FileFlows as an OAuth2 client.

Required Group

If set, users must belong to this group in the IdP to access FileFlows.


Using Environment Variables

The same fields can be set using environment variables:

OidcAuthority=https://auth.example.com/application/o/fileflows/
OidcClientId=fileflows
OidcClientSecret=YOUR_CLIENT_SECRET
OidcCallbackAddress=https://fileflows.example.com/
OidcRequiredGroup=FileFlowsUsers

Setting values via environment variables is optional but useful for Docker deployments, as it avoids modifying the Web Console manually.
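The following pre-deployment check is an added example, not part of FileFlows or its documentation: it reads Docker-style environment lines, flags a Callback Address that is internal, unencrypted, or already contains the callback path, and returns the redirect URI to register with the IdP. The function names and the single-slash join when appending "/oidc/callback" are assumptions; the sample values are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

CALLBACK_PATH = "/oidc/callback"  # suffix the page says FileFlows appends

def parse_env(text):
    """Parse KEY=VALUE lines (Docker env-file style) into a dict."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def check_callback_address(address):
    """Return (redirect_uri_to_register, problems) for an OidcCallbackAddress."""
    parts = urlsplit(address)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return None, ["not an absolute http(s) URL"]
    problems = []
    if parts.scheme != "https":
        problems.append("plain http: the sign-in redirect is not protected by TLS")
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            problems.append("internal address: use the URL users browse to")
    except ValueError:  # host is a name, not an IP literal
        if host == "localhost" or "." not in host:
            problems.append("internal host name: use the public URL")
    path = parts.path.rstrip("/")
    if path.endswith(CALLBACK_PATH):
        problems.append("already ends in /oidc/callback; enter the base URL only")
        path = path[: -len(CALLBACK_PATH)]
    if parts.query or parts.fragment:
        problems.append("query string or fragment present; remove it")
    # Assumption: the suffix is joined to the base with a single slash.
    return f"{parts.scheme}://{parts.netloc}{path}{CALLBACK_PATH}", problems

# Constructed sample input: variable names are the page's, values are examples.
SAMPLE_ENV = """\
OidcAuthority=https://auth.example.com/application/o/fileflows/
OidcClientId=fileflows
OidcCallbackAddress=http://10.0.0.1:19200
"""

if __name__ == "__main__":
    uri, problems = check_callback_address(parse_env(SAMPLE_ENV)["OidcCallbackAddress"])
    print("register with IdP:", uri)
    for p in problems:
        print("warning:", p)
```

The returned URI must match the redirect URI registered at the IdP exactly; most IdPs reject a request whose redirect URI differs in scheme, host, port, or path.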


Notes

  • Standard scopes requested by FileFlows: openid, profile, and email.
  • Additional scopes (e.g., groups) may be required if your IdP uses them to send group membership or roles.