OIDC
Concourse supports OpenID Connect (OIDC) for single sign-on with Google, Okta, Azure AD, Auth0, and any OIDC-compliant identity provider.
Configuration
```yaml
auth:
  oidc:
    enabled: true
    issuer: https://accounts.google.com
    client_id: ${OIDC_CLIENT_ID}
    client_secret: ${OIDC_CLIENT_SECRET}
    redirect_uri: https://your-concourse.example.com/api/v1/auth/oidc/callback
```

| Field | Description |
|---|---|
| `enabled` | Set to `true` to enable OIDC. |
| `issuer` | The OIDC issuer URL. Must serve a `/.well-known/openid-configuration` document. |
| `client_id` | Client ID from your identity provider. |
| `client_secret` | Client secret from your identity provider. |
| `redirect_uri` | The callback URL. Must match what is registered with the IdP. |
Authentication flow
- The inboard app directs the user to `GET /api/v1/auth/oidc/authorize`.
- Concourse redirects the user to the identity provider’s authorization endpoint.
- The user authenticates with the IdP.
- The IdP redirects back to `/api/v1/auth/oidc/callback` with an authorization code.
- Concourse exchanges the code for an ID token, extracts user claims, and issues a JWT.
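The last step only becomes safe once the ID token's claims are checked against the configured `issuer` and `client_id` before the `email` and `name` claims are used for auto-provisioning. The following Python is an added illustration of those checks, not Concourse's own code; it assumes the JWS signature has already been verified against the issuer's JWKS by a JOSE library, and the `expected_nonce` parameter assumes the authorize step stored a nonce in the session (pass `None` if it did not). `constructed_token` and its sample claims are constructed for offline demonstration.

```python
import base64
import json
import time
from typing import Optional

def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment alphabet."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def validate_id_token_claims(id_token: str, issuer: str, client_id: str,
                             expected_nonce: Optional[str] = None,
                             now: Optional[float] = None) -> dict:
    """Check an ID token's claims against the configured issuer and client_id.

    Assumes the JWS signature was already verified against the issuer's JWKS.
    Returns the attributes auto-provisioning relies on, or raises ValueError.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:  # exact string match against the configured issuer
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token was not issued for this client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token is expired or has no exp")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    if not claims.get("sub"):
        raise ValueError("missing sub claim")
    return {"sub": claims["sub"], "email": claims.get("email"), "name": claims.get("name")}

def constructed_token(claims: dict) -> str:
    """Build a constructed, unsigned token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.signature-placeholder"
```

A token that passes these checks still needs its signature verified first; claim validation without signature verification proves nothing about who issued it.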
Provider setup
Google

- Go to the Google Cloud Console and create an OAuth 2.0 credential.
- Set the authorized redirect URI to `https://your-concourse.example.com/api/v1/auth/oidc/callback`.
- Use the issuer `https://accounts.google.com`.

```yaml
auth:
  oidc:
    enabled: true
    issuer: https://accounts.google.com
    client_id: ${OIDC_CLIENT_ID}
    client_secret: ${OIDC_CLIENT_SECRET}
    redirect_uri: https://your-concourse.example.com/api/v1/auth/oidc/callback
```

Okta

- In the Okta Admin Console, create a new OIDC Web Application integration.
- Set the sign-in redirect URI to `https://your-concourse.example.com/api/v1/auth/oidc/callback`.
- The issuer is your Okta org URL.

```yaml
auth:
  oidc:
    enabled: true
    issuer: https://your-org.okta.com
    client_id: ${OIDC_CLIENT_ID}
    client_secret: ${OIDC_CLIENT_SECRET}
    redirect_uri: https://your-concourse.example.com/api/v1/auth/oidc/callback
```

Azure AD (Entra ID)

- In the Azure portal, register a new application under Entra ID.
- Add a redirect URI of type “Web”: `https://your-concourse.example.com/api/v1/auth/oidc/callback`.
- Create a client secret under “Certificates & secrets”.
- The issuer includes your tenant ID.

```yaml
auth:
  oidc:
    enabled: true
    issuer: https://login.microsoftonline.com/{tenant-id}/v2.0
    client_id: ${OIDC_CLIENT_ID}
    client_secret: ${OIDC_CLIENT_SECRET}
    redirect_uri: https://your-concourse.example.com/api/v1/auth/oidc/callback
```

Auth0

- In the Auth0 dashboard, create a Regular Web Application.
- Set the allowed callback URL to `https://your-concourse.example.com/api/v1/auth/oidc/callback`.
- The issuer is your Auth0 tenant domain.

```yaml
auth:
  oidc:
    enabled: true
    issuer: https://your-tenant.auth0.com
    client_id: ${OIDC_CLIENT_ID}
    client_secret: ${OIDC_CLIENT_SECRET}
    redirect_uri: https://your-concourse.example.com/api/v1/auth/oidc/callback
```

Checking OIDC status
To verify OIDC is configured:

```sh
curl http://localhost:8080/api/v1/auth/oidc/status
```

Returns `{"enabled": true}` or `{"enabled": false}`.
Auto-provisioning
When a user signs in via OIDC for the first time and no matching account exists, Concourse automatically creates a user with the member role. The email and name are extracted from the ID token claims. See Attribute Mapping for details.