OpenID

In this article, we will provide a general overview of how to connect your identity provider with OpenID. However, we also have dedicated documentation for connecting with popular identity providers such as Google, Okta, and Azure AD.

Configuring SSO for UI Bakery involves two main steps:

• Configuring integration in your identity provider;

• Configuring SSO in your UI Bakery instance using environment variables.

Configure UI Bakery integration in your identity provider

The configuration process may vary depending on your chosen identity provider, but there are some common considerations to keep in mind.

1. UI Bakery supports only the Authorization Code Flow.

2. The redirect callback is https://YOUR_INSTANCE/auth/oauth2/callback

UI Bakery instance configuration

To enable UI Bakery to use your OpenID provider, set the following environment variables:

UI_BAKERY_OAUTH_CLIENT_ID=0oa3deycosL4fFEvx5d0
UI_BAKERY_OAUTH_SECRET=sO8BPgTb5MVs9kS37Qoml5sCEK7faFX78VDP2E3q
UI_BAKERY_OAUTH_SCOPE=openid email offline_access profile
UI_BAKERY_OAUTH_AUTH_URL=https://mybakery.okta.com/oauth2/v1/authorize
UI_BAKERY_OAUTH_TOKEN_URL=https://mybakery.okta.com/oauth2/v1/token
UI_BAKERY_OAUTH_USERINFO_URL=https://mybakery.okta.com/oauth2/v1/userinfo

For some providers, you may need to configure additional variables:

1. If you need to pass additional parameters to the token endpoint, use the variable UI_BAKERY_OAUTH_TOKEN_URL_ADDITIONAL_PARAMS={"entity_id": "asd"}

2. By default, UI Bakery expects the email field to exist in the user info response. If the email is placed in another field, you can adjust it using the variable UI_BAKERY_OAUTH_EMAIL_KEY, for example, UI_BAKERY_OAUTH_EMAIL_KEY=myemail.

3. By default, UI Bakery expects the sub (subject) field to exist in the user info response. If the user ID is placed in another field, you can adjust it using the variable UI_BAKERY_OAUTH_ID_KEY, for example, UI_BAKERY_OAUTH_ID_KEY=myid.

Disabling MFA from UI Bakery

UI Bakery allows you to enable MFA on the UI Bakery level. When enabled, it is required for:

• users signing in with email/password

• users signing in via SSO (OpenID)

But some SSO providers may also enforce their own MFA, so users will have to complete two MFA prompts: from the SSO provider and from UI Bakery. To avoid this and let users complete only their SSO MFA, you need to configure the following variable: UI_BAKERY_OAUTH_DISABLE_MFA=true.

With this variable set to true:

• SSO users will only complete MFA handled by the SSO provider

• Email/password users will complete MFA handled by UI Bakery

Using SSO token in data source requests

If you have connected OpenID SSO, you can use the user token to authenticate data source requests. To enable this feature, set the env variable UI_BAKERY_SSO_BROADCAST_TOKEN to true. Once this variable is set, you can use placeholders UI_BAKERY_SSO_TOKEN and UI_BAKERY_SSO_ID_TOKEN in your HTTP/GraphQL/OpenAPI data sources:\