OIDC / SSO

Configure an OpenID Connect provider for enterprise single sign-on.

Configuration

```toml
[settings]
oidc_issuer = "https://accounts.google.com"
oidc_client_id = "your-client-id"
oidc_client_secret = "your-client-secret"
oidc_token_ttl = "90d"
```

```bash
export MISE_SERVER_OIDC_ISSUER=https://accounts.google.com
export MISE_SERVER_OIDC_CLIENT_ID=your-client-id
export MISE_SERVER_OIDC_CLIENT_SECRET=your-client-secret
export MISE_SERVER_OIDC_TOKEN_TTL=90d
```

Supported Providers

Any OIDC-compliant identity provider works, including:

  • Google
  • Okta
  • Azure AD (Entra ID)
  • GitHub
  • GitLab
  • Auth0
  • Keycloak

Login Flow

  1. User visits GET /auth/login
  2. Redirected to the OIDC provider
  3. After authentication, callback hits GET /auth/callback
  4. mise-server provisions a user and issues an API token
  5. Token is valid for oidc_token_ttl (default: 90 days)

Token TTL

The oidc_token_ttl setting controls how long OIDC-provisioned tokens remain valid. Accepts duration strings like 90d, 24h, or 3600s.
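
A pre-deployment check for the environment-variable form of this configuration, added here as an example (it is not part of mise-server): it flags a non-HTTPS issuer, a leftover placeholder secret, and a TTL that does not parse or exceeds a ceiling. The function names and `MAX_TTL_SECONDS` are assumptions of this example, and only the `d`, `h` and `s` suffixes shown on this page are accepted.

```sh
#!/bin/sh
# Added example: pre-flight lint for the MISE_SERVER_OIDC_* variables above.
# MAX_TTL_SECONDS is a local policy ceiling assumed here, not a mise-server
# setting; it defaults to 90 days, the documented default token lifetime.
MAX_TTL_SECONDS=${MAX_TTL_SECONDS:-7776000}

# Convert a duration such as 90d, 24h or 3600s to seconds (non-zero status on
# bad input). Zero and leading zeros are rejected.
ttl_to_seconds() {
  num=${1%[dhs]}          # digits before the unit
  unit=${1#"$num"}        # the single trailing unit letter
  case "$num" in ''|*[!0-9]*|0*) return 1 ;; esac
  case "$unit" in
    d) echo $((num * 86400)) ;;
    h) echo $((num * 3600)) ;;
    s) echo "$num" ;;
    *) return 1 ;;
  esac
}

# Record one finding and count it.
flag() { echo "finding: $1"; findings=$((findings + 1)); }

# Print one finding per line; the exit status is the number of findings.
lint_oidc() {
  issuer=$1 secret=$2 ttl=$3 findings=0
  case "$issuer" in
    *'?'*|*'#'*) flag "issuer has a query or fragment: $issuer" ;;
    https://?*) ;;
    *) flag "issuer is not an https:// URL: $issuer" ;;
  esac
  case "$secret" in
    ''|your-client-secret) flag "client secret is empty or still the placeholder" ;;
  esac
  if secs=$(ttl_to_seconds "$ttl"); then
    [ "$secs" -le "$MAX_TTL_SECONDS" ] || flag "token TTL $ttl exceeds the policy ceiling"
  else
    flag "oidc_token_ttl is not a d/h/s duration: $ttl"
  fi
  return "$findings"
}

# Lint the current shell environment; an unset TTL falls back to the documented 90d.
lint_oidc "${MISE_SERVER_OIDC_ISSUER:-}" "${MISE_SERVER_OIDC_CLIENT_SECRET:-}" \
  "${MISE_SERVER_OIDC_TOKEN_TTL:-90d}" || echo "$? finding(s)"
```

Run it in the same shell that exports the variables, before starting the server.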

Licensed under FSL-1.1-ALv2. Maintained by @jdx.