File size: 1,446 Bytes
700a224 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
# OpenID
By default, users are attributed a unique ID based on their browser session. To authenticate users with OpenID Connect, configure the following:
```ini
OPENID_CLIENT_ID=your_client_id
OPENID_CLIENT_SECRET=your_client_secret
OPENID_SCOPES="openid profile"
```
Use the provider URL for standard OpenID Connect discovery:
```ini
OPENID_PROVIDER_URL=https://your-provider.com
```
Advanced: you can also provide a client metadata document via `OPENID_CONFIG`. This value must be a JSON/JSON5 object (for example, a CIMD document) and is parsed server‑side to populate OpenID settings.
**Redirect URI:** `https://your-domain.com/login/callback`
## Access Control
Restrict access to specific users:
```ini
# Allow only specific email addresses
ALLOWED_USER_EMAILS=["user@example.com", "admin@example.com"]
# Allow all users from specific domains
ALLOWED_USER_DOMAINS=["example.com", "company.org"]
```
## Hugging Face Login
For Hugging Face authentication, you can use automatic client registration:
```ini
OPENID_CLIENT_ID=__CIMD__
```
This creates an OAuth app automatically when deployed. See the [CIMD spec](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) for details.
## User Token Forwarding
When users log in via Hugging Face, you can forward their token for inference:
```ini
USE_USER_TOKEN=true
```
## Auto-Login
Force authentication on all routes:
```ini
AUTOMATIC_LOGIN=true
```
|