# OpenID Connect

{% hint style="info" %}
This feature is only available for Bindplane Enterprise and Google Editions.
{% endhint %}

{% hint style="warning" %}
Changing the Authentication type on the Bindplane server will automatically remove all existing users and permissions. The first user to log in after the change will become an Organization Admin and owner of all existing Projects. Subsequent users will need to be re-invited to their respective projects.
{% endhint %}

### 1. Prerequisites

Before beginning, ensure you have the following:

* An OpenID Connect (OIDC) provider configured and available.
* OAuth2 Client ID and Client Secret from your OIDC provider.

### 2. Identity Provider Configuration

Each Identity Provider will have different steps for configuring an OIDC application. Below are details commonly needed for most configurations.

* Bindplane uses an **Authorization Code** flow
* **Redirect URI**: `<remoteURL or webURL>/oidc/redirect`, i.e. the URL users reach the Bindplane server at, followed by `/oidc/redirect`

### 3. Bindplane Server Configuration

#### Configuration Steps

1. Open the Bindplane configuration file (by default at `/etc/bindplane/config.yaml`).
2. Add or modify the following OIDC configuration settings:

```yaml
auth:
  type: oidc
  oidc:
    issuer: "https://your-oidc-provider.com"
    oauth2ClientID: "your-client-id"
    oauth2ClientSecret: "your-client-secret"
    scopes:
      - openid
      - profile
      - email
```

3. Replace the placeholder values:
   * `issuer`: Your OIDC provider's URL
   * `oauth2ClientID`: OAuth2 client ID from your OIDC provider
   * `oauth2ClientSecret`: OAuth2 client Secret from your OIDC provider
4. Restart Bindplane to apply the changes:

```bash
systemctl restart bindplane
```

### Environment Variables

The same settings can also be provided using environment variables:

```bash
BINDPLANE_OIDC_OAUTH2_CLIENT_ID=your-client-id
BINDPLANE_OIDC_OAUTH2_CLIENT_SECRET=your-client-secret
BINDPLANE_OIDC_ISSUER=https://your-oidc-provider.com
BINDPLANE_OIDC_SCOPES=openid,profile,email
```
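Before restarting, it is worth confirming that the values in `config.yaml` (or the `BINDPLANE_OIDC_*` variables above) actually line up with what the provider advertises, and that the Redirect URI you registered in step 2 is the one Bindplane will send. The following pre-flight check is an added example, not Bindplane's own code: it loads the `auth.oidc` settings from either source, derives the Redirect URI from an assumed `remoteURL` of `https://bindplane.example.com`, and validates the settings against a constructed sample of the provider's OIDC discovery document (in practice, fetch `<issuer>/.well-known/openid-configuration` and pass that instead). It also flags a config file whose mode lets other users read the client secret.

```python
"""Pre-flight check for a Bindplane OIDC configuration (added example).

Not Bindplane's own code. Validates the auth.oidc settings against the
provider's discovery document and derives the Redirect URI to register.
"""
import os
import stat
from typing import Optional
from urllib.parse import urlparse

REQUIRED_SCOPES = ("openid", "profile", "email")

# Constructed sample of <issuer>/.well-known/openid-configuration, trimmed to
# the fields this check looks at. Fetch the real document in practice.
SAMPLE_DISCOVERY = {
    "issuer": "https://your-oidc-provider.com",
    "authorization_endpoint": "https://your-oidc-provider.com/authorize",
    "token_endpoint": "https://your-oidc-provider.com/token",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
}

# The auth block from config.yaml, as the page shows it (placeholder values).
SAMPLE_CONFIG = {"auth": {"type": "oidc", "oidc": {
    "issuer": "https://your-oidc-provider.com",
    "oauth2ClientID": "your-client-id",
    "oauth2ClientSecret": "your-client-secret",
    "scopes": ["openid", "profile", "email"],
}}}


def load_settings(config: Optional[dict] = None, env: Optional[dict] = None) -> dict:
    """Read issuer, client credentials and scopes from config.yaml's auth.oidc
    block, falling back to the BINDPLANE_OIDC_* environment variables."""
    env = os.environ if env is None else env
    oidc = (config or {}).get("auth", {}).get("oidc", {})
    scopes = oidc.get("scopes") or env.get("BINDPLANE_OIDC_SCOPES", "").split(",")
    return {
        "issuer": oidc.get("issuer") or env.get("BINDPLANE_OIDC_ISSUER", ""),
        "client_id": oidc.get("oauth2ClientID") or env.get("BINDPLANE_OIDC_OAUTH2_CLIENT_ID", ""),
        "client_secret": oidc.get("oauth2ClientSecret") or env.get("BINDPLANE_OIDC_OAUTH2_CLIENT_SECRET", ""),
        "scopes": [s.strip() for s in scopes if s.strip()],
    }


def redirect_uri(remote_url: str) -> str:
    """Redirect URI the provider must have registered: <remoteURL>/oidc/redirect."""
    return remote_url.rstrip("/") + "/oidc/redirect"


def mode_exposes_secret(mode: int) -> bool:
    """True if group or other bits are set on a file holding the client secret."""
    return bool(stat.S_IMODE(mode) & 0o077)


def config_file_exposes_secret(path: str) -> bool:
    """Stat the config file (default /etc/bindplane/config.yaml) and apply mode_exposes_secret."""
    return mode_exposes_secret(os.stat(path).st_mode)


def check(settings: dict, discovery: dict, remote_url: str) -> list:
    """Return a list of problems; an empty list means the settings pass."""
    problems = []
    issuer = settings["issuer"]
    if urlparse(issuer).scheme != "https":
        problems.append("issuer must be an https URL")
    # OIDC Discovery requires the document's issuer to be identical to the
    # configured one; a trailing slash difference is enough to break validation.
    if discovery.get("issuer") != issuer:
        problems.append(f"discovery issuer {discovery.get('issuer')!r} != configured {issuer!r}")
    # Bindplane uses the Authorization Code flow, so the provider must offer it.
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    missing = [s for s in REQUIRED_SCOPES if s not in settings["scopes"]]
    if missing:
        problems.append("scopes missing: " + ", ".join(missing))
    if "scopes_supported" in discovery:  # optional field in the discovery document
        unsupported = [s for s in settings["scopes"] if s not in discovery["scopes_supported"]]
        if unsupported:
            problems.append("scopes not supported by provider: " + ", ".join(unsupported))
    if not settings["client_id"] or not settings["client_secret"]:
        problems.append("client id or client secret is empty")
    if urlparse(redirect_uri(remote_url)).scheme != "https":
        problems.append("redirect URI is not https; the authorization code would travel in the clear")
    return problems


if __name__ == "__main__":
    remote = "https://bindplane.example.com"  # assumed remoteURL of the Bindplane server
    print("Register this Redirect URI with the provider:", redirect_uri(remote))
    for problem in check(load_settings(SAMPLE_CONFIG), SAMPLE_DISCOVERY, remote):
        print("PROBLEM:", problem)
```

Run it after editing `config.yaml` and before `systemctl restart bindplane`; an issuer mismatch or a missing `openid` scope is much easier to spot here than in a redirect loop at the login page. The file-mode check matters because `oauth2ClientSecret` sits in plain text in `config.yaml`: anyone who can read that file can impersonate Bindplane to the provider, so the file should be owned by the service account and mode `0600`.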

### 4. User Enrollment

After configuration, users will be redirected to your OIDC provider for authentication when accessing Bindplane.

The first user account that logs in after configuration will be automatically created as the Organization Admin. Subsequent users will need to be invited or manually added to a Project before they are able to log in using OIDC. For more details on adding additional users see:

* [Invite Users to a Project](https://docs.bindplane.com/configuration/bindplane/authentication/broken-reference)
* [Add Users using the Bindplane CLI](https://docs.bindplane.com/cli-and-api/cli)
