# OIDC/OAuth2

ConsoleMe can directly authenticate users against an OIDC identity provider. We have an example configuration [here](https://github.com/Netflix/consoleme/blob/master/example_config/example_config_oidc.yaml).

The settings that must be defined for the OIDC flow to work are as follows:

```yaml
auth:
  get_user_by_oidc: true
  force_redirect_to_identity_provider: false
  set_auth_cookie: true

get_user_by_oidc_settings:
  resource: <REPLACE>
  metadata_url: https://dev-123456.okta.com/oauth2/default/.well-known/oauth-authorization-server
  # If you have a metadata URL and it returns JSON with authorization_endpoint, token_endpoint, and jwks_uri, you do
  # not need to specify those values in the configuration.
  #authorization_endpoint: https://dev-123456.okta.com/oauth2/default/v1/authorize
  #token_endpoint: https://dev-123456.okta.com/oauth2/default/v1/token
  #jwks_uri: https://dev-123456.okta.com/oauth2/default/v1/keys
  jwt_verify: true
  jwt_email_key: email
  jwt_groups_key: groups
  grant_type: authorization_code
  id_token_response_key: id_token
  access_token_response_key: access_token
  access_token_audience: "consoleme"

oidc_secrets:
  client_id: <REPLACE>
  secret: <REPLACE>
  client_scope:
    - email
    - groups
    - openid
```

## Steps

1. Update ConsoleMe's configuration with your identity provider's parameters (under `get_user_by_oidc_settings`). [Example](https://github.com/Netflix/consoleme/blob/master/example_config/example_config_oidc.yaml)
2. Update ConsoleMe's configuration with your client ID, client secret, and scopes (under `oidc_secrets`). [Example](https://github.com/Netflix/consoleme/blob/master/example_config/example_secrets.yaml)
3. Start ConsoleMe with your desired configuration, and test the flow:

```bash
CONFIG_LOCATION=example_config/example_config_oidc.yaml python consoleme/__main__.py
```
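As an added example (not ConsoleMe's own code), the following Python resolves the three endpoints the way the configuration comment describes, explicit settings first and the metadata document as fallback, and lints the settings for the mistakes most likely to break or weaken the flow before ConsoleMe is started. The metadata document is constructed, and the mapping from `jwt_email_key`/`jwt_groups_key` to the `email`/`groups` scopes is an assumption about how the identity provider populates the token.

```python
import json

# The page says these three discovery keys make the explicit settings optional.
DISCOVERY_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
PLACEHOLDER = "<REPLACE>"
# Claim-to-scope mapping is an assumption about how the IdP populates the ID token.
CLAIM_SCOPES = (("jwt_email_key", "email"), ("jwt_groups_key", "groups"))

# Constructed metadata document in the shape of the .well-known response.
CONSTRUCTED_METADATA = json.dumps({
    "authorization_endpoint": "https://idp.example/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example/oauth2/v1/token",
    "jwks_uri": "https://idp.example/oauth2/v1/keys",
})

def resolve_endpoints(settings, metadata_json=None):
    """Explicit settings win; anything missing comes from the metadata document."""
    discovered = json.loads(metadata_json) if metadata_json else {}
    resolved = {}
    for key in DISCOVERY_KEYS:
        value = settings.get(key) or discovered.get(key)
        if not value:
            raise ValueError(f"{key} is neither configured nor present in the metadata")
        resolved[key] = value
    return resolved

def lint_oidc_config(config):
    """Return a list of findings; an empty list means the settings pass these checks."""
    findings = []
    settings = config.get("get_user_by_oidc_settings", {})
    secrets = config.get("oidc_secrets", {})
    scopes = set(secrets.get("client_scope", []))
    if not config.get("auth", {}).get("get_user_by_oidc"):
        findings.append("auth.get_user_by_oidc must be true for the OIDC flow")
    for section, key in (("get_user_by_oidc_settings", "resource"),
                         ("oidc_secrets", "client_id"), ("oidc_secrets", "secret")):
        if config.get(section, {}).get(key) in (None, PLACEHOLDER):
            findings.append(f"{section}.{key} is unset or still {PLACEHOLDER}")
    if settings.get("jwt_verify") is not True:
        findings.append("jwt_verify should be true so tokens are checked against jwks_uri")
    if not settings.get("metadata_url") and not all(settings.get(k) for k in DISCOVERY_KEYS):
        findings.append("without metadata_url all of " + ", ".join(DISCOVERY_KEYS) + " are required")
    if "openid" not in scopes:
        findings.append("client_scope must include openid to receive an id_token")
    for claim_key, scope in CLAIM_SCOPES:
        if settings.get(claim_key) and scope not in scopes:
            findings.append(f"{claim_key} reads the {scope} claim but {scope} is not in client_scope")
    return findings
```

Run `lint_oidc_config` on the parsed YAML before the start command above; any finding points at the setting to fix.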
