OIDC / SSO

ApiMeld supports single sign-on via OpenID Connect (OIDC). When enabled, a "Sign in with [Provider]" button appears on the login page alongside the username/password form.

One OIDC provider can be configured at a time.

Configuration

Go to Admin → Settings → Auth and enable OIDC:

| Field | Description |
|---|---|
| Enable OIDC | Show the SSO button on the login page |
| Provider Name | Label shown on the login button (e.g. "Google", "Azure AD", "Keycloak") |
| Authority URL | The OIDC discovery URL base (e.g. https://accounts.google.com) |
| Client ID | Your app's client ID from the provider |
| Client Secret | Your app's client secret (stored encrypted) |

Setting up common providers

Google

  1. Go to Google Cloud Console → APIs & Services → Credentials
  2. Create an OAuth 2.0 Client ID (Web application)
  3. Add your redirect URI: https://tasks.example.com/api/auth/oidc/callback
  4. Copy the Client ID and Client Secret into ApiMeld
  5. Set Authority URL to https://accounts.google.com

Azure Active Directory / Entra ID

  1. In the Azure portal, register a new app in Azure Active Directory → App registrations
  2. Set the redirect URI to https://tasks.example.com/api/auth/oidc/callback
  3. Create a client secret under Certificates & secrets
  4. Set Authority URL to https://login.microsoftonline.com/{tenant-id}/v2.0

Keycloak

  1. Create a new client in your Keycloak realm
  2. Set the redirect URI to https://tasks.example.com/api/auth/oidc/callback
  3. Set Authority URL to https://your-keycloak.com/realms/{realm-name}
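
A check you can run on a provider's discovery document before saving the Authority URL. This is an added example, not ApiMeld's own code. It assumes the provider publishes metadata at the standard OIDC Discovery path; the `sso.example.test` host and both sample documents are constructed.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"  # path fixed by OIDC Discovery 1.0
REQUIRED_URLS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(authority: str) -> str:
    """Where a client looks up provider metadata for an Authority URL."""
    return authority.rstrip("/") + WELL_KNOWN


def check_discovery(authority: str, doc: dict) -> list:
    """Return problems found in a discovery document; an empty list means OK."""
    problems = []
    for key in REQUIRED_URLS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    # Discovery 1.0 requires the returned issuer to be identical to the URL
    # used to locate the document. A mismatch usually means the wrong tenant
    # or realm was entered, or a stray trailing slash.
    issuer = doc.get("issuer")
    if issuer and issuer != authority:
        problems.append(f"issuer mismatch: configured {authority}, got {issuer}")
    return problems


# Constructed sample documents (not captured from a real provider).
AUTHORITY = "https://sso.example.test/realms/staff"
GOOD = {
    "issuer": AUTHORITY,
    "authorization_endpoint": AUTHORITY + "/protocol/openid-connect/auth",
    "token_endpoint": AUTHORITY + "/protocol/openid-connect/token",
    "jwks_uri": AUTHORITY + "/protocol/openid-connect/certs",
}
BAD = dict(GOOD, issuer="https://sso.example.test/realms/master",
           jwks_uri="http://sso.example.test/realms/staff/protocol/openid-connect/certs")

if __name__ == "__main__":
    print(discovery_url(AUTHORITY))
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, check_discovery(AUTHORITY, doc) or "ok")
```

To check a live provider, fetch the URL returned by `discovery_url()` and pass the parsed JSON to `check_discovery()`.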

User provisioning

When a user signs in via OIDC for the first time, ApiMeld creates an account for them automatically. They are assigned the User role by default. An admin can promote them to Admin from Admin → Users.

Registration mode interaction

OIDC sign-in works regardless of the registration mode setting (invite-only or open). If you want to allow OIDC sign-in but block self-registration via the form, set registration to invite-only and enable OIDC.