
Last Updated: 3/7/2026


SSO (Single-Sign-On) with OAuth or OIDC

You can connect LinkAce with an OAuth or OIDC provider to manage your users in a central place and let them log in to LinkAce with a single click. No separate registration needed. No duplicate passwords to save.

LinkAce supports various OAuth or OIDC providers.

Supported providers

  • Generic OIDC provider
  • Auth0
  • Authelia
  • Authentik
  • AWS Cognito
  • FusionAuth
  • Google
  • GitHub
  • GitLab
  • Keycloak
  • Microsoft Azure
  • Okta
  • Zitadel

General Configuration

To enable and configure Single Sign On, add the following configuration to your .env file. Please note that every SSO provider has its own configuration which must be added to the .env file and properly set up if you want to use it.

| Config | Possible Options | Default | Description |
| --- | --- | --- | --- |
| SSO_ENABLED | true/false | false | Enable SSO authentication via OAuth or OIDC |
| SSO_REGISTRATION_ENABLED | true/false | true | If set to false, users must have an existing SSO-enabled account to be able to log in. |
| REGULAR_LOGIN_DISABLED | true/false | false | Disable the regular login form and user management. |

User handling

When a user logs in with any SSO provider, the user account is handled as follows:

  • If a user with the same email address already exists, but no SSO details are present yet, this user is automatically connected to the user provided by the SSO provider. An internal ID is stored for that user.
  • If a user with the same email address already exists and SSO details are present, the user is logged in and the following fields are updated:
    • user name
    • authentication token (if applicable)
  • If no user with the same email address exists, a new user is registered and the user is automatically logged in.

If you disable your SSO provider after users registered with it, those users must manually reset their password via the regular password reset feature.

Example Configuration

    SSO_ENABLED=true
    REGULAR_LOGIN_DISABLED=true
    SSO_AUTH0_ENABLED=true
    SSO_AUTH0_BASE_URL=https://example.auth0.com/
    SSO_AUTH0_CLIENT_ID=W+qVVdlLP32a2F.....
    SSO_AUTH0_CLIENT_SECRET=U5qo0Le2stKK2vO87TTl.....

After adding this to your .env file, the regular login form vanishes and a button to log in with Auth0 will show up when users try to log in.

The callback URL is https://[[YOUR.LINKACE.INSTALL]]/auth/sso/[[SERVICE]]/callback. Replace [[SERVICE]] with the provider name that appears in SSO_[[SERVICE]]_ENABLED in your .env file.


Provider Configuration

Generic OpenID Connect Provider

| Config | Default | Description |
| --- | --- | --- |
| SSO_OIDC_ENABLED | false | Enable SSO authentication for OIDC |
| SSO_OIDC_BASE_URL | | The OIDC base URL (see details below) |
| SSO_OIDC_CLIENT_ID | | The OIDC client ID |
| SSO_OIDC_CLIENT_SECRET | | The OIDC client secret |
| SSO_OIDC_SCOPES | | Additional scopes sent to the OIDC provider |

The base URL must be set to the OpenID Configuration URL, but excluding the .well-known/openid-configuration part. Example: If https://auth.company.com/application/linkace/.well-known/openid-configuration is your OIDC configuration URL, then https://auth.company.com/application/linkace must be your base URL.
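The general settings, the callback URL rule and the base URL rule above can be checked before LinkAce is restarted. The following is an added example, not part of LinkAce: the function names are hypothetical, and it assumes that the client ID, client secret and the extra keys listed in PROVIDERS are required, and that the callback path uses the lowercase provider name as in the oidc callback shown for Authelia.

```python
# Providers documented on this page. Assumption: CLIENT_ID and CLIENT_SECRET are
# always required, plus the keys listed here; scopes and logout URLs are optional.
PROVIDERS = {
    "OIDC": ("BASE_URL",), "AUTH0": ("BASE_URL",), "AUTHENTIK": ("BASE_URL",),
    "FUSIONAUTH": ("BASE_URL",), "OKTA": ("BASE_URL",), "ZITADEL": ("BASE_URL",),
    "KEYCLOAK": ("BASE_URL", "REALM"), "AZURE": ("TENANT_ID",), "COGNITO": ("HOST",),
    "GOOGLE": (), "GITHUB": (), "GITLAB": (),
}
DISCOVERY_SUFFIX = ".well-known/openid-configuration"
SAMPLE_ENV = """\
# constructed sample with two deliberate mistakes
SSO_ENABLED=true
REGULAR_LOGIN_DISABLED=true
SSO_OIDC_ENABLED=true
SSO_OIDC_BASE_URL=https://auth.company.com/application/linkace/.well-known/openid-configuration
SSO_OIDC_CLIENT_ID=linkace
"""

def parse_env(text):  # KEY=VALUE lines; blank lines and # comments are skipped
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip("'\"") for k, v in pairs}

def oidc_base_url(discovery_url):  # value to put into SSO_OIDC_BASE_URL
    return discovery_url.split(DISCOVERY_SUFFIX)[0].rstrip("/")

def callback_url(host, service):  # redirect URI to register at the provider
    return f"https://{host}/auth/sso/{service.lower()}/callback"

def lint(env, host):  # returns (findings, callback URLs of enabled providers)
    on = lambda key, default="false": env.get(key, default).lower() == "true"
    enabled = [name for name in PROVIDERS if on(f"SSO_{name}_ENABLED")]
    findings = []
    if enabled and not on("SSO_ENABLED"):
        findings.append("a provider is enabled but SSO_ENABLED is not true")
    if on("REGULAR_LOGIN_DISABLED") and not (enabled and on("SSO_ENABLED")):
        findings.append("REGULAR_LOGIN_DISABLED=true but no SSO provider is active")
    if enabled and on("SSO_REGISTRATION_ENABLED", "true"):
        findings.append("SSO_REGISTRATION_ENABLED is true: unknown emails get new accounts")
    for name in enabled:
        for key in ("CLIENT_ID", "CLIENT_SECRET") + PROVIDERS[name]:
            if not env.get(f"SSO_{name}_{key}"):
                findings.append(f"SSO_{name}_{key} is missing or empty")
        if DISCOVERY_SUFFIX in env.get(f"SSO_{name}_BASE_URL", ""):
            findings.append(f"SSO_{name}_BASE_URL must not include {DISCOVERY_SUFFIX}")
    return findings, [callback_url(host, name) for name in enabled]

if __name__ == "__main__":
    print("\n".join(sum(lint(parse_env(SAMPLE_ENV), "linkace.example.com"), [])))
```

Run against the constructed sample, it reports the open registration default, the missing client secret and the base URL that still carries the discovery suffix, followed by the callback URL to register at the provider.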

Auth0

| Config | Default | Description |
| --- | --- | --- |
| SSO_AUTH0_ENABLED | false | Enable SSO authentication for Auth0 |
| SSO_AUTH0_BASE_URL | | The Auth0 base URL |
| SSO_AUTH0_CLIENT_ID | | The Auth0 client ID |
| SSO_AUTH0_CLIENT_SECRET | | The Auth0 client secret |

Authelia

OIDC with Authelia works with the generic OIDC config. The critical success factor is the Authelia configuration, where PKCE needs to be disabled.

configuration.yml (Authelia)

    identity_providers:
      oidc:
        clients:
          - client_id: 'linkace'
            client_name: 'linkace'
            client_secret: '[DIGEST OF SSO_OIDC_CLIENT_SECRET]'
            public: false
            authorization_policy: 'two_factor'
            require_pkce: false
            redirect_uris:
              - 'https://linkace.example.com/auth/sso/oidc/callback'
            scopes:
              - 'openid'
              - 'groups'
              - 'email'
              - 'profile'
            response_types:
              - 'code'
            grant_types:
              - 'authorization_code'
              - 'refresh_token'
            access_token_signed_response_alg: 'none'
            userinfo_signed_response_alg: 'none'
            token_endpoint_auth_method: 'client_secret_post'

LinkAce configuration

| Config | Default | Description |
| --- | --- | --- |
| SSO_OIDC_ENABLED | false | Enable SSO authentication for OIDC |
| SSO_OIDC_BASE_URL | | The OIDC base URL (see Generic OpenID Connect Provider above for details) |
| SSO_OIDC_CLIENT_ID | | The OIDC client ID |
| SSO_OIDC_CLIENT_SECRET | | The OIDC client secret |
| SSO_OIDC_SCOPES | | Additional scopes sent to the OIDC provider |

Authentik

| Config | Default | Description |
| --- | --- | --- |
| SSO_AUTHENTIK_ENABLED | false | Enable SSO authentication for Authentik |
| SSO_AUTHENTIK_BASE_URL | | The Authentik base URL |
| SSO_AUTHENTIK_CLIENT_ID | | The Authentik client ID |
| SSO_AUTHENTIK_CLIENT_SECRET | | The Authentik client secret |

AWS Cognito

| Config | Default | Description |
| --- | --- | --- |
| SSO_COGNITO_ENABLED | false | Enable SSO authentication for Cognito |
| SSO_COGNITO_HOST | | The Cognito base URL |
| SSO_COGNITO_CLIENT_ID | | The Cognito client ID |
| SSO_COGNITO_CLIENT_SECRET | | The Cognito client secret |
| SSO_COGNITO_LOGIN_SCOPE | | Comma-separated list of login scopes |
| SSO_COGNITO_SIGN_OUT_URL | | Where to redirect to in LinkAce after logging out |

FusionAuth

| Config | Default | Description |
| --- | --- | --- |
| SSO_FUSIONAUTH_ENABLED | false | Enable SSO authentication for FusionAuth |
| SSO_FUSIONAUTH_BASE_URL | | The FusionAuth base URL |
| SSO_FUSIONAUTH_CLIENT_ID | | The FusionAuth client ID |
| SSO_FUSIONAUTH_CLIENT_SECRET | | The FusionAuth client secret |

Google

| Config | Default | Description |
| --- | --- | --- |
| SSO_GOOGLE_ENABLED | false | Enable SSO authentication for Google |
| SSO_GOOGLE_CLIENT_ID | | The Google client ID |
| SSO_GOOGLE_CLIENT_SECRET | | The Google client secret |

GitHub

| Config | Default | Description |
| --- | --- | --- |
| SSO_GITHUB_ENABLED | false | Enable SSO authentication for GitHub |
| SSO_GITHUB_CLIENT_ID | | The GitHub client ID |
| SSO_GITHUB_CLIENT_SECRET | | The GitHub client secret |

GitLab

| Config | Default | Description |
| --- | --- | --- |
| SSO_GITLAB_ENABLED | false | Enable SSO authentication for GitLab |
| SSO_GITLAB_HOST | https://gitlab.com | The GitLab base URL |
| SSO_GITLAB_BASE_URL | | The GitLab base URL |
| SSO_GITLAB_CLIENT_ID | | The GitLab client ID |
| SSO_GITLAB_CLIENT_SECRET | | The GitLab client secret |

Keycloak

| Config | Default | Description |
| --- | --- | --- |
| SSO_KEYCLOAK_ENABLED | false | Enable SSO authentication for Keycloak |
| SSO_KEYCLOAK_BASE_URL | | The Keycloak base URL |
| SSO_KEYCLOAK_CLIENT_ID | | The Keycloak client ID |
| SSO_KEYCLOAK_CLIENT_SECRET | | The Keycloak client secret |
| SSO_KEYCLOAK_REALM | | The Keycloak realm |

Microsoft Azure

| Config | Default | Description |
| --- | --- | --- |
| SSO_AZURE_ENABLED | false | Enable SSO authentication for Azure |
| SSO_AZURE_CLIENT_ID | | The Azure client ID |
| SSO_AZURE_CLIENT_SECRET | | The Azure client secret |
| SSO_AZURE_TENANT_ID | | The Azure tenant ID |

Okta

| Config | Default | Description |
| --- | --- | --- |
| SSO_OKTA_ENABLED | false | Enable SSO authentication for Okta |
| SSO_OKTA_BASE_URL | | The Okta base URL |
| SSO_OKTA_CLIENT_ID | | The Okta client ID |
| SSO_OKTA_CLIENT_SECRET | | The Okta client secret |

Zitadel

| Config | Default | Description |
| --- | --- | --- |
| SSO_ZITADEL_ENABLED | false | Enable SSO authentication for Zitadel |
| SSO_ZITADEL_CLIENT_ID | | The Zitadel Client ID |
| SSO_ZITADEL_CLIENT_SECRET | | The Zitadel Client Secret |
| SSO_ZITADEL_BASE_URL | | The Zitadel base URL |
| SSO_ZITADEL_ORGANIZATION_ID | | The Zitadel organization ID |
| SSO_ZITADEL_PROJECT_ID | | The Zitadel project ID |
| SSO_ZITADEL_POST_LOGOUT_REDIRECT_URI | / | Where to redirect to in LinkAce after logging out |