OIDC Configuration (Universal SSO)
Runabot supports multiple OIDC providers (Google, Microsoft, Keycloak, etc.) via Ory Kratos. Configuration is managed entirely through SOPS secrets.
1. Configure SOPS
Add your providers to the oidc_providers list in your environment’s SOPS file (pulumi/sops/secrets/<env>.json).
Example: Google SSO

```json
{
  "runabot": {
    "oidc_providers": [
      {
        "id": "google",
        "provider": "google",
        "label": "Sign in with Google",
        "client_id": "CLIENT_ID_HERE",
        "client_secret": "CLIENT_SECRET_HERE",
        "mapper_url": "file:///etc/config/kratos/oidc.google.json",
        "scope": ["email", "profile", "openid"]
      }
    ]
  }
}
```

Example: Microsoft (Azure AD)
```json
{
  "runabot": {
    "oidc_providers": [
      {
        "id": "microsoft",
        "provider": "microsoft",
        "label": "Sign in with Microsoft",
        "client_id": "CLIENT_ID_HERE",
        "client_secret": "CLIENT_SECRET_HERE",
        "microsoft_tenant": "organizations",
        "mapper_url": "file:///etc/config/kratos/oidc.microsoft.json",
        "scope": ["email", "profile", "openid"]
      }
    ]
  }
}
```

Example: Generic OIDC (Keycloak/Okta)
```json
{
  "runabot": {
    "oidc_providers": [
      {
        "id": "my-sso",
        "provider": "generic",
        "label": "Company SSO",
        "client_id": "CLIENT_ID_HERE",
        "client_secret": "CLIENT_SECRET_HERE",
        "issuer_url": "https://sso.example.com/realms/master",
        "mapper_url": "file:///etc/config/kratos/oidc.generic.json"
      }
    ]
  }
}
```

2. Redirect URIs
Ensure your identity provider has the correct Authorized Redirect URI:
https://<your-domain>/_auth/kratos/self-service/methods/oidc/callback/<provider_id>
For the examples above:
- Google: .../callback/google
- Microsoft: .../callback/microsoft
- Generic: .../callback/my-sso
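The three sections above leave a few things to the operator: every entry needs a unique id and real credentials, a generic provider needs an https issuer_url, and each provider id must be allow-listed at the identity provider under the callback path shown. The following script is an added example (not part of Runabot or Ory Kratos) that checks a decrypted <env>.json for those points and prints the redirect URIs to register. It assumes the decrypted file has exactly the runabot.oidc_providers shape shown above, that the literal placeholder strings from the examples count as "not yet filled in", and that the only valid mapper_url values are the three built-in mappers listed in section 3; the embedded sample config, the domain runabot.example.com and all credential strings in it are constructed.

```python
"""Sanity-check runabot.oidc_providers before a deploy (added example, not project code)."""
import json
from urllib.parse import urlparse

# Mapper files the docs list as built in (copied from section 3 of the docs).
BUILTIN_MAPPERS = {
    "file:///etc/config/kratos/oidc.google.json",
    "file:///etc/config/kratos/oidc.microsoft.json",
    "file:///etc/config/kratos/oidc.generic.json",
}
# Placeholder strings from the docs examples; treated as "not yet filled in" (assumption).
PLACEHOLDERS = {"CLIENT_ID_HERE", "CLIENT_SECRET_HERE", ""}
# Callback path from section 2; the IdP must allow-list https://<domain> + this path.
CALLBACK_PATH = "/_auth/kratos/self-service/methods/oidc/callback/{provider_id}"

# Constructed sample of a decrypted <env>.json: one complete Google entry and one
# generic entry that still carries a placeholder secret and a plain-http issuer.
SAMPLE_SECRETS = """
{
  "runabot": {
    "oidc_providers": [
      {
        "id": "google",
        "provider": "google",
        "label": "Sign in with Google",
        "client_id": "example-client-id.apps.googleusercontent.com",
        "client_secret": "example-google-secret",
        "mapper_url": "file:///etc/config/kratos/oidc.google.json",
        "scope": ["email", "profile", "openid"]
      },
      {
        "id": "my-sso",
        "provider": "generic",
        "label": "Company SSO",
        "client_id": "runabot",
        "client_secret": "CLIENT_SECRET_HERE",
        "issuer_url": "http://sso.example.com/realms/master",
        "mapper_url": "file:///etc/config/kratos/oidc.generic.json"
      }
    ]
  }
}
"""


def load_sample() -> dict:
    """Parse the constructed sample above (stands in for the output of `sops -d`)."""
    return json.loads(SAMPLE_SECRETS)


def validate_providers(secrets: dict) -> list[str]:
    """Return human-readable problems; an empty list means the config looks sane."""
    problems: list[str] = []
    providers = secrets.get("runabot", {}).get("oidc_providers", [])
    if not isinstance(providers, list) or not providers:
        return ["runabot.oidc_providers is missing or empty"]
    seen_ids: set[str] = set()
    for idx, p in enumerate(providers):
        where = f"oidc_providers[{idx}]"
        pid = p.get("id")
        if not pid:
            problems.append(f"{where}: missing id")
        elif pid in seen_ids:
            # Duplicate ids would collide on the same callback URL.
            problems.append(f"{where}: duplicate id {pid!r}")
        seen_ids.add(pid)
        for key in ("provider", "label", "client_id", "client_secret", "mapper_url"):
            if not p.get(key):
                problems.append(f"{where}: missing {key}")
        # Example placeholders must never reach a real environment.
        for key in ("client_id", "client_secret"):
            if p.get(key) in PLACEHOLDERS:
                problems.append(f"{where}: {key} still holds a placeholder value")
        if p.get("provider") == "generic":
            # Discovery and token exchange go to the issuer, so it must be TLS.
            parsed = urlparse(p.get("issuer_url", ""))
            if parsed.scheme != "https" or not parsed.netloc:
                problems.append(f"{where}: generic provider needs an https issuer_url")
        if p.get("provider") == "microsoft" and not p.get("microsoft_tenant"):
            problems.append(f"{where}: microsoft provider needs microsoft_tenant")
        if p.get("mapper_url") and p["mapper_url"] not in BUILTIN_MAPPERS:
            problems.append(f"{where}: mapper_url is not one of the built-in mappers")
    return problems


def redirect_uris(secrets: dict, domain: str) -> dict[str, str]:
    """Map each provider id to the Authorized Redirect URI the IdP must allow-list."""
    providers = secrets.get("runabot", {}).get("oidc_providers", [])
    return {
        p["id"]: f"https://{domain}" + CALLBACK_PATH.format(provider_id=p["id"])
        for p in providers
        if p.get("id")
    }


if __name__ == "__main__":
    cfg = load_sample()
    for problem in validate_providers(cfg):
        print("PROBLEM:", problem)
    for pid, uri in redirect_uris(cfg, "runabot.example.com").items():
        print(f"allow-list for {pid}: {uri}")
```

Against the embedded sample, the script flags the generic entry twice (placeholder client_secret and non-https issuer_url) and leaves the Google entry alone. To run it against a real environment, replace load_sample() with json.loads of the output of sops -d on pulumi/sops/secrets/<env>.json, and paste the printed URIs into the provider's redirect-URI allow-list before enabling the login button.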
3. Standard Mappers

Runabot provides built-in Jsonnet mappers for common providers:

- file:///etc/config/kratos/oidc.google.json
- file:///etc/config/kratos/oidc.microsoft.json
- file:///etc/config/kratos/oidc.generic.json