OIDC Configuration Guide

Runabot uses Ory Kratos for identity management. To enable "Login with Google" or "Login with Microsoft (Azure AD)", you must configure Kratos OIDC providers.

Prerequisites

  • Access to the Runabot API container or Helm values.
  • Client ID and Client Secret from your Identity Provider.

1. Google Configuration

  1. Go to Google Cloud Console.
  2. Create an OAuth 2.0 Client ID (Web application).
  3. Authorized Redirect URIs: https://runabot.de/_auth/kratos/self-service/methods/oidc/callback/google
  4. Copy Client ID and Secret.

Kratos Config (kratos.yml)

Add the following to your Kratos config (or via Helm values):

selfservice:
  methods:
    oidc:
      enabled: true
      config:
        providers:
          - id: google
            provider: google
            client_id: "YOUR_CLIENT_ID"
            client_secret: "YOUR_CLIENT_SECRET"
            mapper_url: "file:///etc/config/kratos/oidc.google.jsonnet"
            scope:
              - email
              - profile

Mapper (oidc.google.jsonnet):

local claims = std.extVar('claims');
{
  identity: {
    traits: {
      email: claims.email,
      name: {
        first: claims.given_name,
        last: claims.family_name,
      },
    },
  },
}

2. Azure AD (Microsoft) Configuration

  1. Go to Azure Portal > App registrations.
  2. New Registration.
  3. Redirect URI: https://runabot.de/_auth/kratos/self-service/methods/oidc/callback/microsoft
  4. Create Client Secret in "Certificates & secrets".

Kratos Config

Add the microsoft provider as a second entry in the same providers list as above (enabled: true only needs to be set once):

selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: microsoft
            provider: microsoft
            client_id: "YOUR_CLIENT_ID"
            client_secret: "YOUR_CLIENT_SECRET"
            microsoft_tenant: "YOUR_TENANT_ID" # or "common"
            mapper_url: "file:///etc/config/kratos/oidc.microsoft.jsonnet"
            scope:
              - email
              - profile
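
As an added check (not part of Runabot or Kratos), the following Python walks the selfservice.methods.oidc block from this guide, derives each provider's callback URL the way Kratos does, and flags what most often breaks or weakens an OIDC rollout: placeholder credentials, a scope without email, and a microsoft_tenant of "common". The provider dictionary is a constructed sample; the microsoft client_id and client_secret values are hypothetical.

```python
# Constructed sample mirroring selfservice.methods.oidc from this guide: the google
# entry keeps the guide's placeholders, the microsoft values are hypothetical.
OIDC_CONFIG = {
    "enabled": True,
    "config": {"providers": [
        {"id": "google", "provider": "google",
         "client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET",
         "mapper_url": "file:///etc/config/kratos/oidc.google.jsonnet",
         "scope": ["email", "profile"]},
        {"id": "microsoft", "provider": "microsoft",
         "client_id": "00000000-hypo-thet-ical-000000000000",
         "client_secret": "hypothetical-secret", "microsoft_tenant": "common",
         "mapper_url": "file:///etc/config/kratos/oidc.microsoft.jsonnet",
         "scope": ["email", "profile"]},
    ]},
}
PUBLIC_URL = "https://runabot.de/_auth/kratos"  # Kratos public base URL used in the guide
PLACEHOLDERS = {"YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "YOUR_TENANT_ID"}


def redirect_uri(provider_id, public_url=PUBLIC_URL):
    """Callback URL Kratos serves for a provider id; the IdP registration must match it exactly."""
    return f"{public_url.rstrip('/')}/self-service/methods/oidc/callback/{provider_id}"


def check_oidc_config(cfg):
    """Return a list of findings; an empty list means the provider block is ready to deploy."""
    findings = []
    if not cfg.get("enabled"):
        findings.append("oidc method is not enabled")
    seen = set()
    for p in cfg.get("config", {}).get("providers", []):
        pid = p.get("id", "<missing id>")
        if pid in seen:  # two providers with one id would share a callback URL
            findings.append(f"{pid}: duplicate provider id")
        seen.add(pid)
        for key in ("provider", "client_id", "client_secret", "mapper_url"):
            if not p.get(key):
                findings.append(f"{pid}: missing {key}")
        for key in ("client_id", "client_secret", "microsoft_tenant"):
            if p.get(key) in PLACEHOLDERS:
                findings.append(f"{pid}: {key} still holds the placeholder value")
        if p.get("provider") == "microsoft" and p.get("microsoft_tenant") == "common":
            findings.append(f"{pid}: microsoft_tenant 'common' accepts any Azure AD tenant and "
                            "personal accounts; pin your tenant id unless that is intended")
        if "email" not in p.get("scope", []):
            findings.append(f"{pid}: scope lacks 'email', so the mapper cannot fill traits.email")
    return findings
```

Compare the output of redirect_uri for each provider id with the Redirect URI registered at Google or Azure before deploying; a single character of difference makes the IdP reject the callback.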

References