Bevy supports Single Sign On via OpenID Connect, which is a simple identity layer on top of the OAuth 2.0 protocol.
Requirements
To support Single Sign On via OpenID Connect, Bevy requires the following:
- The URL for the OpenID Connect discovery document
  - It's common for OpenID Connect servers to serve a URL with the location of what's called a "Discovery Document". Usually, that URL is something like https://example.com/.well-known/openid-configuration.
- The following set of keys via a secure channel:
  - Client ID
  - Client Secret
- Whitelist the redirect/callback URLs:
  - Add a callback URL for Bevy to test: https://<client-id>-staging.bevylabs.com/accounts/oidc/callback/ Here, <client-id> is the same ID used for the bevylabs.com subdomain.
  - Add a callback URL for your instance during onboarding: https://<client-id>.bevylabs.com/accounts/oidc/callback/
  - Add a callback URL for your final chosen domain that will be used when you go live with Bevy: https://<your-domain>/accounts/oidc/callback/
- A scope list
  - Usually, the scope list includes openid, profile, and email.
- The SSO mapping configuration based on the data you include in your ID token for First Name, Last Name, Email, ID, Picture, and Full Name
  - The table below is an example of SSO mapping configuration (Bevy field on the left, ID token claim on the right):

Bevy field | ID token claim
--- | ---
First Name | given_name
Last Name | family_name
ID | sub
Picture | picture
Full Name | name
Use https://<your-domain>/accounts/oidc/login/ to configure this provider for service provider-initiated SSO. For example, https://bevy.com/accounts/oidc/login/
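To make the requirements above concrete, here is an added Python example (not Bevy's code, and not a description of how Bevy is implemented) of the relying-party-side checks they imply: exact-match validation of a callback URL against the whitelist, a check that the granted scopes cover openid, profile and email, and application of the example SSO mapping to decoded ID token claims. The client id "acme", the go-live domain community.example.org, and the sample claims are all constructed for this example.

```python
"""Added example (not Bevy's code): exact-match redirect URI checking,
scope checking and ID token claim mapping as the requirements above imply.

Assumptions: the callback whitelist, the client id "acme", the go-live
domain and the sample ID token claims are all constructed for this example.
"""
from urllib.parse import urlsplit

# Constructed whitelist built from the three callback URL patterns above,
# with the placeholder <client-id> filled in as "acme" (an assumption).
CLIENT_ID = "acme"
ALLOWED_REDIRECT_URIS = {
    f"https://{CLIENT_ID}-staging.bevylabs.com/accounts/oidc/callback/",
    f"https://{CLIENT_ID}.bevylabs.com/accounts/oidc/callback/",
    # go-live domain, constructed for the example
    "https://community.example.org/accounts/oidc/callback/",
}

REQUIRED_SCOPES = {"openid", "profile", "email"}

# Example SSO mapping from the table above: Bevy field -> ID token claim.
SSO_MAPPING = {
    "First Name": "given_name",
    "Last Name": "family_name",
    "ID": "sub",
    "Picture": "picture",
    "Full Name": "name",
}


def redirect_uri_allowed(redirect_uri: str) -> bool:
    """Return True only for an exact whitelist match over https.

    Exact matching (no prefix or wildcard matching) is what a whitelist
    of full URLs means; it rejects look-alike hosts and appended paths.
    """
    if urlsplit(redirect_uri).scheme != "https":
        return False
    return redirect_uri in ALLOWED_REDIRECT_URIS


def missing_scopes(granted: str) -> set:
    """Return the required scopes absent from a space-separated scope string."""
    return REQUIRED_SCOPES - set(granted.split())


def map_id_token_claims(claims: dict, mapping: dict = SSO_MAPPING) -> dict:
    """Apply the SSO mapping to already-verified, decoded ID token claims.

    Raises KeyError when a mapped claim is missing, so a misconfigured
    provider fails loudly during onboarding instead of creating accounts
    with blank fields. Only mapped claims are copied into the profile.
    """
    profile = {}
    for bevy_field, claim in mapping.items():
        if claim not in claims:
            raise KeyError(f"ID token lacks claim {claim!r} needed for {bevy_field!r}")
        profile[bevy_field] = claims[claim]
    return profile


# Constructed sample claims, as a provider might place them in an ID token
# after the openid, profile and email scopes were granted.
SAMPLE_CLAIMS = {
    "sub": "24400320",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "name": "Ada Lovelace",
    "picture": "https://idp.example.com/avatars/24400320.png",
    "email": "ada@example.org",
    "iss": "https://idp.example.com",
    "aud": CLIENT_ID,
}

if __name__ == "__main__":
    print(redirect_uri_allowed(f"https://{CLIENT_ID}.bevylabs.com/accounts/oidc/callback/"))
    print(missing_scopes("openid profile"))
    print(map_id_token_claims(SAMPLE_CLAIMS))
```

The mapping keys the Bevy account on the `sub` claim, which is the provider's stable identifier for the user; that is why the example table maps ID to `sub` rather than to a display value that may change. `map_id_token_claims` assumes the token's signature, issuer, audience and expiry have already been verified before its claims are trusted.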
Support for PKCE
Bevy supports the PKCE flow, which adds a Code Verifier and Code Challenge to the OpenID Connect Authorization Code flow if your identity provider is configured for it.
To enable PKCE, request this option from your Bevy onboarding team.
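As an added example (not Bevy's code) of what the Code Verifier and Code Challenge are, the following Python implements the S256 method of RFC 7636: the relying party generates a random verifier, sends only its SHA-256 challenge in the authorization request, and presents the verifier at the token endpoint, where the provider recomputes and compares the challenge. The `client_id`, `redirect_uri` and `scope` values passed to `authorization_request_params` are whatever you configured above; the `state` and `nonce` parameters are included for completeness and are not part of PKCE itself.

```python
"""Added example (not Bevy's code): the PKCE code_verifier / code_challenge
pair (RFC 7636, S256 method) that the flow above adds to the Authorization
Code exchange, plus the check the identity provider performs at the token
endpoint.
"""
import base64
import hashlib
import re
import secrets

# RFC 7636: 43-128 characters from the unreserved set [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url encode without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(num_bytes: int = 32) -> str:
    """Generate a high-entropy verifier (32 random bytes -> 43 characters)."""
    return b64url_nopad(secrets.token_bytes(num_bytes))


def make_code_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not _VERIFIER_RE.match(code_verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_nopad(digest)


def verify_code_challenge(code_verifier: str, code_challenge: str) -> bool:
    """Provider-side check: the verifier presented at the token endpoint must
    hash to the challenge sent in the authorization request. A malformed
    verifier fails closed; the comparison is constant-time."""
    try:
        expected = make_code_challenge(code_verifier)
    except ValueError:
        return False
    return secrets.compare_digest(expected, code_challenge)


def authorization_request_params(client_id: str, redirect_uri: str,
                                 scope: str, code_verifier: str) -> dict:
    """Query parameters the relying party adds to the authorization request.
    Only the challenge travels in this request; the verifier stays with the
    relying party until the token exchange."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
        "code_challenge": make_code_challenge(code_verifier),
        "code_challenge_method": "S256",
    }


if __name__ == "__main__":
    # Constructed values for a stand-alone run; <client-id> is "acme" here.
    verifier = make_code_verifier()
    params = authorization_request_params(
        "acme", "https://acme.bevylabs.com/accounts/oidc/callback/",
        "openid profile email", verifier)
    print(params["code_challenge"])
    print(verify_code_challenge(verifier, params["code_challenge"]))
```

Because the provider only ever sees the hash until the token request, an authorization code intercepted on the callback cannot be redeemed without the verifier; that is the protection PKCE adds on top of the client secret.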