OIDC Authentication

Integrate with OpenID Connect providers for single sign-on.

Basic Setup

YAML
1
2
3
4
5
6
7
8
9
auth:
  methods:
    oidc:
      enabled: true
      clientId: "filebrowser-client"
      clientSecret: "xxx"  # Use environment variable
      issuerUrl: "https://sso.example.com/application/o/filebrowser/"
      scopes: "email openid profile groups"
      userIdentifier: "preferred_username"

info

Note: Its common to configure a source with denyByDefault and use access rules to enable group based access for OIDC users.

Configuration Options

Option	Description
`enabled`	Enable OIDC authentication
`clientId`	OIDC client ID
`clientSecret`	OIDC client secret (use env var)
`issuerUrl`	OIDC provider URL
`scopes`	Requested scopes
`userIdentifier`	User field (`preferred_username`, `email`, `username`, `phone`)
`adminGroup`	OIDC group name for admin rights
`userGroups`	List of allowed groups (empty = allow all) - requires v1.3.x+
`groupsClaim`	JSON field for groups (default: `groups`)
`disableVerifyTLS`	Disable TLS verification (testing only!)
`logoutRedirectUrl`	Provider logout URL

Issuer URL Examples

Authentik:

`1`	`https://domain.com/application/o/filebrowser/`

Pocket ID/Authelia:

`1`	`https://domain.com`

Callback URL

Append /api/auth/oidc/callback to the end of your base URL to get FileBrowser’s OIDC callback URL.

Configure in your OIDC provider:

`1`	`https://your-domain.com/api/auth/oidc/callback`

If you a custom baseURL in your config.yaml:

`1`	`https://your-domain.com/custom-base/api/auth/oidc/callback`

Auto-Redirect

When OIDC is the only auth method, users are automatically redirected to the OIDC provider.

YAML
1
2
3
4
5
6
auth:
  methods:
    password:
      enabled: false
    oidc:
      enabled: true

Provider Examples

Authentik

YAML
1
2
3
4
5
6
7
8
auth:
  methods:
    oidc:
      enabled: true
      clientId: "xxx"
      clientSecret: "xxx"
      issuerUrl: "https://auth.example.com/application/o/filebrowser/"
      adminGroup: "authentik Admins"

Authelia

YAML
1
2
3
4
5
6
7
auth:
  methods:
    oidc:
      enabled: true
      clientId: "xxx"
      clientSecret: "xxx"
      issuerUrl: "https://auth.example.com"

Group-Based Access Control

Admin Group

Grant admin privileges to users in a specific OIDC group:

YAML
1
2
3
4
5
6
7
8
auth:
  methods:
    oidc:
      enabled: true
      clientId: "xxx"
      clientSecret: "xxx"
      issuerUrl: "https://auth.example.com"
      adminGroup: "FileBrowser Admins"

info

requires version 1.3.x+

Only allow users in specific OIDC groups to access FileBrowser:

YAML
1
2
3
4
5
6
7
8
auth:
  methods:
    oidc:
      enabled: true
      clientId: "xxx"
      clientSecret: "xxx"
      issuerUrl: "https://auth.example.com"
      userGroups: ["FileBrowser Users", "guests"]

Users not in these groups will be denied access even with valid OIDC authentication.

Next Steps

No Authentication

Password Authentication

OIDC Authentication

Basic Setup link

Configuration Options link

Issuer URL Examples link

Callback URL link

Auto-Redirect link

Provider Examples link

Authentik link

Authelia link

Group-Based Access Control link

Admin Group link

Restrict login to Specific Groups link

Next Steps link