OIDC Authentication

Published: October 8, 2025

Last updated: April 20, 2026

Integrate with OpenID Connect providers for single sign-on.

Basic Setup

YAML
1
2
3
4
5
6
7
8
9
auth:
  methods:
    oidc:
      enabled: true
      clientId: "filebrowser-client"
      clientSecret: "xxx"  # Use environment variable
      issuerUrl: "https://sso.example.com/application/o/filebrowser/"
      scopes: "openid email profile"
      userIdentifier: "preferred_username"

If you need group claims, add them to scopes (for example groups) per your provider.

info

Note: Its common to configure a source with denyByDefault and use access rules to enable group based access for OIDC users.

Configuration Options

Option	Description
`enabled`	Enable OIDC authentication
`clientId`	OIDC client ID
`clientSecret`	OIDC client secret (use env var)
`issuerUrl`	OIDC provider URL
`scopes`	Requested scopes
`userIdentifier`	User field (`preferred_username`, `email`, `username`, `phone`)
`adminGroup`	OIDC group name for admin rights
`userGroups`	List of allowed groups (empty = allow all)
`groupsClaim`	JSON field for groups (default: `groups`)
`disableVerifyTLS`	Disable TLS verification (testing only!)
`logoutRedirectUrl`	Provider logout URL

Defaults (when omitted): groupsClaim is groups, userIdentifier is preferred_username, and scopes defaults to openid email profile.

warning

Deprecated: createUser in this block is deprecated — omit it; new users are created automatically when OIDC login succeeds.

Issuer URL Examples

Authentik:

`1`	`https://domain.com/application/o/filebrowser/`

Pocket ID/Authelia:

`1`	`https://domain.com`

Callback URL

Append /api/auth/oidc/callback to the end of your base URL to get FileBrowser’s OIDC callback URL.

Configure in your OIDC provider:

`1`	`https://your-domain.com/api/auth/oidc/callback`

If you use a custom baseURL in your config.yaml:

`1`	`https://your-domain.com/custom-base/api/auth/oidc/callback`

Auto-Redirect

When OIDC is the only auth method, users are automatically redirected to the OIDC provider.

YAML
1
2
3
4
5
6
auth:
  methods:
    password:
      enabled: false
    oidc:
      enabled: true

Provider Examples

Authentik

Typical settings when Authentik exposes groups and an optional admin group mapping:

YAML
1
2
3
4
5
6
7
8
auth:
  methods:
    oidc:
      enabled: true
      clientId: "xxx"
      clientSecret: "xxx"
      issuerUrl: "https://auth.example.com/application/o/filebrowser/"
      adminGroup: "authentik Admins"

Authelia

Minimal Authelia client configuration:

YAML
1
2
3
4
5
6
7
auth:
  methods:
    oidc:
      enabled: true
      clientId: "xxx"
      clientSecret: "xxx"
      issuerUrl: "https://auth.example.com"

Group-Based Access Control

Admin Group

Grant admin privileges to users in a specific OIDC group:

YAML
1
2
3
4
5
6
7
8
auth:
  methods:
    oidc:
      enabled: true
      clientId: "xxx"
      clientSecret: "xxx"
      issuerUrl: "https://auth.example.com"
      adminGroup: "FileBrowser Admins"

Only allow users in specific OIDC groups to access FileBrowser:

YAML
1
2
3
4
5
6
7
8
auth:
  methods:
    oidc:
      enabled: true
      clientId: "xxx"
      clientSecret: "xxx"
      issuerUrl: "https://auth.example.com"
      userGroups: ["FileBrowser Users", "guests"]

Users not in these groups will be denied access even with valid OIDC authentication.

Next Steps

No Authentication

Password Authentication

OIDC Authentication

Basic Setup link

Configuration Options link

Issuer URL Examples link

Callback URL link

Auto-Redirect link

Provider Examples link

Authentik link

Authelia link

Group-Based Access Control link

Admin Group link

Restrict login to Specific Groups link

Next Steps link