Generic OIDC Setup
This guide covers configuring AgentCube with any OIDC-compliant identity provider — Okta, Auth0, Keycloak, or others.
Prerequisites
- An OIDC-compliant identity provider with admin access
- The provider must support the Authorization Code flow
- The provider must include `email` or `preferred_username` in token claims
Step 1: Create an Application
In your identity provider's admin console:
- Create a new application (Web application type)
- Set the redirect URI / callback URL to:
- Enable the Authorization Code grant type
- Configure the application to include `email` or `preferred_username` in ID token claims
Multiple connectors
Add a redirect URI for each connector you deploy (e.g., one for Essbase, one for Planning).
Step 2: Note Discovery URL
Locate your provider's OpenID Connect discovery endpoint. This is typically:
Provider-specific examples:
| Provider | Discovery URL Pattern |
|---|---|
| Okta | https://{okta_domain}/oauth2/default/.well-known/openid-configuration |
| Auth0 | https://{auth0_domain}/.well-known/openid-configuration |
| Keycloak | https://{keycloak_host}/realms/{realm}/.well-known/openid-configuration |
Step 3: Record Configuration Values
| IdP Value | Environment Variable |
|---|---|
| Discovery URL | OIDC_CONFIG_URL |
| Client ID | OIDC_CLIENT_ID |
| Client secret | OIDC_CLIENT_SECRET |
Optional:
| IdP Value | Environment Variable | Default |
|---|---|---|
| Scopes | OIDC_SCOPES | openid,profile,email |
Step 4: Verify Token Claims
Ensure your identity provider returns at least one of these claims in the ID token:
- `email` (most common for Okta, Auth0)
- `preferred_username` (common for Keycloak)
- `sub` (universal fallback)
The claim value must match the username in your OCI Identity Domain (see OCI Identity Domain Setup).
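One way to run the checks from Steps 2 to 4 offline before deploying. This is an added example, not AgentCube's own code. The function names, the `idp.example.test` host and the sample token are constructed, and the claim precedence (`email`, then `preferred_username`, then `sub`) is an assumption taken from the order of the list above. The token payload is decoded for inspection only, without signature verification.

```python
import base64
import json

WELL_KNOWN = "/.well-known/openid-configuration"
CLAIM_ORDER = ("email", "preferred_username", "sub")  # assumed precedence

def check_discovery(config_url, doc, scopes="openid,profile,email"):
    """Return a list of problems found in a discovery document."""
    problems = []
    # OIDC Discovery: issuer must be the URL prefix the document is served under.
    if doc.get("issuer", "").rstrip("/") + WELL_KNOWN != config_url:
        problems.append("issuer does not match discovery URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("Authorization Code flow not advertised")
    advertised = doc.get("scopes_supported")  # optional metadata field
    for scope in scopes.split(","):
        if advertised is not None and scope.strip() not in advertised:
            problems.append(f"scope {scope.strip()} not advertised")
    return problems

def decode_claims(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def username_claim(claims):
    """Return (claim_name, value) for the first usable identity claim."""
    for name in CLAIM_ORDER:
        value = claims.get(name)
        if isinstance(value, str) and value.strip():
            return name, value
    raise LookupError("ID token has none of: " + ", ".join(CLAIM_ORDER))

def b64url(obj):  # unpadded base64url JSON segment, used only for sample data
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: idp.example.test is a placeholder, not a real provider.
SAMPLE_URL = "https://idp.example.test/realms/demo" + WELL_KNOWN
SAMPLE_DOC = {"issuer": "https://idp.example.test/realms/demo",
              "response_types_supported": ["code", "id_token"],
              "scopes_supported": ["openid", "profile", "email"]}
SAMPLE_TOKEN = ".".join([b64url({"alg": "RS256"}),
                         b64url({"sub": "f3a1", "preferred_username": "jdoe"}), "sig"])

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC), username_claim(decode_claims(SAMPLE_TOKEN)))
```

To check a real provider, pass the JSON fetched from your `OIDC_CONFIG_URL` and an ID token issued to a test user, then compare the returned claim value with the username in your OCI Identity Domain.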
Next Steps
- Set up OCI Identity Domain for Oracle token exchange
- Generate the signing key
- Configure environment variables