Environment Variables Configuration

To enable OIDC integration in Teable, set the following environment variables in your .env file:

# OIDC configuration example (using Google as provider)
BACKEND_OIDC_CLIENT_ID=google_client_id

# Client secret provided by the OIDC provider (Google in this example)
BACKEND_OIDC_CLIENT_SECRET=google_client_secret

# URL where the OIDC provider will redirect after successful authentication
BACKEND_OIDC_CALLBACK_URL=https://app.teable.io/api/auth/oidc/callback

# Endpoint URL for retrieving authenticated user information
BACKEND_OIDC_USER_INFO_URL=https://openidconnect.googleapis.com/v1/userinfo

# Endpoint URL for obtaining access tokens
BACKEND_OIDC_TOKEN_URL=https://oauth2.googleapis.com/token

# Endpoint URL where users authenticate
BACKEND_OIDC_AUTHORIZATION_URL=https://accounts.google.com/o/oauth2/auth

# Identifier URL for the OIDC provider (Google in this example)
BACKEND_OIDC_ISSUER=https://accounts.google.com

# Additional OIDC configuration options in JSON format
BACKEND_OIDC_OTHER={"scope": ["email", "profile"]}

# Comma-separated list of supported social authentication providers
SOCIAL_AUTH_PROVIDERS=oidc

Configuration Details

  • BACKEND_OIDC_CLIENT_ID: Client ID provided by the OIDC provider for Teable.
  • BACKEND_OIDC_CLIENT_SECRET: Client secret provided by the OIDC provider for Teable.
  • BACKEND_OIDC_CALLBACK_URL: Teable’s callback URL. Set to https://app.teable.io/api/auth/oidc/callback. Ensure this matches the callback URL registered with your OIDC provider.
  • BACKEND_OIDC_USER_INFO_URL: Endpoint URL for retrieving user information from the OIDC provider.
  • BACKEND_OIDC_TOKEN_URL: Endpoint URL for obtaining access tokens from the OIDC provider.
  • BACKEND_OIDC_AUTHORIZATION_URL: Endpoint URL where users authenticate with the OIDC provider.
  • BACKEND_OIDC_ISSUER: Identifier URL of the OIDC provider.
  • BACKEND_OIDC_OTHER: Additional OIDC configuration options in JSON format. In this example, we request “email” and “profile” scopes.

Enabling OIDC Authentication in Teable

To enable OIDC as an authentication method in Teable, include “oidc” in the SOCIAL_AUTH_PROVIDERS environment variable:

SOCIAL_AUTH_PROVIDERS=github,google,oidc

This allows users to authenticate in Teable using OIDC, GitHub, and Google.

Important Notes

  1. Ensure all URLs use HTTPS protocol for security.
  2. Never hardcode these sensitive details directly into the Teable application in production. Always use environment variables or secure key management systems.
  3. Specific URLs and configurations may vary depending on your chosen OIDC provider (such as Google, Okta, Auth0, etc.). Refer to your OIDC provider’s documentation for accurate endpoint URLs and configuration requirements.
  4. When setting BACKEND_OIDC_OTHER, you may need to add additional parameters based on your requirements and OIDC provider support.
  5. The example in .env.example uses Google as the OIDC provider. If you use a different provider, make sure to update the URLs accordingly.

With proper configuration of these environment variables, your Teable application should successfully integrate OIDC authentication. If you encounter any issues, check your OIDC provider documentation and ensure all URLs and credentials are correct.

Example: Using Authentik as OIDC Provider

Follow these steps to configure Authentik as an OIDC provider for your Teable application:

  1. Log in to your Authentik admin panel and create a new OAuth2 Provider.
  2. In the OAuth2 Provider settings, set the redirect URI to match your BACKEND_OIDC_CALLBACK_URL. The format should be:
https://your-teable-domain.com/api/auth/oidc/callback
  1. After creating the OAuth2 Provider, you need to map Authentik configuration to Teable environment variables. Use the following correspondence:
    • Client ID → BACKEND_OIDC_CLIENT_ID
    • Userinfo URL → BACKEND_OIDC_USER_INFO_URL
    • Token URL → BACKEND_OIDC_TOKEN_URL
    • Authorize URL → BACKEND_OIDC_AUTHORIZATION_URL
    • OpenID Configuration Issuer → BACKEND_OIDC_ISSUER
  2. Generate a client secret in Authentik and set it as BACKEND_OIDC_CLIENT_SECRET in Teable environment variables.
  3. Update your Teable .env file with these values. Your configuration should look something like this: 
    SOCIAL_AUTH_PROVIDERS=oidc
BACKEND_OIDC_CLIENT_ID=your_authentik_client_id
BACKEND_OIDC_CLIENT_SECRET=your_generated_secret
BACKEND_OIDC_CALLBACK_URL=https://your-teable-domain.com/api/auth/oidc/callback
BACKEND_OIDC_USER_INFO_URL=https://your-authentik-domain.com/application/o/userinfo
BACKEND_OIDC_TOKEN_URL=https://your-authentik-domain.com/application/o/token
BACKEND_OIDC_AUTHORIZATION_URL=https://your-authentik-domain.com/application/o/authorize
BACKEND_OIDC_ISSUER=https://your-authentik-domain.com/application/o/teable
BACKEND_OIDC_OTHER={"scope": ["email", "profile"]}

Remember to replace your-teable-domain.com and your-authentik-domain.com with your actual domain names.

Following these steps, you should have successfully configured Authentik as an OIDC provider for your Teable application. Make sure to restart your Teable application after updating the environment variables for the changes to take effect.

More Environment Variables

Environment Variables