FileRise supports OpenID Connect (OIDC) providers such as Auth0, Authentik, and Keycloak. OIDC works alongside local users and TOTP.
Basic setup
- In your IdP, create an OIDC client.
- Set the redirect URI:
  https://your-host/api/auth/auth.php?oidc=callback
  If FileRise is hosted under a subpath, include it:
  https://your-host/files/api/auth/auth.php?oidc=callback
- In FileRise: Admin → OIDC & TOTP
  - Provider URL (issuer URL, without /.well-known/...)
  - Client ID / Client Secret
  - Redirect URI
  - Optional: Public client (no secret)

Use Test OIDC discovery in the admin panel to validate the issuer URL.
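The issuer-URL rule above can also be checked offline against a saved discovery document. This is an added example, not FileRise's own code: check_discovery, fetch_discovery, the sample document and its host names are constructed for illustration, and the required-field list assumes an authorization-code client.

```python
import json
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Fields an authorization-code client needs (assumption for this example).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample discovery document with two deliberate problems.
SAMPLE_DOC = {
    "issuer": "https://idp.example.test/realms/files",
    "authorization_endpoint": "https://idp.example.test/realms/files/auth",
    "token_endpoint": "https://idp.example.test/realms/files/token",
    "jwks_uri": "http://idp.example.test/realms/files/certs",
    "claims_supported": ["sub", "email", "preferred_username"],
}


def fetch_discovery(provider_url, timeout=10):
    """Fetch the discovery document for an issuer URL (network call)."""
    url = provider_url.rstrip("/") + WELL_KNOWN
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(provider_url, doc, group_claim="groups"):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if "/.well-known" in provider_url:
        problems.append("Provider URL must be the issuer, without /.well-known/...")
    for key in REQUIRED:
        if not doc.get(key):
            problems.append(f"discovery document lacks {key}")
    # OIDC Discovery: the advertised issuer must equal the configured URL
    # exactly, so a stray trailing slash or another realm path is a mismatch.
    issuer = doc.get("issuer")
    if issuer and issuer != provider_url:
        problems.append(f"issuer mismatch: IdP advertises {issuer!r}")
    for key in REQUIRED[1:]:
        url = doc.get(key)
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    # claims_supported is optional metadata, so only flag it when present.
    claims = doc.get("claims_supported")
    if claims is not None and group_claim not in claims:
        problems.append(f"claim {group_claim!r} not advertised in claims_supported")
    return problems
```

To check a live IdP, pass the result of fetch_discovery(provider_url) as the doc argument.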
Auto-provisioning users
By default, FileRise can auto-create users on first successful OIDC login.
Advanced override (in config/config.php or env):
- FR_OIDC_AUTO_CREATE (true/false)
Admin group mapping
You can map an IdP group to FileRise admin. Configure the group claim and admin group name:
- FR_OIDC_GROUP_CLAIM (default: groups)
- FR_OIDC_ADMIN_GROUP (default: filerise-admins)
If a user is removed from the IdP admin group, FileRise can demote them on next login.
- Admin UI toggle: "Allow demote"
- Env override: FR_OIDC_ALLOW_DEMOTE=1
Pro: map IdP groups to FileRise Pro groups
If Pro is active, FileRise can map IdP groups into Pro user groups.
- FR_OIDC_PRO_GROUP_PREFIX (optional prefix filter)
Example:
- IdP group: frp_clients_acme
- Prefix: frp_
- Pro group: clients_acme
Troubleshooting tips
- Ensure the redirect URI matches exactly what your IdP expects.
- If behind a proxy/subpath, set FR_PUBLISHED_URL and FR_BASE_PATH if needed.
- For debugging, enable OIDC debug logging in the admin panel or set FR_OIDC_DEBUG=1.
Proxy auth headers (advanced)
If your reverse proxy authenticates users, you can disable form login and trust a header (default X-Remote-User) via Admin → Login options.