
Last Updated: 3/16/2026



SSO (Single-Sign-On) with OAuth or OIDC


You can connect LinkAce with an OAuth or OIDC provider to manage your users in a central place and let them log in to LinkAce with a single click. No separate registration needed. No duplicate passwords to save.

LinkAce supports various OAuth or OIDC providers.

Supported providers

General Configuration

To enable and configure Single Sign On, add the following configuration to your .env file. Please note that every SSO provider has its own configuration which must be added to the .env file and properly set up if you want to use it.


| Config | Possible Options | Default | Description |
| --- | --- | --- | --- |
| `SSO_ENABLED` | true/false | false | Enable SSO authentication via OAuth or OIDC |
| `SSO_REGISTRATION_ENABLED` | true/false | true | If set to false, users must have an existing SSO-enabled account to be able to log in. |
| `REGULAR_LOGIN_DISABLED` | true/false | false | Disable the regular login form and user management. |


User handling

When a user tries to log in with any SSO provider, this is how the user account is handled:

Example Configuration

```
SSO_ENABLED=true
REGULAR_LOGIN_DISABLED=true
SSO_AUTH0_ENABLED=true
SSO_AUTH0_BASE_URL=https://example.auth0.com/
SSO_AUTH0_CLIENT_ID=W+qVVdlLP32a2F.....
SSO_AUTH0_CLIENT_SECRET=U5qo0Le2stKK2vO87TTl.....
```

After adding this to your .env file, the regular login form vanishes and a button to log in with Auth0 shows up when users try to log in.

The callback URL is https://[[YOUR.LINKACE.INSTALL]]/auth/sso/[[SERVICE]]/callback. Replace [[SERVICE]] with whatever stands between SSO_ and _ENABLED in the provider's SSO_[[SERVICE]]_ENABLED setting in your .env file.


Provider Configuration

Generic OpenID Connect Provider

| Config | Default | Description |
| --- | --- | --- |
| `SSO_OIDC_ENABLED` | false | Enable SSO authentication for OIDC |
| `SSO_OIDC_BASE_URL` | | The OIDC base URL (see below for details) |
| `SSO_OIDC_CLIENT_ID` | | The OIDC client ID |
| `SSO_OIDC_CLIENT_SECRET` | | The OIDC client secret |
| `SSO_OIDC_SCOPES` | | Additional scopes sent to the OIDC provider |


The base URL must be set to the OpenID Configuration URL, but excluding the .well-known/openid-configuration part. Example: If https://auth.company.com/application/linkace/.well-known/openid-configuration is your OIDC configuration URL, then https://auth.company.com/application/linkace must be your base URL.
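A pre-deployment check for the settings described so far, as an added example that is not part of LinkAce or its documentation: it parses .env text, lists the enabled providers, and flags combinations that lock users out or leave a provider half-configured. Treating an empty client ID or secret as an error, and Google and GitHub as public providers worth reviewing while `SSO_REGISTRATION_ENABLED` is left at its default, are assumptions of this example.

```python
import re
WELL_KNOWN = ".well-known/openid-configuration"
PUBLIC_IDPS = {"GOOGLE", "GITHUB"}  # assumption: providers anyone can get an account at

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env

def is_true(env, key, default="false"):
    return env.get(key, default).lower() == "true"

def enabled_services(env):
    """Return each [[SERVICE]] whose SSO_[[SERVICE]]_ENABLED flag is true."""
    hits = (re.fullmatch(r"SSO_([A-Z0-9]+)_ENABLED", key) for key in env)
    return sorted(m.group(1) for m in hits
                  if m and m.group(1) != "REGISTRATION" and is_true(env, m.group(0)))

def audit(env):
    """Return findings for settings that lock users out or leave SSO half-configured."""
    findings, services = [], enabled_services(env)
    sso_on = is_true(env, "SSO_ENABLED")
    if is_true(env, "REGULAR_LOGIN_DISABLED") and not (sso_on and services):
        findings.append("lockout: regular login disabled without a usable SSO provider")
    if services and not sso_on:
        findings.append("provider enabled but SSO_ENABLED is not true")
    for svc in services:
        findings += [f"SSO_{svc}_{s} is empty" for s in ("CLIENT_ID", "CLIENT_SECRET")
                     if not env.get(f"SSO_{svc}_{s}")]
        if env.get(f"SSO_{svc}_BASE_URL", "").rstrip("/").endswith(WELL_KNOWN):
            findings.append(f"SSO_{svc}_BASE_URL must not include {WELL_KNOWN}")
        if svc in PUBLIC_IDPS and is_true(env, "SSO_REGISTRATION_ENABLED", "true"):
            findings.append(f"review: open registration with public provider {svc}")
    return findings

SAMPLE = """# constructed sample, not a real deployment
SSO_ENABLED=false
REGULAR_LOGIN_DISABLED=true
SSO_OIDC_ENABLED=true
SSO_OIDC_BASE_URL=https://auth.company.com/application/linkace/.well-known/openid-configuration
SSO_OIDC_CLIENT_ID=linkace
SSO_OIDC_CLIENT_SECRET=
"""
```

Calling `audit(parse_env(SAMPLE))` returns four findings for the constructed sample; the Auth0 example configuration shown earlier on this page returns none.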


Auth0

| Config | Default | Description |
| --- | --- | --- |
| `SSO_AUTH0_ENABLED` | false | Enable SSO authentication for Auth0 |
| `SSO_AUTH0_BASE_URL` | | The Auth0 base URL |
| `SSO_AUTH0_CLIENT_ID` | | The Auth0 client ID |
| `SSO_AUTH0_CLIENT_SECRET` | | The Auth0 client secret |


Authelia

OIDC with Authelia works with the generic OIDC config. The critical success factor is the Authelia config, where PKCE needs to be disabled.

configuration.yml (Authelia)

```yaml
identity_providers:
  oidc:
    clients:
      - client_id: 'linkace'
        client_name: 'linkace'
        client_secret: '[DIGEST OF SSO_OIDC_CLIENT_SECRET]'
        public: false
        authorization_policy: 'two_factor'
        require_pkce: false
        redirect_uris:
          - 'https://linkace.example.com/auth/sso/oidc/callback'
        scopes:
          - 'openid'
          - 'groups'
          - 'email'
          - 'profile'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
          - 'refresh_token'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
```

LinkAce configuration

| Config | Default | Description |
| --- | --- | --- |
| `SSO_OIDC_ENABLED` | false | Enable SSO authentication for OIDC |
| `SSO_OIDC_BASE_URL` | | The OIDC base URL (see the Generic OpenID Connect Provider section for details) |
| `SSO_OIDC_CLIENT_ID` | | The OIDC client ID |
| `SSO_OIDC_CLIENT_SECRET` | | The OIDC client secret |
| `SSO_OIDC_SCOPES` | | Additional scopes sent to the OIDC provider |


Authentik

| Config | Default | Description |
| --- | --- | --- |
| `SSO_AUTHENTIK_ENABLED` | false | Enable SSO authentication for Authentik |
| `SSO_AUTHENTIK_BASE_URL` | | The Authentik base URL |
| `SSO_AUTHENTIK_CLIENT_ID` | | The Authentik client ID |
| `SSO_AUTHENTIK_CLIENT_SECRET` | | The Authentik client secret |


AWS Cognito

| Config | Default | Description |
| --- | --- | --- |
| `SSO_COGNITO_ENABLED` | false | Enable SSO authentication for Cognito |
| `SSO_COGNITO_HOST` | | The Cognito base URL |
| `SSO_COGNITO_CLIENT_ID` | | The Cognito client ID |
| `SSO_COGNITO_CLIENT_SECRET` | | The Cognito client secret |
| `SSO_COGNITO_LOGIN_SCOPE` | | Comma-separated list of login scopes |
| `SSO_COGNITO_SIGN_OUT_URL` | | Where to redirect to in LinkAce after logging out |


FusionAuth

| Config | Default | Description |
| --- | --- | --- |
| `SSO_FUSIONAUTH_ENABLED` | false | Enable SSO authentication for FusionAuth |
| `SSO_FUSIONAUTH_BASE_URL` | | The FusionAuth base URL |
| `SSO_FUSIONAUTH_CLIENT_ID` | | The FusionAuth client ID |
| `SSO_FUSIONAUTH_CLIENT_SECRET` | | The FusionAuth client secret |


Google

| Config | Default | Description |
| --- | --- | --- |
| `SSO_GOOGLE_ENABLED` | false | Enable SSO authentication for Google |
| `SSO_GOOGLE_CLIENT_ID` | | The Google client ID |
| `SSO_GOOGLE_CLIENT_SECRET` | | The Google client secret |


GitHub

| Config | Default | Description |
| --- | --- | --- |
| `SSO_GITHUB_ENABLED` | false | Enable SSO authentication for GitHub |
| `SSO_GITHUB_CLIENT_ID` | | The GitHub client ID |
| `SSO_GITHUB_CLIENT_SECRET` | | The GitHub client secret |


GitLab

| Config | Default | Description |
| --- | --- | --- |
| `SSO_GITLAB_ENABLED` | false | Enable SSO authentication for GitLab |
| `SSO_GITLAB_HOST` | https://gitlab.com | The GitLab base URL |
| `SSO_GITLAB_BASE_URL` | | The GitLab base URL |
| `SSO_GITLAB_CLIENT_ID` | | The GitLab client ID |
| `SSO_GITLAB_CLIENT_SECRET` | | The GitLab client secret |


Keycloak

| Config | Default | Description |
| --- | --- | --- |
| `SSO_KEYCLOAK_ENABLED` | false | Enable SSO authentication for Keycloak |
| `SSO_KEYCLOAK_BASE_URL` | | The Keycloak base URL |
| `SSO_KEYCLOAK_CLIENT_ID` | | The Keycloak client ID |
| `SSO_KEYCLOAK_CLIENT_SECRET` | | The Keycloak client secret |
| `SSO_KEYCLOAK_REALM` | | The Keycloak realm |


Microsoft Azure

| Config | Default | Description |
| --- | --- | --- |
| `SSO_AZURE_ENABLED` | false | Enable SSO authentication for Azure |
| `SSO_AZURE_CLIENT_ID` | | The Azure client ID |
| `SSO_AZURE_CLIENT_SECRET` | | The Azure client secret |
| `SSO_AZURE_TENANT_ID` | | The Azure tenant ID |


Okta

| Config | Default | Description |
| --- | --- | --- |
| `SSO_OKTA_ENABLED` | false | Enable SSO authentication for Okta |
| `SSO_OKTA_BASE_URL` | | The Okta base URL |
| `SSO_OKTA_CLIENT_ID` | | The Okta client ID |
| `SSO_OKTA_CLIENT_SECRET` | | The Okta client secret |


Zitadel

| Config | Default | Description |
| --- | --- | --- |
| `SSO_ZITADEL_ENABLED` | false | Enable SSO authentication for Zitadel |
| `SSO_ZITADEL_CLIENT_ID` | | The Zitadel Client ID |
| `SSO_ZITADEL_CLIENT_SECRET` | | The Zitadel Client Secret |
| `SSO_ZITADEL_BASE_URL` | | The Zitadel base URL |
| `SSO_ZITADEL_ORGANIZATION_ID` | | The Zitadel organization ID |
| `SSO_ZITADEL_PROJECT_ID` | | The Zitadel project ID |
| `SSO_ZITADEL_POST_LOGOUT_REDIRECT_URI` | / | Where to redirect to in LinkAce after logging out |

