dependency-track/docs/_docs/getting-started/openidconnect-configuration.md

---
title: OpenID Connect Configuration
category: Getting Started
chapter: 1
order: 9
---

Generally, Dependency-Track can be used with any identity provider that implements the [OpenID Connect standard](https://openid.net/connect/).
connect2id maintains a list of [public OpenID Connect Identity Providers](https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/openid-connect-providers).
Although usage with public providers is technically possible, it's strongly recommended to only use providers
that you or your organization have full control over. Misconfiguration may allow third parties to gain access to
your Dependency-Track instance!

Dependency-Track has been tested with multiple OpenID Connect identity providers. The following are
some example configurations that are known to work. If you find that the provider of your choice does not work
with Dependency-Track, please [file an issue](https://github.com/DependencyTrack/dependency-track/issues).

#### GitLab (gitlab.com)

```ini
alpine.oidc.enabled=true
alpine.oidc.issuer=https://gitlab.com
alpine.oidc.user.provisioning=true
alpine.oidc.username.claim=nickname
alpine.oidc.team.synchronization=true
alpine.oidc.always.sync.teams=true
alpine.oidc.teams.claim=groups
```

Please refer to the official documentation on [how to use GitLab as OpenID Connect Identity Provider](https://docs.gitlab.com/ee/integration/openid_connect_provider.html).

#### Keycloak

```ini
alpine.oidc.enabled=true
alpine.oidc.issuer=http://localhost:8080/auth/realms/master
alpine.oidc.user.provisioning=true
alpine.oidc.username.claim=preferred_username
alpine.oidc.team.synchronization=true
alpine.oidc.always.sync.teams=true
alpine.oidc.teams.claim=groups
```

Keycloak does not include group or role information in its UserInfo endpoint per default. If you want to use 
Dependency-Track's team synchronization feature, you'll have to create a mapper for the Dependency-Track client:

![Mapper creation](/images/screenshots/oidc-keycloak-groups-mapping.png)

Depending on your setup you would use the mapper types `Group Membership` (as shown above) or `User Realm Role`.
Make sure `Add to userinfo` is enabled.
Add first draft of OpenID Connect documentation 2020-03-12 22:37:35 +01:00			`---`
			`title: OpenID Connect Configuration`
			`category: Getting Started`
			`chapter: 1`
			`order: 9`
			`---`

Update OIDC documentation; Add default config 2020-03-21 21:09:41 +01:00			`Generally, Dependency-Track can be used with any identity provider that implements the [OpenID Connect standard](https://openid.net/connect/).`
OpenID Connect config documentation 2020-03-17 19:08:08 +01:00			`connect2id maintains a list of [public OpenID Connect Identity Providers](https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/openid-connect-providers).`
			`Although usage with public providers is technically possible, it's strongly recommended to only use providers`
			`that you or your organization have full control over. Misconfiguration may allow third parties to gain access to`
			`your Dependency-Track instance!`
Add first draft of OpenID Connect documentation 2020-03-12 22:37:35 +01:00
Update OIDC documentation; Add default config 2020-03-21 21:09:41 +01:00			`Dependency-Track has been tested with multiple OpenID Connect identity providers. The following are`
OpenID Connect config documentation 2020-03-17 19:08:08 +01:00			`some example configurations that are known to work. If you find that the provider of your choice does not work`
			`with Dependency-Track, please [file an issue](https://github.com/DependencyTrack/dependency-track/issues).`
Add first draft of OpenID Connect documentation 2020-03-12 22:37:35 +01:00
			`#### GitLab (gitlab.com)`

			```ini
OpenID Connect config documentation 2020-03-17 19:08:08 +01:00			`alpine.oidc.enabled=true`
Discovery URI -> Issuer 2020-03-22 19:23:30 +01:00			`alpine.oidc.issuer=https://gitlab.com`
OpenID Connect config documentation 2020-03-17 19:08:08 +01:00			`alpine.oidc.user.provisioning=true`
Add first draft of OpenID Connect documentation 2020-03-12 22:37:35 +01:00			`alpine.oidc.username.claim=nickname`
OpenID Connect config documentation 2020-03-17 19:08:08 +01:00			`alpine.oidc.team.synchronization=true`
			`alpine.oidc.always.sync.teams=true`
Add first draft of OpenID Connect documentation 2020-03-12 22:37:35 +01:00			`alpine.oidc.teams.claim=groups`
			```

			`Please refer to the official documentation on [how to use GitLab as OpenID Connect Identity Provider](https://docs.gitlab.com/ee/integration/openid_connect_provider.html).`

			`#### Keycloak`

			```ini
OpenID Connect config documentation 2020-03-17 19:08:08 +01:00			`alpine.oidc.enabled=true`
Discovery URI -> Issuer 2020-03-22 19:23:30 +01:00			`alpine.oidc.issuer=http://localhost:8080/auth/realms/master`
OpenID Connect config documentation 2020-03-17 19:08:08 +01:00			`alpine.oidc.user.provisioning=true`
Add first draft of OpenID Connect documentation 2020-03-12 22:37:35 +01:00			`alpine.oidc.username.claim=preferred_username`
OpenID Connect config documentation 2020-03-17 19:08:08 +01:00			`alpine.oidc.team.synchronization=true`
			`alpine.oidc.always.sync.teams=true`
Fix typo 2020-04-11 12:21:44 +02:00			`alpine.oidc.teams.claim=groups`
Add first draft of OpenID Connect documentation 2020-03-12 22:37:35 +01:00			```

OpenID Connect config documentation 2020-03-17 19:08:08 +01:00			`Keycloak does not include group or role information in its UserInfo endpoint per default. If you want to use`
			`Dependency-Track's team synchronization feature, you'll have to create a mapper for the Dependency-Track client:`

			`![Mapper creation](/images/screenshots/oidc-keycloak-groups-mapping.png)`

			Depending on your setup you would use the mapper types `Group Membership` (as shown above) or `User Realm Role`.
Update OIDC documentation; Add default config 2020-03-21 21:09:41 +01:00			Make sure `Add to userinfo` is enabled.