Authentication
ricochet uses OpenID Connect (OIDC) for authentication, allowing you to integrate with any OIDC-compliant identity provider.
Requirements
The OIDC provider must support:
- Claims: email and profile
- Grant Type: Authorization Code Flow
ricochet uses the subject identifier (sub) as the unique user ID.
The email claim is collected for future SMTP integrations.
Configuration
Add the following to your ricochet-config.toml:

```toml
[auth.oidc]
issuer_url = "https://auth.example.com/"
client_id = "your_client_id"
client_secret = "your_client_secret"
redirect_url = "https://your-ricochet-domain.com/oauth/callback"
display_name_claim = "preferred_username" # Optional, defaults to "preferred_username"
```

Configuration Fields
| Field | Required | Description |
|---|---|---|
| issuer_url | Yes | Your OIDC provider’s issuer URL. Must start with https:// |
| client_id | Yes | OAuth client ID from your OIDC provider |
| client_secret | Yes | OAuth client secret from your OIDC provider |
| redirect_url | Yes | Callback URL where users are redirected after authentication. Must be https://your-domain/oauth/callback |
| display_name_claim | No | OIDC claim to use for the display name. Defaults to preferred_username |
Microsoft Entra ID (Azure AD)
When using Microsoft Entra ID, you must use the v2.0 issuer URL.
The v1 issuer (https://sts.windows.net/{tenant-id}/) returns a non-standard discovery document that is incompatible with ricochet’s OIDC client.

```toml
[auth.oidc]
issuer_url = "https://login.microsoftonline.com/{tenant-id}/v2.0"
client_id = "your_client_id"
client_secret = "your_client_secret"
redirect_url = "https://your-ricochet-domain.com/oauth/callback"
```

Replace {tenant-id} with your Azure tenant ID.
Requiring Authentication
By default, unauthenticated users can browse the “Explore” page and view public content.
To require authentication for all access, enable the require_authentication option:

```toml
[auth]
require_authentication = true
```

Or via environment variable:

```shell
RICOCHET_AUTH__REQUIRE_AUTHENTICATION=true
```

Behavior
| Setting | Unauthenticated User Access |
|---|---|
| require_authentication=false | Can view Explore page and public content only |
| require_authentication=true | Redirected to sign-in page on all routes |
When require_authentication is enabled, users see a full-screen login page with SSO sign-in.
When disabled (the default), unauthenticated users can browse public content but see a sign-in prompt in the sidebar to access protected features like deployment, API keys, and settings.