| Setting | Default | Description |
| --- | --- | --- |
| `oidc.enabled` | `false` | Enables OIDC login. When false, every other OIDC field is ignored. |
| `oidc.issuer` | required if enabled | Identity-provider issuer URL. DayMug discovers `/.well-known/openid-configuration` from it. |
| `oidc.client_id` | required if enabled | OAuth client ID issued by the IdP for this DayMug app. |
| `oidc.client_secret` | required if enabled | OAuth client secret. Store the real value only in private config, never in public examples or screenshots. |
| `oidc.redirect_uri` | required if enabled | Callback URL registered with the IdP. It must exactly match the public app URL plus `/api/auth/oidc/callback`. |
| `oidc.scopes` | `openid, profile, email` | OAuth scopes requested. Keep `profile` when using Casdoor so groups, roles, and permissions are available. |
| `oidc.group_claim` | `groups` | Claim name DayMug reads for group membership. |
| `oidc.role_claim` | `roles` | Claim name DayMug reads for role membership. |
| `oidc.permission_claim` | `permissions` | Claim name DayMug reads for permission membership. |
| `oidc.required_groups` | `[]` | Allowed group values. If any required list is non-empty, a user needs at least one match in one configured dimension. |
| `oidc.required_roles` | `[]` | Allowed role values. Empty means this dimension does not restrict access. |
| `oidc.required_permissions` | `[]` | Allowed permission values. With all required lists empty, any authenticated IdP user may enter subject to provisioning. |
| `oidc.auto_provision` | `true` | Creates a local non-admin user on first successful OIDC login when no local user matches the email. False makes OIDC a closed allowlist. |
| `oidc.button_label` | Sign in with SSO | Text shown on the login page SSO button. |
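
The required lists combine as an OR across dimensions, which is easy to misread as an AND. The sketch below is an added example, not DayMug's own code; the function names, the decision strings, the order of checks, and the claim shape (a string or a list of strings) are assumptions.

```python
# Added illustration of the documented access rule; not DayMug's implementation.
# Each entry: (claim-name key, its documented default, required-list key).
DIMENSIONS = (
    ("group_claim", "groups", "required_groups"),
    ("role_claim", "roles", "required_roles"),
    ("permission_claim", "permissions", "required_permissions"),
)

def claim_values(claims, name):
    """Normalize a claim to a set of strings (assumed: a string or a list)."""
    raw = claims.get(name)
    if isinstance(raw, str):
        return {raw}
    if isinstance(raw, (list, tuple)):
        return {v for v in raw if isinstance(v, str)}
    return set()

def passes_required_lists(cfg, claims):
    """True if all lists are empty, or any configured dimension has a match."""
    active = [(cfg.get(ck, default), set(cfg.get(rk) or []))
              for ck, default, rk in DIMENSIONS]
    active = [(claim, req) for claim, req in active if req]
    if not active:
        return True
    return any(claim_values(claims, claim) & req for claim, req in active)

def login_decision(cfg, claims, local_emails):
    """Assumed order: claim check first, then local-user lookup by email."""
    if not cfg.get("enabled", False):
        return "oidc-disabled"
    if not passes_required_lists(cfg, claims):
        return "denied-claims"
    if claims.get("email") in local_emails:
        return "login-existing"
    if cfg.get("auto_provision", True):
        return "provision-non-admin"
    return "denied-no-local-user"

# Constructed sample data.
CFG = {"enabled": True, "required_groups": ["staff"],
       "required_roles": ["editor"], "auto_provision": False}
EDITOR = {"email": "a@example.test", "groups": ["contractors"], "roles": ["editor"]}
VIEWER = {"email": "b@example.test", "groups": ["contractors"], "roles": "viewer"}

if __name__ == "__main__":
    for user in (EDITOR, VIEWER):
        print(user["email"], login_decision(CFG, user, {"b@example.test"}))
```

The `EDITOR` sample is outside the `staff` group yet still passes the claim check on its role alone, so a deployment that needs both conditions cannot express that with these lists and has to enforce the combination at the IdP.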