OpenID Connect login
ReaperCI can add one optional OpenID Connect authorization-code login alongside local passwords and TOTP. OIDC is deliberately invite-gated: provider claims never create a workspace user or choose a role.
Configure the provider
Register this exact redirect URI with the identity provider:
https://ci.example.com/api/auth/oidc/callback
Set all three required values in the protected ReaperCI environment file. The button label is optional:
REAPERCI_OIDC_ISSUER=https://identity.example.com
REAPERCI_OIDC_CLIENT_ID=reaperci
REAPERCI_OIDC_CLIENT_SECRET=replace-with-provider-secret
REAPERCI_OIDC_NAME=Company Login
REAPERCI_EXTERNAL_URL must also contain the public ReaperCI URL. The issuer
must use HTTPS except for an explicit loopback development issuer. ReaperCI
performs provider discovery during startup and fails closed if configured
discovery cannot be completed.
For the production Compose bundle, append these values to
/opt/reaperci/.env, keep that file mode 0600, and run:
docker compose --env-file /opt/reaperci/.env -f /opt/reaperci/compose.yaml up -d
Invite and sign in
- Invite the teammate from Settings > Team & security using the same email address the identity provider returns.
- The teammate accepts the invitation once, creating the ReaperCI username and workspace role.
- On Settings, choose Continue with Company Login.
- ReaperCI requires an
email_verified=trueID-token claim and a unique, active workspace user with that email.
On first success, ReaperCI binds the exact provider issuer and immutable subject to that user. Later logins use that binding rather than trusting a possibly reassigned email address. A second subject cannot bind to the same user at the same issuer. Disabling the ReaperCI user immediately blocks OIDC login and existing dashboard sessions.
The bootstrap owner may continue using the local password. To use OIDC for an owner, create an invited owner account with the verified provider email; owner invitations and owner-role changes remain restricted to an existing owner.
Owners and admins can review opaque provider bindings under Settings > Team & security > OpenID Connect identities. ReaperCI does not expose provider subjects in the API or dashboard. Unlinking an identity also revokes every current dashboard session for that user; the user may link again only through the normal verified-email flow.
Security properties
- Authorization Code flow with a fresh PKCE S256 verifier on every attempt.
- Random state stored hashed in SQLite, bound to an HttpOnly SameSite=Lax browser cookie, expired after ten minutes, and consumed exactly once.
- ID-token signature, issuer, audience, expiry, subject, verified email, and nonce validation.
- No automatic role mapping or just-in-time user provisioning.
- Successful identity links and logins, plus failed callback stages, are recorded in the append-only audit log without tokens or authorization codes.
- Local password and TOTP login remains available as a recovery path.
Local ReaperCI TOTP is not applied as an additional factor after a successful OIDC login. Require MFA at the identity provider for users who sign in through OIDC.