RomM supports OpenID Connect (OIDC) for single sign-on, allowing users to authenticate through any compliant identity provider instead of, or in addition to, local username/password accounts. Once configured, a Sign in with <Provider> button appears on the RomM login page, and optionally RomM can skip its own login page entirely and redirect straight to your identity provider.
Prerequisites
Before configuring OIDC in RomM you need:
- A running OIDC-compliant identity provider (Authelia, Authentik, Keycloak, Okta, Google, etc.)
- A client application registered in that provider with:
  - An allowed redirect URI pointing back to RomM: https://<your-romm-url>/api/oauth/openid
  - The openid, profile, and email scopes enabled (exact names vary by provider)
- The client ID and client secret from the provider
Configuration
Set the following environment variables in your RomM container. All variables must be provided for OIDC to function.
Required Variables
- Master switch. Set to true to activate OIDC authentication.
- The client ID issued by your identity provider when you registered the RomM application.
- The client secret issued by your identity provider.
- The absolute callback URL RomM registers with the provider. Must be reachable by the user's browser after authentication.
- The base URL of your OIDC server application (e.g. https://auth.example.com). Used when constructing authorization URLs.
- OIDC_SERVER_METADATA_URL: the full URL to your provider's OpenID Connect discovery document. Most providers expose this at <issuer>/.well-known/openid-configuration.
Optional Behaviour Variables
- Display name of the identity provider shown on the RomM login button (e.g. Authentik, Authelia, Google). If omitted the button reads Sign in with OIDC.
- OIDC_AUTOLOGIN: when true, RomM skips its own login page and immediately redirects the browser to the OIDC provider. Combine with DISABLE_USERPASS_LOGIN=true for a fully SSO-driven experience.
- When true, a new RomM user account is created automatically the first time someone authenticates via OIDC. When false, only pre-existing RomM accounts can log in via OIDC.
- The OIDC claim used as the RomM username. Change this if your provider uses a different attribute (e.g. sub, email, or a custom claim).
Role Mapping
RomM can automatically assign roles to OIDC users based on claims your identity provider includes in the token. This lets you manage RomM access entirely from your IdP.
- OIDC_CLAIM_ROLES: the name of the OIDC claim that carries the user's roles (e.g. groups, roles, or a custom claim name configured in your provider).
- The claim value that maps to the user role with viewer-level access (legacy label still accepted by the role coercion logic).
- The claim value that maps to the user role with editor-level access (legacy label still accepted).
- The claim value that maps to the RomM admin role. Users whose roles claim contains this value will receive full administrative access.
If OIDC_CLAIM_ROLES is not set, or if the claim is absent from the token, RomM falls back to the default user role for new accounts. Existing users retain whatever role they already have.
For example, with the admin claim value set to romm-admins, members of the romm-admins group in your IdP will be assigned the admin role in RomM on login.
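The role-mapping rules above, written out as a small Python function. This is an added illustration, not RomM's own code: RoleMappingConfig and its field names are placeholders for the four settings (only OIDC_CLAIM_ROLES is the real variable name), and both the precedence between mapped values and the handling of a claim that matches nothing are assumptions.

```python
from dataclasses import dataclass
from typing import Any, Optional

DEFAULT_ROLE = "viewer"
LEGACY_LABELS = {"user": "viewer"}  # legacy "user" label is still accepted

# Hypothetical settings holder: only OIDC_CLAIM_ROLES is RomM's real variable
# name; the three value fields stand in for the settings described above.
@dataclass(frozen=True)
class RoleMappingConfig:
    claim_roles: Optional[str]   # OIDC_CLAIM_ROLES, e.g. "groups"
    viewer_value: Optional[str]  # claim value mapped to the viewer role
    editor_value: Optional[str]  # claim value mapped to the editor role
    admin_value: Optional[str]   # claim value mapped to the admin role

def normalize_role(label: str) -> str:
    """Coerce a stored role label, mapping the legacy 'user' label to viewer."""
    return LEGACY_LABELS.get(label.lower(), label.lower())

def roles_from_claims(claims: dict[str, Any], claim_name: str) -> Optional[list[str]]:
    """Roles claim as a list (string or array of strings); None if absent or malformed."""
    raw = claims.get(claim_name)
    if isinstance(raw, str):
        return [raw]
    if isinstance(raw, list) and all(isinstance(v, str) for v in raw):
        return raw
    return None

def resolve_role(claims: dict[str, Any], cfg: RoleMappingConfig,
                 existing_role: Optional[str] = None) -> str:
    """Role for this login. Without OIDC_CLAIM_ROLES, or without the claim in
    the token, existing users keep their role and new users get the default
    (the documented fallback). With the claim, the most privileged mapped value
    wins, and no match demotes to the default so an IdP group removal takes
    effect at the next login (both assumptions, not documented RomM behaviour)."""
    fallback = normalize_role(existing_role) if existing_role else DEFAULT_ROLE
    if cfg.claim_roles is None:
        return fallback
    values = roles_from_claims(claims, cfg.claim_roles)
    if values is None:
        return fallback
    for mapped_value, role in ((cfg.admin_value, "admin"),
                               (cfg.editor_value, "editor"),
                               (cfg.viewer_value, "viewer")):
        if mapped_value is not None and mapped_value in values:
            return role
    return DEFAULT_ROLE

# Constructed sample ID-token claims and settings, not from a real provider.
SAMPLE_CLAIMS = {"sub": "1234", "groups": ["staff", "romm-admins"]}
SAMPLE_CFG = RoleMappingConfig("groups", "romm-viewers", "romm-editors", "romm-admins")
```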
Advanced Settings
- Path (inside the container) to a PEM file containing trusted CA certificates. Use this when your OIDC server uses a private or self-signed certificate that is not in the default trust store. Mount the certificate into the container via a Docker volume.
- When true, clicking Logout in RomM also terminates the session at the identity provider using the RP-Initiated Logout specification. RomM returns the provider's end-session URL to the browser, which then redirects there with an id_token_hint.
- Manually override the end-session endpoint URL used for RP-initiated logout. If not set, RomM discovers it from the provider's metadata document. Only needed if your provider exposes a non-standard endpoint.
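An added example, not RomM's code, of the logout flow described above: the end-session endpoint is taken from the manual override if set, otherwise from the discovery document, and the browser redirect URL is built with id_token_hint. The discovery document is constructed, the function names are mine, and post_logout_redirect_uri is the optional standard parameter of the RP-Initiated Logout specification, not something this page says RomM sends.

```python
import json
from urllib.parse import urlencode, urlsplit

# Constructed, trimmed discovery document of the kind a provider serves at
# <issuer>/.well-known/openid-configuration (not fetched from a real IdP).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/authorize",
    "token_endpoint": "https://auth.example.com/token",
    "end_session_endpoint": "https://auth.example.com/logout",
})

def end_session_endpoint(metadata_json: str, override: str = "") -> str:
    """Endpoint used for RP-initiated logout: the manual override wins,
    otherwise it is read from the discovery document. Returns "" when
    neither is available (the provider does not support RP-initiated logout)."""
    if override:
        return override
    return str(json.loads(metadata_json).get("end_session_endpoint") or "")

def rp_logout_url(endpoint: str, id_token: str, post_logout_redirect_uri: str = "") -> str:
    """Build the URL the browser is redirected to. id_token_hint is what the
    page describes; post_logout_redirect_uri is the optional standard parameter
    from the RP-Initiated Logout spec (not mentioned on the page)."""
    parts = urlsplit(endpoint)
    # Refuse to send the ID token to a non-HTTPS or relative endpoint: it
    # travels in the query string, so a misconfigured override would leak it.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing insecure end-session endpoint: {endpoint!r}")
    if not id_token:
        raise ValueError("id_token_hint requires the ID token received at login")
    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    separator = "&" if parts.query else "?"
    return f"{endpoint}{separator}{urlencode(params)}"

def logout_redirect(metadata_json: str, id_token: str,
                    override: str = "", post_logout_redirect_uri: str = "") -> str:
    """Whole flow: pick the endpoint, then build the redirect URL."""
    endpoint = end_session_endpoint(metadata_json, override)
    if not endpoint:
        raise ValueError("provider exposes no end_session_endpoint; set the override")
    return rp_logout_url(endpoint, id_token, post_logout_redirect_uri)
```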
Provider Examples
Authentik
1. Create an OAuth2/OIDC provider in Authentik
- Navigate to Applications → Providers → Create and choose OAuth2/OpenID Connect Provider.
- Set the Redirect URI to https://romm.example.com/api/oauth/openid.
- Copy the Client ID and Client Secret.
The OIDC_SERVER_METADATA_URL path in Authentik follows the pattern <authentik-url>/application/o/<slug>/.well-known/openid-configuration, where <slug> is the application slug you configured.
Docker Compose Example
Add the OIDC environment variables to the romm service in your docker-compose.yml:
Forcing SSO-Only Access
To remove the username/password login form entirely and require all users to authenticate through your identity provider, set both OIDC_AUTOLOGIN=true and DISABLE_USERPASS_LOGIN=true. With OIDC_AUTOLOGIN=true, visiting the RomM login page immediately issues a redirect to the OIDC provider; users never see the RomM login form. With DISABLE_USERPASS_LOGIN=true, any direct attempt to call the /login or /token endpoints with a password is rejected.
Even with DISABLE_USERPASS_LOGIN=true, the first admin account still needs to be created before OIDC login is possible. Either use the first-boot setup wizard before enabling this flag, or create the admin via the API with a temporary password, then set the flag.