OIDC Plugin

Enterprise Feature

This feature is available exclusively in the Enterprise edition of the Radicalbit AI Gateway. Contact sales for licensing information.

The OIDC plugin provides OpenID Connect-based Single Sign-On for all admin and registry APIs in the gateway. It is a standardized plugin that works with any compatible IDP plugin — currently the Keycloak IDP Plugin is the supported implementation.

How It Fits

The access control system is composed of two independent plugins:

IDP Plugin (e.g. Keycloak) — handles user/group sync, RBAC, and token validation. This is the pluggable part: different identity providers can be supported.
OIDC Plugin — handles SSO session management for the admin interface via the standard OpenID Connect protocol. This stays the same regardless of which IDP plugin is used.

tip

If you need integration with an identity provider other than Keycloak, contact sales to discuss a custom IDP plugin. The OIDC plugin will work with any IDP plugin out of the box.

Prerequisites

A compatible IDP plugin must be enabled and configured first (currently keycloak_idp)
An OIDC client configured in your identity provider

Enabling the Plugin

export ENABLED_PLUGINS="registry_oidc_auth"

The plugin is typically enabled alongside an IDP plugin:

export ENABLED_PLUGINS="keycloak_idp,registry_oidc_auth"

Environment Variables

Variable	Required	Default	Description
`OIDC_CLIENT_ID`	Yes	—	Client ID of the OIDC client configured in your identity provider
`OIDC_SECRET_KEY`	Yes	—	Client secret from your identity provider
`OIDC_SERVER_METADATA_URL`	Yes	—	OIDC discovery metadata URL (e.g. `http://keycloak:8080/realms/gateway/.well-known/openid-configuration`)
`SESSION_SECRET_KEY`	No	`session-secret-key`	Key used to encrypt session cookies

Authentication Flow

The plugin implements a standard OIDC Authorization Code flow:

Users are redirected to the identity provider's login page. After successful authentication, the gateway:

Exchanges the authorization code for tokens
Verifies the user exists in the local user table with an assigned role
Sets HttpOnly, secure cookies:
- access_token — 1 day expiration
- refresh_token — 30 day expiration
- id_token — 1 day expiration

Token Validation

For every request to admin endpoints, the middleware:

Extracts the access_token cookie
Calls the OIDC userinfo endpoint to validate the token
Verifies the user exists in the local user table with a role
If the access token is expired, attempts to refresh it using the refresh_token
If refresh fails, clears cookies and returns 401 Unauthorized

Logout

Users can initiate logout via /auth/logout. The gateway:

Terminates the SSO session by redirecting to the identity provider's end session endpoint
Clears all authentication cookies

Dependencies

authlib==1.3.1 — installed automatically from requirements.txt when the plugin is enabled
itsdangerous>=2.1.0 — installed automatically from requirements.txt when the plugin is enabled
python-dotenv==1.0.1 — installed automatically from requirements.txt when the plugin is enabled

Next Steps

Keycloak IDP Plugin — Configure Keycloak integration and user sync
Access Control Overview — Review the roles and architecture

How It Fits​

Prerequisites​

Enabling the Plugin​

Environment Variables​

Authentication Flow​

Login​

Token Validation​

Logout​

Dependencies​

Next Steps​