Authentication

Norish supports password auth, OIDC, and the GitHub and Google OAuth providers. You configure one provider to bootstrap the first sign-in; everything else can be managed later from Settings → Admin.

First user

The first user to sign in becomes the server owner and server admin. After that first sign-in:

  • User registration is disabled automatically.
  • Ongoing auth providers and policies are managed in Settings → Admin.

So before starting Norish, configure exactly one of the providers below.

Callback URLs

When registering an OAuth/OIDC application, use these callback URLs (replace the host with your AUTH_URL):

Provider   Callback URL
OIDC       https://example.norish-domain.com/api/auth/oauth2/callback/oidc
GitHub     https://example.norish-domain.com/api/auth/callback/github
Google     https://example.norish-domain.com/api/auth/callback/google

Password auth

Email & password sign-in, no external identity provider required. It's a safe, fully supported option for production — not just local testing. It is enabled automatically when no other provider is configured; set PASSWORD_AUTH_ENABLED explicitly to force it on or off.

Variable                 Description                             Default
PASSWORD_AUTH_ENABLED    Enable email/password auth bootstrap    Auto

OIDC

Connect any OpenID Connect provider (Authentik, Keycloak, Auth0, Zitadel, …).

docker-compose.yml (environment)

    OIDC_NAME: NoraId
    OIDC_ISSUER: https://auth.example.com
    OIDC_CLIENT_ID: <client-id>
    OIDC_CLIENT_SECRET: <client-secret>
    OIDC_WELLKNOWN: https://auth.example.com/.well-known/openid-configuration

Variable              Description                                           Default
OIDC_NAME             Display name for the OIDC provider                    (empty)
OIDC_ISSUER           OIDC issuer URL                                       (empty)
OIDC_CLIENT_ID        OIDC client id                                        (empty)
OIDC_CLIENT_SECRET    OIDC client secret                                    (empty)
OIDC_WELLKNOWN        Well-known URL (derived from the issuer if omitted)   Derived

OIDC claim mapping

Optionally map OIDC group claims to the server admin role and to household auto-join. The variables below other than OIDC_CLAIM_MAPPING_ENABLED are only used when claim mapping is enabled.

Variable                       Description                                         Default
OIDC_CLAIM_MAPPING_ENABLED     Enable claim-based role and household assignment    false
OIDC_SCOPES                    Additional OIDC scopes (comma-separated)            (empty)
OIDC_GROUPS_CLAIM              Claim name containing group memberships             groups
OIDC_ADMIN_GROUP               Group name that grants the server admin role        norish_admin
OIDC_HOUSEHOLD_GROUP_PREFIX    Prefix for household auto-join groups               norish_household_
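The following is an added illustrative model of the claim-mapping rules described above; it is not Norish's own code. It assumes a decoded ID token is available as a dict, that the household name is the group name with the prefix stripped, and that an empty prefix should map nothing rather than every group.

```python
# Model (not Norish's code) of how the OIDC claim-mapping variables turn an
# ID token's group claim into an admin decision and a household auto-join list.
from dataclasses import dataclass, field

# Defaults taken from the configuration table on this page.
DEFAULTS = {
    "OIDC_CLAIM_MAPPING_ENABLED": "false",
    "OIDC_GROUPS_CLAIM": "groups",
    "OIDC_ADMIN_GROUP": "norish_admin",
    "OIDC_HOUSEHOLD_GROUP_PREFIX": "norish_household_",
}


@dataclass
class Mapping:
    is_admin: bool = False
    households: list[str] = field(default_factory=list)


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "yes", "on"}


def map_claims(env: dict[str, str], claims: dict) -> Mapping:
    cfg = {**DEFAULTS, **env}
    if not _truthy(cfg["OIDC_CLAIM_MAPPING_ENABLED"]):
        return Mapping()  # mapping disabled: no claim-derived privileges at all
    raw = claims.get(cfg["OIDC_GROUPS_CLAIM"])
    if isinstance(raw, str):
        groups = [raw]  # assumption: some IdPs send a bare string for one group
    elif isinstance(raw, list):
        groups = [g for g in raw if isinstance(g, str)]
    else:
        return Mapping()  # claim absent or malformed: fail closed
    prefix = cfg["OIDC_HOUSEHOLD_GROUP_PREFIX"]
    households = []
    if prefix:  # an empty prefix would otherwise match every group (assumed guard)
        households = [g[len(prefix):] for g in groups
                      if g.startswith(prefix) and len(g) > len(prefix)]
    # Admin is an exact group-name match, never a prefix match.
    is_admin = cfg["OIDC_ADMIN_GROUP"] in groups
    return Mapping(is_admin=is_admin, households=households)


# Constructed sample: a decoded ID token payload from an IdP that emits groups.
SAMPLE_CLAIMS = {"sub": "u123", "email": "cook@example.com",
                 "groups": ["norish_household_smith", "norish_admin", "staff"]}

if __name__ == "__main__":
    print(map_claims({"OIDC_CLAIM_MAPPING_ENABLED": "true"}, SAMPLE_CLAIMS))
```

Note that with the default OIDC_CLAIM_MAPPING_ENABLED=false the same token grants nothing, so a group a user carries in the IdP only matters once mapping is switched on.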

GitHub

Create an OAuth app at GitHub → Settings → Developer settings → OAuth Apps and use the GitHub callback URL above.

Variable                Description                   Default
GITHUB_CLIENT_ID        GitHub OAuth client id        (empty)
GITHUB_CLIENT_SECRET    GitHub OAuth client secret    (empty)

Google

Create an OAuth client in the Google Cloud console and use the Google callback URL above.

Variable                Description                   Default
GOOGLE_CLIENT_ID        Google OAuth client id        (empty)
GOOGLE_CLIENT_SECRET    Google OAuth client secret    (empty)

Public URL

OAuth callbacks need Norish to know its public URL. Make sure AUTH_URL is set correctly — see Server & runtime.