Generic OIDC Provider

A checklist for connecting NeMo Platform to any OIDC-compliant identity provider not covered by the Azure AD page.

Prerequisites: Familiarity with OIDC Setup.

Provider Checklist

Verify your IdP meets these requirements:

Supports OpenID Connect (not just OAuth2)
Exposes a .well-known/openid-configuration discovery document
Supports the device authorization grant (required for nemo auth login)
Allows creating custom API scopes (platform:read, platform:write)
Includes email (or equivalent claim) in access tokens
Supports JWKS for token signature validation

Configuration Template

1 auth:
2  enabled: true
3  oidc:
4  enabled: true
5  issuer: "<your-idp-issuer-url>"
6  client_id: "<your-client-id>"
7  # Uncomment and adjust if your IdP uses non-standard claim names:
8  # email_claim: "email"
9  # subject_claim: "sub"
10  # groups_claim: "groups"
11  # Uncomment if your IdP prefixes scopes:
12  # scope_prefix: "<prefix>/"
13  default_scopes: "openid profile email offline_access platform:read platform:write"

Claim Mapping Reference

IdP	Email Claim	Subject Claim	Groups Claim
Azure AD	`upn`	`oid`	`groups`
Okta	`email`	`sub`	`groups`
Keycloak	`email`	`sub`	`groups`
Auth0	`email`	`sub`	custom
Google Workspace	`email`	`sub`	N/A
Generic OIDC	`email`	`sub`	`groups`

OIDC Setup — Full OIDC configuration guide.
OIDC Setup — Claim mapping — JWT claims vs config defaults.
Auth Configuration — Full config reference.

Provider Checklist

Configuration Template

Claim Mapping Reference

Related