
Single Sign-On (SSO)

Frona AI supports single sign-on through OpenID Connect (OIDC). This lets users log in with their existing identity provider (Google, Okta, Auth0, Keycloak, etc.).

Set these environment variables to enable SSO:

Variable | Description
--- | ---
FRONA_SSO_ISSUER_URL | The OIDC issuer URL (e.g., https://accounts.google.com)
FRONA_SSO_CLIENT_ID | Your OIDC client ID
FRONA_SSO_CLIENT_SECRET | Your OIDC client secret
FRONA_SSO_SCOPES | Comma-separated scopes (e.g., openid,email,profile)

Login flow:

  1. User clicks “Sign in with SSO” on the login page
  2. User is redirected to the identity provider
  3. After authenticating, the IdP redirects back to Frona
  4. Frona validates the OIDC token and creates a session

Endpoints:

Endpoint | Description
--- | ---
GET /api/auth/sso | SSO availability and configuration
GET /api/auth/sso/authorize | Initiates the OIDC flow
GET /api/auth/sso/callback | Handles the IdP callback

When a user logs in via SSO for the first time:

  • FRONA_SSO_SIGNUPS_MATCH_EMAIL=true (default): if an existing account has the same email address, the SSO login is linked to that account
  • FRONA_SSO_SIGNUPS_MATCH_EMAIL=false: a new account is created regardless of whether an account with that email already exists

By default, Frona only accepts verified email addresses from the IdP. If your IdP doesn’t always provide email verification status, you can set:

FRONA_SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true

Use this with caution. It trusts email addresses that haven’t been verified by the IdP.
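To make the callback behaviour concrete, here is an added example (not Frona's own code) modelling the two decisions described above: the claim checks behind "Frona validates the OIDC token", and the first-login policy driven by FRONA_SSO_SIGNUPS_MATCH_EMAIL and FRONA_SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION. It assumes the ID token signature has already been verified against the IdP's JWKS, that the claim names follow the OIDC core spec, and that an explicit email_verified=false is still rejected even when the unknown-status flag is set.

```python
# Added example, not Frona's code: a model of the SSO callback policy.
# Assumes the ID token signature was already checked against the IdP's JWKS;
# this only covers the claim checks and the first-login account decision.
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Decision:
    action: str  # "link", "create" or "reject"
    reason: str


def validate_claims(claims: dict, issuer: str, client_id: str, nonce: str,
                    now: Optional[float] = None) -> Optional[str]:
    """Return None if the ID token claims are acceptable, else the failing check."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:  # must match FRONA_SSO_ISSUER_URL exactly
        return "iss does not match FRONA_SSO_ISSUER_URL"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:  # token minted for another client is not ours
        return "aud does not contain FRONA_SSO_CLIENT_ID"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return "token expired or exp missing"
    if claims.get("nonce") != nonce:  # nonce bound to this login attempt
        return "nonce mismatch (possible replay)"
    return None


def first_login_decision(claims: dict, accounts: dict, env: dict) -> Decision:
    """Apply the FRONA_SSO_* signup settings to already-validated claims.
    `accounts` maps lowercase email -> account id (constructed sample store)."""
    def flag(name: str, default: str) -> bool:
        return env.get(name, default).strip().lower() == "true"

    email = (claims.get("email") or "").strip().lower()
    if not email:
        return Decision("reject", "no email claim in ID token")
    verified = claims.get("email_verified")  # True, False or absent (None)
    if verified is False:  # assumption: explicit false is never trusted
        return Decision("reject", "IdP reports the email as unverified")
    if verified is None and not flag("FRONA_SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION", "false"):
        return Decision("reject", "email_verified absent and unknown status not allowed")
    if flag("FRONA_SSO_SIGNUPS_MATCH_EMAIL", "true") and email in accounts:
        return Decision("link", f"linked to existing account {accounts[email]}")
    return Decision("create", f"new account created for {email}")
```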

Google:

  1. Create a project in Google Cloud Console
  2. Enable the “Google Identity” API
  3. Create OAuth 2.0 credentials (Web application type)
  4. Add your callback URL: https://your-domain.com/api/auth/sso/callback
  5. Set the environment variables with your client ID and secret

Keycloak:

  1. Create a new client in your Keycloak realm
  2. Set the client protocol to openid-connect
  3. Set the redirect URI to https://your-domain.com/api/auth/sso/callback
  4. Use the realm’s OIDC issuer URL (e.g., https://keycloak.example.com/realms/your-realm)