Lowdefy v3.23.3 documentation: User Authentication / OpenID Connect

OpenID Connect

Lowdefy supports the OpenID Connect standard as a user authorization mechanism. This means that to add users to your app, you should set up an OpenID Connect provider. Some popular providers are:

A full list of OpenID Connect providers can be found here.

Configuring an OpenID Connect provider

To configure an OpenID Connect provider, you need to set the following Lowdefy secrets: OPENID_CLIENT_ID, OPENID_CLIENT_SECRET, OPENID_DOMAIN, and JWT_SECRET. These can be set with the following environment variables:

LOWDEFY_SECRET_OPENID_CLIENT_ID = YOUR_CLIENT_ID
LOWDEFY_SECRET_OPENID_CLIENT_SECRET = YOUR_CLIENT_SECRET
LOWDEFY_SECRET_OPENID_DOMAIN = YOUR_OPENID_DOMAIN
LOWDEFY_SECRET_JWT_SECRET = YOUR_SECRET_KEY

See the section on JSON Web Tokens below for information about the JWT_SECRET.

If these are not set, the Login and Logout actions won't work, so users won't be able to log in. Protected pages will still not be served to public users.

Optional configuration can also be set in the Lowdefy configuration, at the path config.auth.openId. The following fields can be set:

  • scope: string: Optional - The OpenID Connect scope to request. The default is openid profile email. Should contain at least openid.
  • logoutRedirectUri: string: Optional - The URL to redirect to after logout. See more here.

Details to configure specific OpenID Connect providers are given here.

JSON Web Tokens

The app uses the JWT_SECRET to sign the JSON Web Tokens (with HS256) that authorize users. This secret should be a long, randomly generated string.

You can run the following command in the command console to generate the key:

node -e "console.log(require('crypto').randomBytes(256).toString('base64'));"

We recommend using a different key in your development and production environments.

Optional configuration can also be set in the Lowdefy configuration, at the path config.auth.jwt. The following fields can be set:

  • loginStateExpiresIn: string | number: The length of time an authorization request token should be valid. The default is 5 minutes. If you expect that the user will not log in immediately, you may want to increase this parameter. Can be expressed as a number in seconds, or a vercel/ms string.
  • expiresIn: string | number: The length of time a user token should be valid. The default is 4 hours. Can be expressed as a number in seconds, or a vercel/ms string.