GoToSocial supports [OpenID Connect](https://openid.net/connect/), which is an identification protocol built on top of [OAuth 2.0](https://oauth.net/2/), an industry standard protocol for authorization.
This means that you can connect GoToSocial to an external OIDC provider like [Gitlab](https://docs.gitlab.com/ee/integration/openid_connect_provider.html), [Google](https://cloud.google.com/identity-platform/docs/web/oidc), [Keycloak](https://www.keycloak.org/), or [Dex](https://dexidp.io/) and allow users to sign in to GoToSocial using their credentials for that provider.
This is very convenient in the following cases:
- You're running multiple services on a platform (Matrix, Peertube, GoToSocial), and you want users to be able to use the same sign in page for all of them.
- You want to delegate management of users, accounts, passwords etc. to an external service to make admin easier for yourself.
- You already have a lot of users in an external system and you don't want to have to recreate them all in GoToSocial manually.
## Settings
GoToSocial exposes the following configuration settings for OIDC, shown below with their default values.
```yaml
#######################
##### OIDC CONFIG #####
#######################
# Config for authentication with an external OIDC provider (Dex, Google, Auth0, etc).
Most OIDC providers allow for the concept of groups and group memberships in returned claims. GoToSocial can use group membership to determine whether or not a user returned from an OIDC flow should be created as an admin account or not.
If the returned OIDC groups information for a user contains membership of the groups `admin` or `admins`, then that user will be created/signed in as though they are an admin.
[Dex](https://dexidp.io/) is an open-source OIDC Provider that you can host yourself. The procedure for installing Dex is out of scope for this documentation, but you can check out the Dex docs [here](https://dexidp.io/docs/).
Dex is great because it's also written in Go, like GoToSocial, which means it's small and fast and works well on lower-powered systems.
To configure Dex and GoToSocial to work together, create the following client under the `staticClients` section of your Dex config:
```yaml
staticClients:
- id: 'gotosocial_client'
redirectURIs:
- 'https://gotosocial.example.org/auth/callback'
name: 'GoToSocial'
secret: 'some-client-secret'
```
Make sure to replace `gotosocial_client` with your desired client ID, and `secret` with a reasonably long and secure secret (a UUID for example). You should also replace `gotosocial.example.org` with the `host` of your GtS instance, but leave `/auth/callback` in place.
Now, edit the `oidc` section of your GoToSocial config.yaml as follows:
```yaml
oidc:
enabled: true
idpName: "Dex"
skipVerification: false
issuer: "https://auth.example.org"
clientID: "gotosocial_client"
clientSecret: "some-client-secret"
scopes:
- "openid"
- "email"
- "profile"
- "groups"
```
Make sure to replace the `issuer` variable with whatever your Dex issuer is set to. This should be the exact URI at which your Dex instance can be reached.
Now, restart both GoToSocial and Dex so that the new settings are in place.
When you next go to log in to GtS, you should be redirected to the sign in page for Dex. On a successful sign in, you'll be directed back to GoToSocial.