diff --git a/content/self-hosting/security/authentication-and-sso.mdx b/content/self-hosting/security/authentication-and-sso.mdx index e4cb670b56..35d158b358 100644 --- a/content/self-hosting/security/authentication-and-sso.mdx +++ b/content/self-hosting/security/authentication-and-sso.mdx 
@@ -302,16 +302,16 @@ https:///auth/sso-initiate?provider= These are additional configuration variables. Replace `` with the provider name (e.g., `GOOGLE`, `GITHUB`, `AZURE_AD`, etc., see other variables of provider above). -| Variable | Description | -| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `AUTH_DOMAINS_WITH_SSO_ENFORCEMENT` | Comma-separated list of domains that are only allowed to sign in using SSO. Email/password sign in is disabled for these domains. E.g. `domain1.com,domain2.com` | -| `AUTH_DISABLE_SIGNUP` | Set to `true` to disable sign up for new users. Only existing users can sign in. This affects all new users that try to sign up, also those who received an invite to a project and have no account yet. | -| `AUTH_EMAIL_VERIFICATION_REQUIRED` | Set to `true` to require new users to verify their email address via a one-time password (OTP) before setting a password during email/password signup. Requires [transactional emails](/self-hosting/configuration/transactional-emails) to be configured. SSO sign-in is unaffected. See [Email verification on signup](#email-verification-on-signup). | -| `AUTH_SESSION_MAX_AGE` | Set the maximum age of the session (JWT) in minutes. The default is 30 days (`43200`). The value must be greater than 5 minutes, as the front-end application refreshes its session every 5 minutes. | -| `AUTH_IGNORE_ACCOUNT_FIELDS` | Comma-separated list of fields to ignore from the SSO IDP account when creating an account. Use this to correct errors with custom IDP providers. | -| `AUTH__ALLOW_ACCOUNT_LINKING` | Set to `true` to allow merging accounts with the same email address. 
This is useful when users sign in with different providers or email/password but have the same email address. You need to be careful with this setting as it can lead to security issues if the emails are not verified. | -| `AUTH__CLIENT_AUTH_METHOD` | Configure the token endpoint authentication method. Supported values: `client_secret_basic` (default), `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, `none`. Use `none` for PKCE flow. | -| `AUTH__CHECKS` | Configure the authentication checks. Supported values: `nonce`, `none`, `pkce`, `state`. Multiple values can be provided as comma-separated list. | +| Variable | Description | +| --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `AUTH_DOMAINS_WITH_SSO_ENFORCEMENT` | Comma-separated list of domains that are only allowed to sign in using SSO. Email/password sign in is disabled for these domains. E.g. `domain1.com,domain2.com` | +| `AUTH_DISABLE_SIGNUP` | Set to `true` to disable sign up for new users. Only existing users can sign in. This affects all new users that try to sign up, also those who received an invite to a project and have no account yet. | +| `AUTH_SESSION_MAX_AGE` | Set the maximum age of the session (JWT) in minutes. The default is 30 days (`43200`). The value must be greater than 5 minutes, as the front-end application refreshes its session every 5 minutes. | +| `AUTH_IGNORE_ACCOUNT_FIELDS` | Comma-separated list of fields to ignore from the SSO IDP account when creating an account. Use this to correct errors with custom IDP providers. | +| `AUTH__ALLOW_ACCOUNT_LINKING` | Set to `true` to allow merging accounts with the same email address. 
This is useful when users sign in with different providers or email/password but have the same email address. You need to be careful with this setting as it can lead to security issues if the emails are not verified. | +| `AUTH__CLIENT_AUTH_METHOD` | Configure the token endpoint authentication method. Supported values: `client_secret_basic` (default), `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, `none`. Use `none` for PKCE flow. | +| `AUTH__CHECKS` | Configure the authentication checks. Supported values: `nonce`, `none`, `pkce`, `state`. Multiple values can be provided as comma-separated list. | +| `AUTH__ID_TOKEN_SIGNED_RESPONSE_ALG` | Configure algorithm that is used to sign ID Token by provider. Supported values: `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512`, `PS256`, `PS384`, `PS512`, `HS256`, `HS384`, `HS512`. This setting is ignored by providers: GitHub, WorkOS | ## Troubleshooting
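Review bot: the new `AUTH__ID_TOKEN_SIGNED_RESPONSE_ALG` row lists `HS256`, `HS384` and `HS512` alongside the RSA/EC/PSS values with no caveat, but those are HMAC algorithms: an ID token signed with them is authenticated with the shared client secret rather than a provider-held private key, so any party that holds the client secret can mint ID tokens the application will accept. The row should warn that the HS* values are only appropriate when the provider offers nothing else, and it should state the default, as the table already does for `AUTH_SESSION_MAX_AGE` and `AUTH__CLIENT_AUTH_METHOD`. The description "Configure algorithm that is used to sign ID Token by provider" also reads as if this setting chooses how the provider signs, when a client-side setting can only declare which algorithm the application expects; suggested wording: "Algorithm the provider is expected to use to sign the ID token", followed by a sentence stating what happens when a token arrives with a different `alg` (rejected or accepted), since that behaviour is the whole security value of pinning it. Separately, the same hunk silently drops the `AUTH_EMAIL_VERIFICATION_REQUIRED` row, which linked to `#email-verification-on-signup` and to the transactional-emails page: that removal is unrelated to the ID-token change and unexplained by the diff, so either restore the row or, if the feature really was removed, delete the "Email verification on signup" section and any other references to it in the same change.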