Sesame

Authentication

Configure user authentication with email/password or OIDC/SSO

Sesame supports multiple authentication methods:

  • Email/Password: Built-in local authentication (always enabled)
  • SSO/OIDC: Single Sign-On with any OAuth 2.0 / OpenID Connect provider

Email/Password Authentication

Local authentication is enabled by default. Users can sign up with a username, email, and password.

Configuration

Variable                    Config Path                            Default  Description
ALLOW_USER_REGISTRATION     registration.allowNewUsers             true     Allow new signups
REQUIRE_EMAIL_VERIFICATION  registration.requireEmailVerification  false    Require email verification

Security Note: New user registration is automatically disabled after the initial admin account is created, so that anyone who can reach a self-hosted instance cannot create an account on it. Re-enable it in Settings → Registration if needed.

Email verification requires SMTP configuration. Without SMTP, users can still register, but they will never receive the verification email, so set REQUIRE_EMAIL_VERIFICATION=true only once SMTP works.

Single Sign-On (OIDC)

Sesame supports any OAuth 2.0 / OpenID Connect provider, including:

  • Authentik
  • Keycloak
  • Authelia
  • Okta
  • Auth0
  • Azure AD / Entra ID
  • Google Workspace

Configuration

Configure OIDC via environment variables or the admin UI at /admin/oauth.

Required Settings

Variable            Description
OIDC_ENABLED        Set to true to enable OIDC
OIDC_CLIENT_ID      OAuth client ID from your provider
OIDC_CLIENT_SECRET  OAuth client secret

Provider Configuration

Option 1: Auto-Discovery (Recommended)

Most OIDC providers support auto-discovery. Just provide the issuer URL:

OIDC_ISSUER=https://auth.example.com/application/o/sesame

Sesame automatically fetches the authorization, token and userinfo endpoints from {OIDC_ISSUER}/.well-known/openid-configuration, so the issuer URL must be the exact value the provider advertises in its discovery document.

Option 2: Manual Endpoints

For providers that do not expose a discovery document Sesame can use (this page's Authelia example uses this form), set the three endpoints explicitly:

OIDC_AUTHORIZATION_URL=https://auth.example.com/api/oidc/authorize
OIDC_TOKEN_URL=https://auth.example.com/api/oidc/token
OIDC_USERINFO_URL=https://auth.example.com/api/oidc/userinfo

Optional Settings

Variable            Default               Description
OIDC_PROVIDER_ID    oidc                  Unique identifier (used in callback URL)
OIDC_PROVIDER_NAME  SSO                   Display name on login button
OIDC_SCOPES         openid,profile,email  OAuth scopes to request
OIDC_ALLOW_SIGNUP   true                  Create accounts for new OIDC users

Callback URL

Configure this URL as the redirect/callback URI in your identity provider:

https://your-domain.com/api/auth/oauth2/callback/{provider-id}

Replace {provider-id} with your OIDC_PROVIDER_ID (default: oidc). Providers compare the redirect URI byte for byte, so scheme, host, port and trailing characters must match exactly.
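A preflight check for the configuration rules above (auto-discovery vs. manual endpoints, HTTPS endpoints, and the callback URL built from OIDC_PROVIDER_ID). This is an added example, not part of Sesame or its codebase; the discovery document, client values and host names are constructed samples, and a real run would fetch {OIDC_ISSUER}/.well-known/openid-configuration instead of using the embedded JSON.

```python
"""Preflight check for a Sesame-style OIDC environment (added example, not Sesame code)."""
import json
from urllib.parse import urlparse

# Constructed sample of what an IdP serves at /.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.example.com/application/o/sesame",
    "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
    "token_endpoint": "https://auth.example.com/application/o/token/",
    "userinfo_endpoint": "https://auth.example.com/application/o/userinfo/",
})

ENDPOINT_VARS = ("OIDC_AUTHORIZATION_URL", "OIDC_TOKEN_URL", "OIDC_USERINFO_URL")
DISCOVERY_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def discovery_url(issuer: str) -> str:
    """URL of the discovery document for a configured issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def callback_url(base_url: str, provider_id: str = "oidc") -> str:
    """Redirect URI to register at the IdP; the IdP compares it exactly."""
    return f"{base_url.rstrip('/')}/api/auth/oauth2/callback/{provider_id}"


def endpoints_from_discovery(issuer: str, document: str) -> dict:
    """Parse a discovery document. OIDC Discovery requires the document's
    'issuer' to equal the issuer it was fetched for; a mismatch means the
    configured URL points at a different (or spoofed) provider."""
    doc = json.loads(document)
    if doc.get("issuer") != issuer:
        raise ValueError(f"discovery issuer {doc.get('issuer')!r} != configured {issuer!r}")
    return {var: doc[key] for var, key in zip(ENDPOINT_VARS, DISCOVERY_KEYS)}


def resolve_endpoints(env: dict, fetch=lambda url: SAMPLE_DISCOVERY) -> dict:
    """Endpoints Sesame would use: from discovery if OIDC_ISSUER is set,
    otherwise all three manual URLs must be present. 'fetch' is a stand-in
    for an HTTP GET and returns the constructed sample by default."""
    if env.get("OIDC_ISSUER"):
        issuer = env["OIDC_ISSUER"]
        return endpoints_from_discovery(issuer, fetch(discovery_url(issuer)))
    missing = [v for v in ENDPOINT_VARS if not env.get(v)]
    if missing:
        raise ValueError("set OIDC_ISSUER or all of: " + ", ".join(missing))
    return {v: env[v] for v in ENDPOINT_VARS}


def preflight(env: dict, base_url: str, fetch=lambda url: SAMPLE_DISCOVERY) -> list:
    """Return a list of problems; an empty list means the config looks sound."""
    problems = []
    if env.get("OIDC_ENABLED", "").lower() != "true":
        problems.append("OIDC_ENABLED is not 'true'")
    for var in ("OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET"):
        if not env.get(var):
            problems.append(f"{var} is missing")
    try:
        endpoints = resolve_endpoints(env, fetch)
    except ValueError as exc:
        problems.append(str(exc))
        endpoints = {}
    for var, url in endpoints.items():
        if urlparse(url).scheme != "https":
            problems.append(f"{var} is not HTTPS: {url}")
    scopes = [s.strip() for s in env.get("OIDC_SCOPES", "openid,profile,email").split(",")]
    if "openid" not in scopes:
        problems.append("OIDC_SCOPES must include 'openid'")
    if urlparse(base_url).scheme != "https":
        problems.append("callback URL is not HTTPS; most IdPs reject it")
    return problems


if __name__ == "__main__":
    # Constructed configuration matching the Authentik example on this page.
    env = {"OIDC_ENABLED": "true", "OIDC_PROVIDER_ID": "authentik",
           "OIDC_CLIENT_ID": "your-client-id", "OIDC_CLIENT_SECRET": "your-client-secret",
           "OIDC_ISSUER": "https://auth.example.com/application/o/sesame"}
    print("register at IdP:", callback_url("https://sesame.example.com", env["OIDC_PROVIDER_ID"]))
    print("problems:", preflight(env, "https://sesame.example.com") or "none")
```

The issuer comparison is the check worth keeping even if you drop the rest: a discovery document whose issuer does not match the configured OIDC_ISSUER should never be trusted for endpoints.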

Provider Examples

Authentik

  1. Create an OAuth2/OpenID Provider in Authentik and add the Sesame callback URL as a Redirect URI
  2. Create an Application linked to the provider
  3. Configure Sesame:
OIDC_ENABLED=true
OIDC_PROVIDER_ID=authentik
OIDC_PROVIDER_NAME=Authentik
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret
OIDC_ISSUER=https://auth.example.com/application/o/sesame

Keycloak

  1. Create a Client in your Keycloak realm (a dedicated realm, not master, for production use)
  2. Set Access Type to "confidential" (in newer Keycloak versions, turn on "Client authentication")
  3. Add the Sesame callback URL under Valid Redirect URIs
  4. Configure Sesame:
OIDC_ENABLED=true
OIDC_PROVIDER_ID=keycloak
OIDC_PROVIDER_NAME=Keycloak
OIDC_CLIENT_ID=sesame
OIDC_CLIENT_SECRET=your-client-secret
OIDC_ISSUER=https://keycloak.example.com/realms/master

Authelia

Authelia requires manual endpoint configuration:

OIDC_ENABLED=true
OIDC_PROVIDER_ID=authelia
OIDC_PROVIDER_NAME=Authelia
OIDC_CLIENT_ID=sesame
OIDC_CLIENT_SECRET=your-client-secret
OIDC_AUTHORIZATION_URL=https://auth.example.com/api/oidc/authorize
OIDC_TOKEN_URL=https://auth.example.com/api/oidc/token
OIDC_USERINFO_URL=https://auth.example.com/api/oidc/userinfo

Okta / Auth0

OIDC_ENABLED=true
OIDC_PROVIDER_ID=okta
OIDC_PROVIDER_NAME=Okta
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret
OIDC_ISSUER=https://your-domain.okta.com
# or for Auth0:
# OIDC_ISSUER=https://your-tenant.auth0.com

Admin Panel

Access the SSO configuration UI at /admin/oauth to:

  • Enable/disable OIDC authentication
  • Configure provider settings
  • View the callback URL
  • See configuration examples

Settings configured via environment variables appear as "locked" in the admin UI: they cannot be changed from the UI, so change the variable and restart the server.

Troubleshooting

"Invalid redirect URI" Error

Ensure the callback URL in your identity provider exactly matches:

https://your-domain.com/api/auth/oauth2/callback/{provider-id}

User Not Created After Login

Check that OIDC_ALLOW_SIGNUP is not set to false; when it is, only users whose accounts already exist in Sesame can log in via OIDC.

Missing User Information

Ensure your provider returns email and name (or preferred_username) claims. Add the email and profile scopes if needed:

OIDC_SCOPES=openid,profile,email
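A small diagnostic for this case, as an added example that is not Sesame code: it maps provider claims to the fields the docs say Sesame needs (email, plus a name from name or preferred_username) and, when something is missing, names the standard scope that releases it. The userinfo responses are constructed samples.

```python
"""Claim/scope diagnostic for the 'Missing User Information' case (added example, not Sesame code)."""

# Standard scope that releases each claim (OpenID Connect Core 1.0, section 5.4).
SCOPE_FOR_CLAIM = {"email": "email", "name": "profile", "preferred_username": "profile"}

# Constructed userinfo responses: one usable, one from an IdP that only
# released the 'openid' scope and therefore returned just 'sub'.
GOOD_CLAIMS = {"sub": "1234", "email": "alice@example.com", "preferred_username": "alice"}
BARE_CLAIMS = {"sub": "1234"}


def missing_scopes(oidc_scopes: str) -> list:
    """Scopes the claim lookup depends on that are absent from OIDC_SCOPES."""
    have = {s.strip() for s in oidc_scopes.split(",") if s.strip()}
    return [s for s in ("openid", "profile", "email") if s not in have]


def resolve_user(claims: dict):
    """Return {'email', 'name'} when the claims suffice, else None.
    'name' wins over 'preferred_username', matching the page's description."""
    email = claims.get("email")
    name = claims.get("name") or claims.get("preferred_username")
    if email and name:
        return {"email": email, "name": name}
    return None


def diagnose(claims: dict, oidc_scopes: str) -> list:
    """Human-readable problems explaining why a user could not be created."""
    problems = []
    if not claims.get("email"):
        problems.append("provider returned no 'email' claim (needs the 'email' scope)")
    if not (claims.get("name") or claims.get("preferred_username")):
        problems.append("provider returned neither 'name' nor 'preferred_username' (needs the 'profile' scope)")
    absent = missing_scopes(oidc_scopes)
    if absent:
        problems.append("OIDC_SCOPES is missing: " + ",".join(absent))
    return problems


if __name__ == "__main__":
    print(resolve_user(GOOD_CLAIMS))
    for line in diagnose(BARE_CLAIMS, "openid"):
        print("-", line)
```

If the scopes are already requested but the claims still do not arrive, the provider is the place to look: some IdPs only release email and profile claims through a mapper or claim policy attached to the client.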

HTTPS Required

Most identity providers reject redirect URIs that are not HTTPS (many allow plain http only for localhost development). Terminate TLS at a reverse proxy in front of Sesame so the callback URL is served over https.
