
OpenID Connect Authentication

OIDC authentication lets you protect drydock access with an OpenID Connect (OIDC) identity provider: users are sent to the IdP to sign in, and drydock creates a local session only after the returned ID token has been validated.

Variables

| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
| DD_AUTH_OIDC_{auth_name}_CLIENTID | 🔴 | Client ID | | |
| DD_AUTH_OIDC_{auth_name}_CLIENTSECRET | 🔴 | Client Secret | | |
| DD_AUTH_OIDC_{auth_name}_DISCOVERY | 🔴 | OIDC discovery URL | URL | |
| DD_AUTH_OIDC_{auth_name}_CAFILE | | Path to a PEM CA certificate (or chain) used for OIDC HTTPS requests | File path | empty |
| DD_AUTH_OIDC_{auth_name}_INSECURE | | Disable TLS certificate verification for OIDC HTTPS requests (development only) | true, false | false |
| DD_AUTH_OIDC_{auth_name}_REDIRECT | | Skip the internal login page and redirect automatically to the OIDC provider | true, false | false |
| DD_AUTH_OIDC_{auth_name}_LOGOUTURL | | Explicit IdP logout URL, used as a fallback when the discovery metadata has no end_session_endpoint | URL | empty |
| DD_AUTH_OIDC_{auth_name}_TIMEOUT | | Timeout (in ms) when calling the OIDC provider | Integer, minimum 500 | 5000 |
| DD_PUBLIC_URL | 🔴 | Public URL of your drydock instance (used to build the OIDC callback URL) | URL | |
The callback URL (to register as a redirect URI in the IdP) is built as ${DD_PUBLIC_URL}/auth/oidc/${auth_name}/cb, where ${auth_name} is the lower-cased name token from the variable names (DD_AUTH_OIDC_AUTHELIA_* gives /auth/oidc/authelia/cb).
DD_PUBLIC_URL is required whenever OIDC is configured. Without it the OIDC provider fails to register at startup and the login page shows "No authentication methods configured"; the startup logs carry the exact error.
If your IdP is on a different site and the callback fails with OIDC session is missing or expired, check DD_SERVER_COOKIE_SAMESITE (server config). The default is lax, which still sends the session cookie on the top-level redirect back from the IdP; strict withholds it on that cross-site navigation, so the state and nonce stored in the session cannot be found and the callback is rejected. Use none only for explicit cross-site or embedded cases, and only over HTTPS, since browsers require the Secure attribute for SameSite=None cookies.
http:// OIDC discovery URLs are deprecated and will be removed in v1.6.0. When the discovery URL uses http:, drydock passes allowInsecureRequests to the OIDC client. A cleartext discovery document lets anyone on the network path rewrite the token, userinfo and JWKS endpoints it advertises and then collect the client secret that drydock sends during the code exchange, so migrate your IdP to HTTPS before upgrading.
If your provider uses a private or self-signed CA, the quickest container-level workaround is NODE_EXTRA_CA_CERTS=/path/to/ca.pem, which extends the trust store of the whole Node.js process (every outbound TLS connection, not only OIDC). Drydock also supports OIDC-scoped TLS settings: DD_AUTH_OIDC_{auth_name}_CAFILE adds a trusted CA (or chain) for OIDC calls only, and DD_AUTH_OIDC_{auth_name}_INSECURE disables verification for them.
DD_AUTH_OIDC_{auth_name}_INSECURE=true disables TLS certificate verification for OIDC HTTPS calls (discovery, token, userinfo, JWKS). With verification off, anyone who can intercept the connection can impersonate the IdP and capture the client secret and tokens, so use it only for local or development troubleshooting, never in production.
Redirect URL validation: drydock validates all OIDC authorization redirect URLs against an allowlist derived from the configured callback URL origin. This prevents open redirect attacks through crafted callback parameters. No configuration is needed; validation is enforced automatically.
OIDC logout URL resolution: drydock first uses the provider's discovery end_session_endpoint. If it is missing, set DD_AUTH_OIDC_{auth_name}_LOGOUTURL when your provider (or a proxy in front of it) exposes a logout URL outside the discovery metadata. If neither is available, POST /auth/logout destroys only the local drydock session; the IdP session stays alive, so the next login completes without a fresh authentication at the IdP.
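The rules above (required variables, the DD_PUBLIC_URL dependency, the ${DD_PUBLIC_URL}/auth/oidc/${auth_name}/cb callback URL, the 500 ms timeout floor with a 5000 ms default, the http: discovery deprecation, and the same-origin redirect allowlist) as a worked example in Node.js. This is added example code, not Drydock's own implementation: the function names, the error messages, the decision to reject rather than clamp a timeout below 500 ms, and the assumption that {auth_name} contains no underscores are all choices made for this example.

```javascript
// Added example (not Drydock's code): parse DD_AUTH_OIDC_{auth_name}_* variables,
// derive the callback URL from DD_PUBLIC_URL, and check redirect targets against
// the callback origin. Names, messages and the no-underscore {auth_name} rule are assumptions.

const OIDC_VAR = /^DD_AUTH_OIDC_([A-Z0-9]+)_(CLIENTID|CLIENTSECRET|DISCOVERY|CAFILE|INSECURE|REDIRECT|LOGOUTURL|TIMEOUT)$/;
const REQUIRED = ['CLIENTID', 'CLIENTSECRET', 'DISCOVERY'];
const TIMEOUT_DEFAULT_MS = 5000;
const TIMEOUT_MIN_MS = 500;

// ${DD_PUBLIC_URL}/auth/oidc/${auth_name}/cb with auth_name lower-cased (AUTHELIA -> authelia).
function buildCallbackUrl(publicUrl, authName) {
  const base = new URL(publicUrl); // throws on a malformed DD_PUBLIC_URL
  const prefix = base.pathname.replace(/\/+$/, '');
  return new URL(`${prefix}/auth/oidc/${authName.toLowerCase()}/cb`, base.origin).href;
}

function parseBool(value, name) {
  if (value === undefined || value === '') return false;
  if (value === 'true') return true;
  if (value === 'false') return false;
  throw new Error(`${name} must be "true" or "false"`);
}

// Assumption for this example: values below the documented minimum are rejected, not clamped.
function parseTimeout(value, name) {
  if (value === undefined || value === '') return TIMEOUT_DEFAULT_MS;
  const ms = Number(value);
  if (!Number.isInteger(ms) || ms < TIMEOUT_MIN_MS) {
    throw new Error(`${name} must be an integer number of ms >= ${TIMEOUT_MIN_MS}`);
  }
  return ms;
}

// Build one provider object per {auth_name} from a process.env-like object.
function loadOidcProviders(env) {
  const byName = new Map();
  for (const [key, value] of Object.entries(env)) {
    const m = OIDC_VAR.exec(key);
    if (!m) continue;
    const [, name, field] = m;
    if (!byName.has(name)) byName.set(name, {});
    byName.get(name)[field] = value;
  }
  if (byName.size === 0) return [];
  if (!env.DD_PUBLIC_URL) {
    throw new Error('DD_PUBLIC_URL is required when OIDC is configured');
  }
  const providers = [];
  for (const [name, raw] of byName) {
    const missing = REQUIRED.filter((f) => !raw[f]);
    if (missing.length > 0) {
      const vars = missing.map((f) => `DD_AUTH_OIDC_${name}_${f}`).join(', ');
      throw new Error(`OIDC provider ${name}: missing ${vars}`);
    }
    const discovery = new URL(raw.DISCOVERY);
    if (discovery.protocol !== 'https:' && discovery.protocol !== 'http:') {
      throw new Error(`OIDC provider ${name}: discovery URL must be http(s)`);
    }
    providers.push({
      name: name.toLowerCase(),
      clientId: raw.CLIENTID,
      clientSecret: raw.CLIENTSECRET,
      discoveryUrl: discovery.href,
      // Deprecated: a cleartext discovery document can be rewritten on the wire.
      insecureDiscovery: discovery.protocol === 'http:',
      caFile: raw.CAFILE,
      insecureTls: parseBool(raw.INSECURE, `DD_AUTH_OIDC_${name}_INSECURE`),
      autoRedirect: parseBool(raw.REDIRECT, `DD_AUTH_OIDC_${name}_REDIRECT`),
      logoutUrl: raw.LOGOUTURL,
      timeoutMs: parseTimeout(raw.TIMEOUT, `DD_AUTH_OIDC_${name}_TIMEOUT`),
      callbackUrl: buildCallbackUrl(env.DD_PUBLIC_URL, name),
    });
  }
  return providers;
}

// Allow a redirect target only if it is an absolute http(s) URL on the callback URL's origin.
// Relative paths and protocol-relative URLs fail to parse without a base, userinfo tricks
// (https://good.example@evil.example/) resolve to the attacker's origin, and javascript:
// and other schemes are rejected outright.
function isAllowedRedirect(callbackUrl, candidate) {
  let target;
  try {
    target = new URL(candidate);
  } catch {
    return false;
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return false;
  return target.origin === new URL(callbackUrl).origin;
}

module.exports = { buildCallbackUrl, loadOidcProviders, isAllowedRedirect };
```

The origin comparison is deliberately done on parsed URLs rather than on string prefixes: a prefix check on "https://drydock.example.com" would accept "https://drydock.example.com.evil.example/" and "https://drydock.example.com@evil.example/", both of which the parsed origin rejects.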

How to integrate with Authelia

Configure an OpenID client for drydock in the Authelia configuration.yml (see the official Authelia documentation).

identity_providers:
  oidc:
    hmac_secret: <a-very-long-string>          # long random string; keep it secret
    issuer_private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      # <Generate & paste here an RSA private key>
      -----END RSA PRIVATE KEY-----
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    clients:
      - client_id: my-drydock-client-id
        client_name: drydock openid client
        # Recent Authelia versions expect a hashed client secret here (authelia crypto hash generate);
        # the plaintext form is shown for illustration. Check the documentation for your version.
        client_secret: this-is-a-very-secure-secret
        public: false                           # confidential client: drydock holds the secret server-side
        authorization_policy: one_factor        # two_factor is the stronger choice
        audience: []
        scopes:
          - openid
          - profile
          - email
        redirect_uris:
          # Must match ${DD_PUBLIC_URL}/auth/oidc/<auth_name>/cb exactly (auth_name is "authelia" below)
          - https://<your_drydock_public_domain>/auth/oidc/authelia/cb
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
          - query
          - fragment
        userinfo_signing_algorithm: none

Configure drydock

Docker Compose:

services:
  drydock:
    image: codeswhat/drydock
    ...
    environment:
      - DD_PUBLIC_URL=https://<your_drydock_public_domain>
      - DD_AUTH_OIDC_AUTHELIA_CLIENTID=my-drydock-client-id
      - DD_AUTH_OIDC_AUTHELIA_CLIENTSECRET=this-is-a-very-secure-secret
      - DD_AUTH_OIDC_AUTHELIA_DISCOVERY=https://<your_authelia_public_domain>/.well-known/openid-configuration

Docker CLI:

docker run \
  -e DD_PUBLIC_URL="https://<your_drydock_public_domain>" \
  -e DD_AUTH_OIDC_AUTHELIA_CLIENTID="my-drydock-client-id" \
  -e DD_AUTH_OIDC_AUTHELIA_CLIENTSECRET="this-is-a-very-secure-secret" \
  -e DD_AUTH_OIDC_AUTHELIA_DISCOVERY="https://<your_authelia_public_domain>/.well-known/openid-configuration" \
  ...
  codeswhat/drydock


How to integrate with Auth0

In the Auth0 dashboard, create an application of type Regular Web Application and set:

  • Allowed Callback URLs: https://<your_drydock_public_domain>/auth/oidc/auth0/cb

Configure drydock

Docker Compose:

services:
  drydock:
    image: codeswhat/drydock
    ...
    environment:
      - DD_PUBLIC_URL=https://<your_drydock_public_domain>
      - DD_AUTH_OIDC_AUTH0_CLIENTID=<paste the Client ID from auth0 application settings>
      - DD_AUTH_OIDC_AUTH0_CLIENTSECRET=<paste the Client Secret from auth0 application settings>
      - DD_AUTH_OIDC_AUTH0_DISCOVERY=https://<paste the domain from auth0 application settings>/.well-known/openid-configuration

Docker CLI:

docker run \
  -e DD_PUBLIC_URL="https://<your_drydock_public_domain>" \
  -e DD_AUTH_OIDC_AUTH0_CLIENTID="<paste the Client ID from auth0 application settings>" \
  -e DD_AUTH_OIDC_AUTH0_CLIENTSECRET="<paste the Client Secret from auth0 application settings>" \
  -e DD_AUTH_OIDC_AUTH0_DISCOVERY="https://<paste the domain from auth0 application settings>/.well-known/openid-configuration" \
  ...
  codeswhat/drydock


How to integrate with Authentik

On Authentik, create a provider of type OAuth2/OpenID Provider (or configure an existing one).

Important values

  • Client Type: Confidential
  • Client ID: <generated value>
  • Client Secret: <generated value>
  • Redirect URIs/Origins: https://<your_drydock_public_domain>/auth/oidc/authentik/cb
  • Scopes: email, openid, profile

On Authentik, create an application associated with the previously created provider. The application slug becomes part of the discovery URL used below.

Configure drydock

Docker Compose:

services:
  drydock:
    image: codeswhat/drydock
    ...
    environment:
      - DD_PUBLIC_URL=https://<your_drydock_public_domain>
      - DD_AUTH_OIDC_AUTHENTIK_CLIENTID=<paste the Client ID from authentik drydock_oidc provider>
      - DD_AUTH_OIDC_AUTHENTIK_CLIENTSECRET=<paste the Client Secret from authentik drydock_oidc provider>
      - DD_AUTH_OIDC_AUTHENTIK_DISCOVERY=<authentik_url>/application/o/<authentik_application_slug>/.well-known/openid-configuration
      - DD_AUTH_OIDC_AUTHENTIK_REDIRECT=true # optional (skips the internal login page)

Docker CLI (the REDIRECT variable is optional; it is listed last so that no comment sits before a line-continuation backslash, which would break the command):

docker run \
  -e DD_PUBLIC_URL="https://<your_drydock_public_domain>" \
  -e DD_AUTH_OIDC_AUTHENTIK_CLIENTID="<paste the Client ID from authentik drydock_oidc provider>" \
  -e DD_AUTH_OIDC_AUTHENTIK_CLIENTSECRET="<paste the Client Secret from authentik drydock_oidc provider>" \
  -e DD_AUTH_OIDC_AUTHENTIK_DISCOVERY="<authentik_url>/application/o/<authentik_application_slug>/.well-known/openid-configuration" \
  -e DD_AUTH_OIDC_AUTHENTIK_REDIRECT=true \
  ...
  codeswhat/drydock
Authentik token encryption — In the Authentik provider's Advanced protocol settings, ensure the Encryption Key is unset ("Select an encryption key..."). Drydock does not support JWE (encrypted) tokens. If an encryption key is selected, Authentik will encrypt the ID token and Drydock will fail to validate it.
Self-signed certificates — If your Authentik instance uses a self-signed certificate, use DD_AUTH_OIDC_AUTHENTIK_INSECURE=true to skip TLS verification for OIDC calls only (does not affect registry or webhook TLS). Alternatively, mount the CA certificate and use DD_AUTH_OIDC_AUTHENTIK_CAFILE=/path/to/ca.pem. For the CAFILE approach, ensure the PEM file contains the full certificate chain (not just the leaf certificate).

How to integrate with Dex

Dex does not currently advertise end_session_endpoint in discovery metadata. Without an explicit DD_AUTH_OIDC_DEX_LOGOUTURL, POST /auth/logout clears only the local drydock session.
Set DD_AUTH_OIDC_DEX_LOGOUTURL only if you have a real IdP logout endpoint in front of Dex (for example, via your auth proxy/portal). If you do not, keep it unset and expect local-session logout only.

Docker Compose:

services:
  drydock:
    image: codeswhat/drydock
    ...
    environment:
      - DD_PUBLIC_URL=https://<your_drydock_public_domain>
      - DD_AUTH_OIDC_DEX_CLIENTID=<dex_client_id>
      - DD_AUTH_OIDC_DEX_CLIENTSECRET=<dex_client_secret>
      - DD_AUTH_OIDC_DEX_DISCOVERY=https://<your_dex_public_domain>/dex/.well-known/openid-configuration
      # Optional: only when a real IdP logout endpoint exists
      # - DD_AUTH_OIDC_DEX_LOGOUTURL=https://<your_logout_endpoint>

Docker CLI:

docker run \
  -e DD_PUBLIC_URL="https://<your_drydock_public_domain>" \
  -e DD_AUTH_OIDC_DEX_CLIENTID="<dex_client_id>" \
  -e DD_AUTH_OIDC_DEX_CLIENTSECRET="<dex_client_secret>" \
  -e DD_AUTH_OIDC_DEX_DISCOVERY="https://<your_dex_public_domain>/dex/.well-known/openid-configuration" \
  ...
  codeswhat/drydock

Optional (only when a real IdP logout endpoint exists), added to the docker run command above:

-e DD_AUTH_OIDC_DEX_LOGOUTURL="https://<your_logout_endpoint>"
