Jaws Deploy Stack supports OIDC for user authentication. Once configured, the login page redirects to your identity provider; Stack reads the returned claims to identify the user and (optionally) map group claims to Stack permissions.
Configuration shape
OIDC settings live in config.yaml under the auth.oidc section. The five values you need from your provider: issuer URL, client ID, client secret, the scopes to request, and the claim names for username/email/groups.
OIDC against Microsoft Entra ID
Replace tenant ID and client values with yours. Register the redirect URI https://deploy.acme.internal/auth/oidc/callback in Entra.
auth:
  oidc:
    enabled: true
    issuer: "https://login.microsoftonline.com/<tenant-id>/v2.0"
    clientId: "<client-id>"
    clientSecret: "<client-secret>"
    scopes: ["openid", "profile", "email", "groups"]
    claims:
      username: "preferred_username"
      email: "email"
      groups: "groups"
    groupRoleMapping:
      "deploy-admins": "admin"
      "deploy-engineers": "deployer"
      "deploy-readonly": "viewer"
Group-to-role mapping
The groupRoleMapping block translates IdP group claims into Stack roles. Users with the deploy-admins group become admins; users with deploy-engineers get deployer rights; users with deploy-readonly get the viewer role. Users not in any mapped group get no Stack access at all.
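The mapping rules above, sketched as an added example (this is not Jaws Deploy Stack's own code). The function name resolve_role, the "highest role wins" rule for users in several mapped groups, and exact case-sensitive matching are assumptions; the sample claims are constructed.

```python
# Added illustration of fail-closed group-to-role mapping; not Stack's code.
GROUP_ROLE_MAPPING = {
    "deploy-admins": "admin",
    "deploy-engineers": "deployer",
    "deploy-readonly": "viewer",
}
# Assumption: when a user is in several mapped groups, the highest role wins.
ROLE_RANK = {"viewer": 1, "deployer": 2, "admin": 3}


def resolve_role(claims, mapping=GROUP_ROLE_MAPPING, groups_claim="groups"):
    """Return (role, reason); role is None whenever access must be denied."""
    # Entra ID drops the groups claim and sets _claim_names when a user is in
    # too many groups to fit in the token. Deny rather than guess a role.
    overage = claims.get("_claim_names") or {}
    if isinstance(overage, dict) and groups_claim in overage:
        return None, "group overage"
    groups = claims.get(groups_claim)
    if isinstance(groups, str):  # some providers send a single string
        groups = [groups]
    if not isinstance(groups, list):
        return None, "no groups claim"
    # Exact match only: "Deploy-Admins" must not be treated as "deploy-admins".
    roles = [mapping[g] for g in groups if isinstance(g, str) and g in mapping]
    if not roles:
        return None, "no mapped group"
    return max(roles, key=ROLE_RANK.__getitem__), "mapped"


if __name__ == "__main__":
    # Constructed ID-token claim sets, for demonstration only.
    samples = [
        {"preferred_username": "ana", "groups": ["deploy-readonly", "deploy-admins"]},
        {"preferred_username": "raj", "groups": ["finance"]},
        {"preferred_username": "kim", "_claim_names": {"groups": "src1"}},
        {"preferred_username": "lee"},
    ]
    for claims in samples:
        print(claims["preferred_username"], resolve_role(claims))
```

Entra ID emits group object IDs in the groups claim by default, so the keys in groupRoleMapping must match whatever value the token actually carries.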