diff --git a/CHANGELOG.md b/CHANGELOG.md index 595bf46bc..a0350e8cd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed +- Updated JumpCloud SSO documentation to clarify token endpoint authentication method requirement and AUTH_SECRET configuration. [#1022](https://github.com/sourcebot-dev/sourcebot/pull/1022) + ## [4.15.10] - 2026-03-20 ### Changed diff --git a/docs/docs/configuration/idp.mdx b/docs/docs/configuration/idp.mdx index 5abab2130..587b4333e 100644 --- a/docs/docs/configuration/idp.mdx +++ b/docs/docs/configuration/idp.mdx @@ -531,6 +531,7 @@ A JumpCloud connection can be used for [authentication](/docs/configuration/auth When configuring your application: - Set the SSO type to "OIDC" + - Set the **Token Endpoint Authentication Method** to `client_secret_basic`. JumpCloud defaults to `client_secret_post`, but Sourcebot requires `client_secret_basic`. - Add `/api/auth/callback/jumpcloud` to the redirect URIs (ex. https://sourcebot.coolcorp.com/api/auth/callback/jumpcloud) - Set the login URL to `/login` @@ -539,6 +540,8 @@ A JumpCloud connection can be used for [authentication](/docs/configuration/auth The client id, secret, and issuer URL are provided to Sourcebot via environment variables. These can be named whatever you like (ex. `JUMPCLOUD_IDENTITY_PROVIDER_CLIENT_ID`, `JUMPCLOUD_IDENTITY_PROVIDER_CLIENT_SECRET`, and `JUMPCLOUD_IDENTITY_PROVIDER_ISSUER`) + + You must also set the `AUTH_SECRET` environment variable. Generate one with `openssl rand -base64 33` and pass it to your Sourcebot deployment. While `AUTH_SECRET` is auto-generated if not provided, it must be explicitly set for SSO to work reliably across restarts. Create a `identityProvider` object in the [config file](/docs/configuration/config-file) with the following fields:
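Review bot: In the docs/docs/configuration/idp.mdx hunk at @@ -531, the new **Token Endpoint Authentication Method** bullet states the requirement but not what an administrator sees when JumpCloud is left on its `client_secret_post` default, so a misconfigured deployment is hard to trace back to this line. Suggest adding the symptom observed at login (the error text as it appears in Sourcebot or its logs) and a short clause on the difference between the two methods: with `client_secret_basic` the client id and secret travel in the HTTP Authorization header of the token request, while with `client_secret_post` they are sent in the request body.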
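Review bot: In the docs/docs/configuration/idp.mdx hunk at @@ -539, the added `AUTH_SECRET` paragraph reads as contradictory: it opens with "You must also set" and then says the value "is auto-generated if not provided". Suggest stating the rule once and saying why it matters, that is, what changes across a restart when the value is auto-generated and how that affects SSO. Because `openssl rand -base64 33` produces secret key material, the paragraph should also say to store it the same way as the client secret rather than in the config file. If the requirement applies to the other identity providers documented in this file and not only JumpCloud, it belongs in a shared section instead of this one.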