JetBrains Space Help

OpenID Connect Auth Module

The OpenID Connect authentication module lets Space users log in to Space with the credentials that are stored in a specified third-party authentication service provider that supports the OpenID Connect protocol. Such providers include (but are not limited to):

The OpenID Connect module provides a quick and convenient way to set up third-party authentication with any of these services. It supports auto-discovery and will auto-fill most of the settings (endpoint fields) for you when you specify a discovery document URL from the identity provider.

When you configure and enable the OpenID Connect module in Space:

  • Space users will be able to log in to Space with their account credentials from a specified third-party identity provider, such as GitLab or Microsoft.

  • Space users will have fewer accounts and passwords to remember.

  • New users with accounts in the connected service will be able to create their own accounts in Space.

Configure and enable OpenID Connect authentication

To enable OpenID Connect authentication, configuration is required on both sides: the identity provider and Space. The actual setup procedure depends on the identity provider you're going to use, but usually involves the following general steps:

  1. Get a discovery document URL from your identity provider. It should point to a file with configuration metadata named .well-known/openid-configuration.

    To obtain the URL, refer to your identity provider's documentation, or look it up in our list of popular providers.

  2. In Space, start creating a new OpenID Connect auth module: go to Administration → Auth Modules → New Auth Module.

    Specify the discovery document URL. The endpoint fields will be populated automatically.

  3. On the identity provider side, set up an OpenID Connect service (application) using the redirect URI from the OpenID Connect module form in Space.

    A Client Secret and Client ID should be generated for authorizing your application.

  4. In Space, specify the Client Secret and Client ID generated by the identity provider.

    Save the settings and activate the newly created authentication module.
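
Because auto-discovery fills the endpoint fields from whatever the discovery URL returns, it is worth checking that document before saving the module. The following Python sketch is an added example, not part of the Space documentation or Space's own code: the function name check_discovery, the provider idp.example and both sample documents are constructed for illustration, and the required scopes default to the three selected in the GitLab example on this page.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(discovery_url, doc, scopes=("openid", "profile", "email")):
    """Return a list of problems found in a parsed discovery document."""
    problems = []
    if urlsplit(discovery_url).scheme != "https" or not discovery_url.endswith(SUFFIX):
        problems.append("discovery URL must be https and end with " + SUFFIX)
    # OpenID Connect Discovery 1.0, section 4.3: the issuer must match the URL
    # prefix the document was fetched from, or it may describe another provider.
    expected_issuer = discovery_url[: -len(SUFFIX)]
    issuer = str(doc.get("issuer", ""))
    if issuer.rstrip("/") != expected_issuer:  # tolerate one trailing slash
        problems.append(f"issuer {issuer!r} != {expected_issuer!r}")
    for name in ENDPOINTS:
        value = doc.get(name)
        if not value:
            problems.append(f"{name} is missing")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{name} is not https: {value}")
    missing = [s for s in scopes if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append("scopes not advertised: " + ", ".join(missing))
    # The Discovery spec requires RS256 to be listed for ID token signing.
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 is not listed for ID token signing")
    return problems

# Constructed sample documents for a hypothetical provider, idp.example.
URL = "https://idp.example" + SUFFIX
GOOD = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/oauth/authorize",
    "token_endpoint": "https://idp.example/oauth/token",
    "jwks_uri": "https://idp.example/oauth/discovery/keys",
    "scopes_supported": ["openid", "profile", "email"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Same document with a foreign issuer, a plain-http token endpoint, no email scope.
BAD = dict(GOOD, issuer="https://other.example",
           token_endpoint="http://idp.example/oauth/token",
           scopes_supported=["openid", "profile"])

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_discovery(URL, doc) or "ok")
```

To check a real provider, fetch its discovery document, parse the JSON and pass it to the function together with the exact URL it was fetched from.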

Example: Configure GitLab as OpenID Connect identity provider in Space

There are many OpenID Connect services you can use. In this example we'll configure GitLab to work with Space as an identity provider. This instruction assumes that you have an account with GitLab.

Provide the discovery document URL

  1. On the Space main menu, click Administration and choose Auth Modules.

  2. Click New auth module. The New Auth Module dialog opens.

  3. From the Type drop-down list, select OpenID Connect.

  4. Click the link Discover OpenID Connect settings…:

  5. Copy the GitLab discovery document URL
    and paste it into the field, then click Discover:


    The form fields will be auto-filled with the metadata retrieved from the discovery file.

Get the Redirect URI

  • Scroll down the form and copy the Redirect URI which is located under the Client ID field:


    You will need it later on.

Set up a new OAuth application in GitLab

  1. In a new browser tab or window, sign in to your GitLab account.

  2. Navigate to User Settings → Applications → New Application.

  3. Give your application a meaningful name (e.g. Space Authentication) and provide the Redirect URI that you have obtained from Space.

  4. Scroll down the form and select the following checkboxes:

    • openid

    • profile

    • email


    Leave the rest of the settings as is and click Save Application.

    A page with your application ID and secret will be displayed:


Provide GitLab-generated ID and secret to Space

  • Copy the Application ID and Secret from your application page on GitLab and paste them into the Client ID and Client secret fields on your Space Auth module form respectively:


Complete the setup and enable the module

  1. You can optionally enable the following settings:

    • User registration

      On — Accounts in the Space organization will be created automatically for unregistered users who log in using the Google authentication module.

      Off — Google logins will be only available to users who already have an account in the Space organization.

    • Restrict authentication to users with email addresses from the specified domains

      When enabled, only the users with email addresses from the domain(s) you specified will be able to log in.

      Specify one or more allowed domains, e.g. or

  2. To save your settings and complete the setup, click Create.

  3. To enable the module, turn its status to Active (at the top of the form).

Last modified: 08 February 2024