OpenID Connect Auth Module
Starting with YouTrack 2026.1, OpenID Connect authentication modules replace OpenID 2.0 authentication modules.
Enable OpenID Connect Authentication
To allow users to sign in to YouTrack with OpenID Connect, enable an OpenID Connect authentication module.
To enable OpenID Connect authentication:
1. From the main navigation menu, select Auth Modules.
2. Click the New module button.
3. In the Select an identity provider dialog, select OpenID Connect.
   The Configure Login with OpenID Connect wizard opens.
4. Specify the Auth module name and OIDC URL, then click Next.
   When you enter the identity provider URL, YouTrack attempts to discover the provider configuration automatically.
   If discovery fails, you can fill in the required information manually after the module is created. To proceed, select I will provide the configuration manually later and click Next.
5. Copy the generated redirect URI.
6. Follow the instructions provided in the wizard to create the YouTrack app integration and register the redirect URI.
7. Copy the Client ID and Client Secret from Okta and paste them into the Client ID and Client secret fields in YouTrack, respectively.
8. Click Finish.
   The OpenID Connect authentication module is created and its configuration page opens.
To complete the setup:
1. Review and configure optional settings for the authentication module. For more information, see Additional Settings.
2. Click the Save button to apply the settings.
3. Click the Enable button.
   The OpenID Connect authentication module is enabled.
The auth module icon is added to the login dialog window. Users can click this icon to log in to YouTrack with their OpenID Connect credentials.
To verify that the authentication module is configured correctly, click the Test login button.
YouTrack opens the authentication flow with the configured identity provider.
If you are authenticated successfully, the configuration is correct.
Settings
In the header of the settings page, you can find the general information about the authentication module.
Setting | Description |
|---|---|
Name | Stores the name of the authentication module. Use this setting to distinguish this module from other authentication modules in the Auth Modules list. You can change the name of the authentication module using the Rename action. For more details, refer to Actions. |
Accounts imported to YouTrack | Displays the number of users that have been imported to your YouTrack installation. |
On the General Settings tab, you find the general settings for the authentication module. This includes the redirect URI that you used to register YouTrack in the authorization service and the input fields that store the Client ID and Client Secret.
Setting | Description |
|---|---|
Set default | Designates the authentication module as the default for your installation. Only one authentication module can be set as the default at any time. If another module is currently set as the default, that state is cleared. This option is only shown when the current authentication module is not designated as the default. |
Clear default | Removes the authentication module as the default for your installation. If none of the available authentication modules are designated as the default, unauthenticated users are always directed to the YouTrack login page. This option is only shown when the current authentication module is designated as the default. |
Redirect URI | Displays the authorized redirect URI used to register the connection to YouTrack in the authorization service. |
Client ID | Stores the identifier that the authorization service uses to validate a login request. You generate this value in the authorization service when you configure the authorization settings for a web application and enter an authorized redirect URI. |
Client Secret | Stores the secret or password used to validate the client ID. You generate this value in the authorization service together with the client ID. |
Authorization URL | Stores the endpoint used to start the OAuth 2.0 authentication flow. YouTrack redirects the user to this URL to sign in with the connected identity provider. |
Token URL | Stores the endpoint that YouTrack uses to exchange an authorization code for an access token. |
JWKS URL | Stores an endpoint that returns the identity provider public keys (JWKS). YouTrack uses these keys to verify the signature of the identity token. |
Scopes | A space-separated list of scopes YouTrack requests from the identity provider. Scopes determine which claim groups the identity provider returns. |
Issuer | The expected issuer of the identity token. YouTrack uses this value to validate that the identity token was issued by the configured identity provider. |
Logout URL | The URL YouTrack opens on logout to invalidate the identity provider session. |
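When automatic discovery fails and these fields have to be entered by hand, the values can be taken from the provider's discovery document and checked before they are saved. The following is an added example, not code from YouTrack: the correspondence between discovery metadata keys and the module's field names, the treatment of the OIDC URL as the issuer URL, the default scope list, and the `idp.example.com` sample document are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample discovery document (idp.example.com is a placeholder).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com/oauth2/default",
    "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/default/v1/keys",
    "end_session_endpoint": "https://idp.example.com/oauth2/default/v1/logout",
    "scopes_supported": ["openid", "profile", "email", "groups", "offline_access"],
}

# Assumed correspondence between discovery metadata and the module's fields.
FIELD_MAP = {
    "Issuer": "issuer",
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "JWKS URL": "jwks_uri",
    "Logout URL": "end_session_endpoint",
}
OPTIONAL = {"Logout URL"}  # not every provider advertises a logout endpoint


def module_fields(oidc_url, doc, wanted_scopes=("openid", "profile", "email")):
    """Return (fields, problems) for manual entry in the auth module."""
    fields, problems = {}, []
    for label, key in FIELD_MAP.items():
        value = doc.get(key)
        if not value:
            if label not in OPTIONAL:
                problems.append(f"{label}: '{key}' missing from discovery document")
            continue
        if urlsplit(value).scheme != "https":
            problems.append(f"{label}: {value} is not an https URL")
        fields[label] = value
    # OIDC Discovery requires the issuer to be identical to the URL it was fetched for.
    if doc.get("issuer") != oidc_url:
        problems.append("Issuer: does not match the OIDC URL used for discovery")
    # scopes_supported is optional metadata; without it nothing can be checked.
    supported = set(doc.get("scopes_supported", wanted_scopes))
    missing = [s for s in wanted_scopes if s not in supported]
    if missing:
        problems.append("Scopes: not advertised by provider: " + " ".join(missing))
    fields["Scopes"] = " ".join(s for s in wanted_scopes if s in supported)
    return fields, problems
```

An empty `problems` list means the values are internally consistent; a mismatched issuer or a plain-http JWKS URL is worth resolving with the provider before the module is enabled.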
Attribute Mapping
The Attribute Mapping tab tells YouTrack which OpenID Connect claims should be used to identify a user and fill YouTrack user profile fields during sign-in.
Setting | Description |
|---|---|
User identifier claim | Maps to the field that stores the value to copy to the User ID property in YouTrack. |
User name claim | Maps to the field that stores the value to copy to the Username field in the YouTrack profile. |
Full name claim | Maps to the field that stores the value to copy to the Full name field in the YouTrack profile. |
Email claim | Maps to the field that stores the value to copy to the Email field in the YouTrack profile. |
Email verified flag claim | Maps to the field that stores the value to copy to the verified email property in YouTrack. |
Avatar URL claim | Maps to the field that stores the value to copy to the Avatar field in YouTrack. |
Group membership claim | Maps to the attribute that stores group membership assignments by the connected identity provider. These can then be mapped to YouTrack groups on the Group Mapping tab. |
Group Mapping
On the Group Mapping tab, you can map groups from the connected identity provider to groups in YouTrack.
When group mappings are configured, YouTrack checks for OpenID Connect group memberships when users log in with their OpenID Connect credentials. YouTrack performs the following operations for each OpenID Connect group that is mapped to a YouTrack group:
Users who are members of a mapped OpenID Connect group and are not members of the mapped YouTrack group are added to the group in YouTrack.
Users who are not members of a mapped OpenID Connect group and are members of the mapped YouTrack group are removed from the group in YouTrack.
Changes to OpenID Connect group memberships are only applied in YouTrack when users log in using their OpenID Connect credentials.
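The two rules above can be modelled to preview what a login will change before a mapping goes live. This is an added example, not YouTrack's implementation: the claim name `groups`, the group names, the sample user, and the choice that any one matching OIDC group is enough when several map to the same YouTrack group are assumptions.

```python
def normalize_groups(claims, group_claim):
    """Return the user's IdP groups as a set; the claim may be absent, a string or a list."""
    value = claims.get(group_claim)
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return {str(v) for v in value}


def plan_group_sync(claims, group_claim, mappings, current_groups):
    """Compute the YouTrack group changes for one login.

    mappings: {OIDC group name: YouTrack group name}
    current_groups: YouTrack groups the user belongs to before this login
    """
    idp_groups = normalize_groups(claims, group_claim)
    managed = set(mappings.values())  # only mapped YouTrack groups are touched
    # Assumption: if several OIDC groups map to one YouTrack group, any one is enough.
    entitled = {yt for oidc, yt in mappings.items() if oidc in idp_groups}
    current = set(current_groups)
    return {
        "add": sorted(entitled - current),
        "remove": sorted((managed - entitled) & current),
        "untouched": sorted(current - managed),
    }


# Constructed sample data: claim name, group names and mappings are illustrative.
MAPPINGS = {"yt-admins": "Administrators", "yt-devs": "Developers", "yt-support": "Support"}
CLAIMS = {"sub": "u-1001", "email": "dana@example.com", "groups": ["yt-devs", "hr"]}
CURRENT = ["Administrators", "Release Managers"]

if __name__ == "__main__":
    print(plan_group_sync(CLAIMS, "groups", MAPPINGS, CURRENT))
    # Applying the same rules to a token that carries no groups claim: the user
    # is treated as a member of no mapped OIDC group and loses mapped groups.
    print(plan_group_sync({"sub": "u-1001"}, "groups", MAPPINGS, CURRENT))
```

Under these rules, groups that are not the target of any mapping are never modified. Before relying on removals, confirm that the identity provider actually returns the group membership claim for the requested scopes.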
To map an OIDC group to a group in YouTrack:
1. Open your OpenID Connect auth module.
2. Select the Group Mapping tab.
3. Click the Add mapping button.
4. Enter the name of the OIDC group in the designated field and select the target group in YouTrack.
5. Click the Add button.
   The mapping is added to the list.
   Clicking the group name redirects you to the page
6. Repeat steps 3 through 5 until you have mapped all the desired groups.
SCIM Provisioning
The OpenID Connect authentication module synchronizes user data only during login. When a user signs in, YouTrack reads the user attributes and group memberships that are returned by the identity provider. Changes made in the identity provider are not synchronized automatically while the user is inactive. For example, updates to user attributes or group memberships are applied only after the user signs in again.
To keep user accounts and groups synchronized automatically, configure SCIM provisioning in addition to OpenID Connect authentication. YouTrack supports SCIM 2.0 for user and group synchronization.
Use the following information to connect an external identity provisioning tool:
The SCIM endpoint URL for your YouTrack installation. This endpoint is:
<youtrack-base-url>/hub/api/rest/scim2
To locate the base URL for your YouTrack site, check the Server Configuration tab in the Global Settings. For additional information, see Domain Settings.
For authentication, use a permanent token. To learn how to generate a permanent token for your YouTrack account, see Manage Permanent Tokens.
To check whether SCIM is available for your YouTrack installation, access the following URL:
Additional Settings
The settings on the Additional settings tab let you manage account creation and group membership and reduce the processing resources consumed by idle connections.
Setting | Description |
|---|---|
User creation | Enables creation of YouTrack accounts for unregistered users who log in with an account that is stored in the connected identity provider. YouTrack uses the email address to determine whether the user has an existing account. |
Auto-join groups | Adds users to a group when they log in with an account that is stored in the connected identity provider. You can select one or more groups. New users that auto-join a group inherit all the permissions assigned to this group. We recommend that you add users to at least one group. Otherwise, a new user is only granted the permissions that are currently assigned to the All Users group. |
Extension grant type | Saves the value used to identify the authentication module when used for extension grants. If a value is provided, YouTrack will process requests to exchange access tokens that are issued by the authentication service for tokens that grant access to YouTrack. To exchange access tokens successfully, the authentication module must be authorized in the third-party authentication service and enabled in YouTrack. To learn how to exchange access tokens using the YouTrack REST API, see Extension Grants. |
Connection timeout | Sets the period of time to wait to establish a connection to the identity provider. The default setting is 5000 milliseconds (5 seconds). |
Read timeout | Sets the period of time to wait to read and retrieve user profile data from the identity provider. The default setting is 5000 milliseconds (5 seconds). |
Actions
The following actions are available in the header:
Action | Description |
|---|---|
Enable module | Enables the authentication module. This option is only shown when the authentication module is currently disabled. |
Disable module | Disables the authentication module. This option is only shown when the authentication module is currently enabled. |
Test login | Lets you enter a username and password to test the connection with the authentication service. |
Rename | Lets you update the existing authentication module name and change its default icon. You can find this action in the More options (...) menu. |
Delete | Removes the authentication module from YouTrack. Use only when you have configured additional authentication modules that let users log into your YouTrack installation. You can find this action in the More options (...) menu. |
