Authentication

Tindra supports password login and OAuth/OIDC single sign-on.

Password login

Enabled by default. Users sign in with email and password. Password login is automatically disabled when any OAuth provider is configured.

OAuth providers

Configure SSO by setting the appropriate environment variables. Tindra supports these providers natively:

  • GitHub
  • Google
  • Microsoft (Azure AD / Entra)
  • Auth0
  • Zitadel
  • Any generic OIDC provider

GitHub

GITHUB_CLIENT_ID=your-client-id
GITHUB_CLIENT_SECRET=your-client-secret

Create an OAuth app at github.com/settings/developers. Set the callback URL to https://your-hostname/auth/github/callback.

Google

GOOGLE_CLIENT_ID=your-client-id
GOOGLE_CLIENT_SECRET=your-client-secret

Create credentials at console.cloud.google.com. Set the authorized redirect URI to https://your-hostname/auth/google/callback.

Microsoft

MICROSOFT_CLIENT_ID=your-client-id
MICROSOFT_CLIENT_SECRET=your-client-secret
MICROSOFT_TENANT=your-tenant-id

Register an app in the Azure portal. Set the redirect URI to https://your-hostname/auth/microsoft/callback.

Auth0

AUTH0_DOMAIN=your-tenant.auth0.com
AUTH0_CLIENT_ID=your-client-id
AUTH0_CLIENT_SECRET=your-client-secret

Zitadel

ZITADEL_ISSUER_URL=https://your-instance.zitadel.cloud
ZITADEL_CLIENT_ID=your-client-id
ZITADEL_CLIENT_SECRET=your-client-secret

Generic OIDC

For any other OIDC-compliant provider:

OIDC_ISSUER_URL=https://your-provider.example.com
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret
OIDC_PROVIDER_NAME=my-provider

The issuer URL must expose a discovery document at /.well-known/openid-configuration. OIDC_PROVIDER_NAME is optional and controls the label shown on the login button.

New user provisioning

When a user signs in via OAuth for the first time, Tindra automatically creates an account for them. No invitation is required, and no password is set on OAuth-created accounts.

First user gets all permissions

Whoever registers or signs in first gets all permissions automatically: manage projects, manage users, manage alerts, manage issues. There is no hardcoded admin account. Sign up, and you are the admin.

Disabling password login

When any OAuth provider is configured, password login is disabled automatically. The login page shows only the configured OAuth buttons.

Multiple providers

You can configure more than one OAuth provider at the same time. All configured providers appear as buttons on the login page.
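
A pre-deployment check for the variables listed above, as an added example (not part of Tindra): it reports which providers are complete, whether password login should still be expected, and flags partial sets, leftover documentation placeholders and non-HTTPS issuer URLs. The `audit` function, the placeholder heuristic and the rule that only a complete variable set counts as "configured" are assumptions of this example.

```python
import os
from urllib.parse import urlsplit

# Variable names per provider, copied from this page (OIDC_PROVIDER_NAME is optional).
PROVIDERS = {
    "github": ["GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET"],
    "google": ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"],
    "microsoft": ["MICROSOFT_CLIENT_ID", "MICROSOFT_CLIENT_SECRET", "MICROSOFT_TENANT"],
    "auth0": ["AUTH0_DOMAIN", "AUTH0_CLIENT_ID", "AUTH0_CLIENT_SECRET"],
    "zitadel": ["ZITADEL_ISSUER_URL", "ZITADEL_CLIENT_ID", "ZITADEL_CLIENT_SECRET"],
    "oidc": ["OIDC_ISSUER_URL", "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET"],
}

def audit(env):
    """Return (complete_providers, findings, password_login_expected)."""
    complete, findings = [], []
    for name, required in PROVIDERS.items():
        values = {var: env.get(var, "").strip() for var in required}
        missing = [var for var, value in values.items() if not value]
        if len(missing) == len(required):
            continue  # provider not in use
        if missing:
            findings.append(f"{name}: partially configured, missing {', '.join(missing)}")
            continue
        for var, value in values.items():
            if value.startswith(("your-", "https://your-")):
                findings.append(f"{name}: {var} still holds the placeholder from the docs")
            if var.endswith("_ISSUER_URL"):
                url = urlsplit(value)
                if url.scheme != "https" or not url.netloc:
                    findings.append(f"{name}: {var} is not an absolute https:// URL")
        complete.append(name)
    # Assumption: only a complete variable set counts as "configured".
    return complete, findings, not complete

# Constructed sample: GitHub is complete, generic OIDC is missing its client secret.
SAMPLE_ENV = {
    "GITHUB_CLIENT_ID": "constructed-client-id",
    "GITHUB_CLIENT_SECRET": "constructed-secret-value",
    "OIDC_ISSUER_URL": "https://idp.example.com",
    "OIDC_CLIENT_ID": "tindra",
}

if __name__ == "__main__":
    providers, findings, password_login = audit(os.environ)
    print("login buttons expected for:", ", ".join(providers) or "none")
    print("password login expected:", "enabled" if password_login else "disabled")
    for finding in findings:
        print("FINDING:", finding)
```

Run it in the same environment the Tindra process will start in, so it sees the variables the server will see.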