Enabling Authentication
This guide covers the step-by-step process to enable and configure authentication in Obot. Authentication must be set up with one of the external providers in order to function properly. The bootstrap user is not implemented to operate as a regular user.
Overview
By default, Obot runs without authentication in development mode. For production deployments, you'll need to:
- Set the authentication environment variable
- Log in using the bootstrap token
- Configure your authentication provider
- Configure admins/owners
- Restart the system
Step 1: Enable Authentication
Docker/Compose Deployment
Set the environment variable in your deployment:
OBOT_SERVER_ENABLE_AUTHENTICATION=true
Kubernetes Deployment
Add the environment variable to your Helm values:
config:
  OBOT_SERVER_ENABLE_AUTHENTICATION: "true"
Step 2: Login with Bootstrap Token
When Obot starts with authentication enabled for the first time, it generates a bootstrap token that's printed to the console logs.
Finding the Bootstrap Token
Docker/Compose:
# Check the container logs
docker logs <container-name>
Kubernetes:
# Check pod logs
kubectl logs <pod-name>
Using the Bootstrap Token
- Navigate to your Obot installation
- Use the bootstrap token to log in as an admin user
- You can now access the Admin interface to configure authentication
You can set a custom bootstrap token using the OBOT_BOOTSTRAP_TOKEN environment variable instead of using the auto-generated one.
Step 3: Configure Authentication Provider
Once logged in with the bootstrap token:
- Go to Admin → Auth Providers
- Click Add Provider
- Select your desired provider (GitHub, Google, Entra, Okta)
- Follow the provider-specific configuration steps
For detailed provider configuration, see the Auth Providers documentation.
Step 4: Set Admin/Owner Users and Restart
Log out of Obot and configure the following.
Set Admin/Owner Environment Variables
Docker/Compose:
# Set admin users (comma-separated email addresses)
OBOT_SERVER_AUTH_ADMIN_EMAILS=<admin1-email>,<admin2-email>
# Set owner users (comma-separated email addresses)
OBOT_SERVER_AUTH_OWNER_EMAILS=<owner-email>
Kubernetes:
config:
  OBOT_SERVER_AUTH_ADMIN_EMAILS: "<admin1-email>,<admin2-email>"
  OBOT_SERVER_AUTH_OWNER_EMAILS: "<owner-email>"
Restart Obot
After setting the environment variables, restart your Obot deployment:
Docker/Compose:
docker restart <container>
Kubernetes:
helm upgrade <release-name> <chart-name> -f values.yaml
Post-Setup
After restart:
- The bootstrap token will no longer be valid
- Users can now log in using the configured authentication provider
- Users with emails matching OBOT_SERVER_AUTH_ADMIN_EMAILS will automatically have admin access
- Users with emails matching OBOT_SERVER_AUTH_OWNER_EMAILS will automatically have owner access
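A pre-restart check for Step 4, as an added example that is not part of the Obot documentation or code: it reads a KEY=value env file and flags settings that would leave no email-assigned admin or owner once the bootstrap token stops working. The env-file layout, the strict email pattern and the 32-character token minimum are assumptions; OBOT_SERVER_FORCE_ENABLE_BOOTSTRAP is the override described under Troubleshooting.

```shell
# Added example (not Obot code). Env file layout and thresholds are assumptions.
# Print the last value assigned to KEY ($1) in FILE ($2), outer quotes stripped.
env_get() { sed -n "s/^$1=//p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'; }

# Succeed if every comma-separated entry in $1 looks like local@domain.tld.
# Strict on purpose: the guide does not say whether Obot trims whitespace.
emails_ok() {
    [ -n "$1" ] || return 0
    rest="$1,"
    while [ -n "$rest" ]; do
        addr=${rest%%,*}; rest=${rest#*,}
        case $addr in
            *' '*|*@*@*) return 1 ;;   # stray space or second @
            ?*@?*.?*)    ;;
            *)           return 1 ;;   # empty entry or no domain
        esac
    done
    return 0
}

# Print one line per finding; the exit status is the number of findings.
check_obot_auth_env() {
    file=$1; findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }
    [ "$(env_get OBOT_SERVER_ENABLE_AUTHENTICATION "$file")" = true ] ||
        flag "OBOT_SERVER_ENABLE_AUTHENTICATION is not 'true'"
    admins=$(env_get OBOT_SERVER_AUTH_ADMIN_EMAILS "$file")
    owners=$(env_get OBOT_SERVER_AUTH_OWNER_EMAILS "$file")
    # The bootstrap token stops working after the restart, so leaving both
    # lists empty means nobody is granted admin or owner access by email.
    [ -n "$admins$owners" ] || flag "no admin or owner emails set"
    emails_ok "$admins" || flag "malformed OBOT_SERVER_AUTH_ADMIN_EMAILS"
    emails_ok "$owners" || flag "malformed OBOT_SERVER_AUTH_OWNER_EMAILS"
    [ "$(env_get OBOT_SERVER_FORCE_ENABLE_BOOTSTRAP "$file")" != true ] ||
        flag "OBOT_SERVER_FORCE_ENABLE_BOOTSTRAP is still 'true'"
    token=$(env_get OBOT_BOOTSTRAP_TOKEN "$file")
    # 32 characters is an assumed minimum, not a documented Obot requirement.
    if [ -n "$token" ] && [ "${#token}" -lt 32 ]; then
        flag "custom OBOT_BOOTSTRAP_TOKEN is shorter than 32 characters"
    fi
    return "$findings"
}

# Constructed sample: space after the comma and bootstrap login still forced on.
sample=$(mktemp)
printf '%s\n' 'OBOT_SERVER_ENABLE_AUTHENTICATION=true' \
    'OBOT_SERVER_AUTH_ADMIN_EMAILS=alice@example.com, bob@example.com' \
    'OBOT_SERVER_FORCE_ENABLE_BOOTSTRAP=true' > "$sample"
check_obot_auth_env "$sample" || echo "$? finding(s)"; rm -f "$sample"
```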
Troubleshooting
Bootstrap Token Not Working
- Ensure OBOT_SERVER_ENABLE_AUTHENTICATION=true is set
- Check that you're using the correct token from the logs
- If an auth provider has already been configured, you need to set OBOT_SERVER_FORCE_ENABLE_BOOTSTRAP=true
Authentication Provider Issues
- Verify callback URLs match between Obot and your OAuth provider
- Check that client ID and secret are correct
- Ensure proper scopes and permissions are configured
Next Steps
- Review Auth Providers configuration for detailed provider setup
- Configure OAuth settings for additional customization
- Set up proper access control with email domain restrictions