explaingit

otso2200/oai-team-sso-oidc

Analysis updated 2026-05-18

15GoAudience · ops devopsComplexity · 4/5LicenseSetup · moderate

TLDR

A lightweight self hosted OpenID Connect provider that lets a company connect OpenAI Business Custom OIDC SSO to its own email domain login rules.

Mindmap

mindmap
  root((OIDC SSO))
    What it does
      OIDC provider
      For OpenAI SSO
      Checks email domain
    Tech stack
      Go
      Docker
      RSA keys
    Use cases
      Enterprise login
      Domain restriction
      Optional passcode
    Audience
      Ops teams
      Admins
    Setup
      Env vars
      Docker compose
      GHCR image

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Give employees a working Custom OIDC login for OpenAI Business without building an identity provider from scratch.

USE CASE 2

Restrict who can sign in to OpenAI Business by allowed email domain.

USE CASE 3

Add an optional passcode or Turnstile bot check in front of the login page.

USE CASE 4

Run the login service in Docker with an auto built container image.

What is it built with?

GoDockerOIDCJWTCloudflare Turnstile

How does it compare?

otso2200/oai-team-sso-oidcbunnymq/bunnymqikeilo/oci-lifecycle-platform
Stars151515
LanguageGoGoGo
Setup difficultymoderatehardmoderate
Complexity4/55/54/5
Audienceops devopsops devopsops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 1h+

Requires configuring OpenAI's Custom OIDC admin portal with a matching issuer, client ID and secret, and redirect URIs.

Apache License 2.0: free to use, modify, and distribute, including commercially, as long as you keep the copyright and license notices and note any changes made.

In plain English

OpenaiTemsSsoOidc is a small, self hosted OpenID Connect provider built to give a company a working Custom OIDC single sign on connection to OpenAI Business accounts. The idea is to use as few moving parts as possible to cover the basic enterprise login path: OpenAI sends a user to this service, the service checks that the person's email domain is allowed and, if turned on, asks for a login passcode, then it hands back an OIDC compatible authorization code, access token, ID token, and user profile information. The service exposes the standard OIDC endpoints: a discovery document at /.well-known/openid-configuration, a public key list at /.well-known/jwks.json, a login page at /oauth2/authorize, a token exchange endpoint at /oauth2/token, and a user info endpoint at /oauth2/userinfo. It can prefill the email field when OpenAI passes a login hint, email, or username, and it can lock the email prefix and domain so the user cannot change them in the browser, though the server still checks the domain again on its own side. An optional login passcode can be required, stored as plain text, bcrypt, sha256, or sha512, and an optional Cloudflare Turnstile check can be placed in front of the login form. To run it, you copy the example environment file to .env, then set required values such as the public issuer URL, OIDC client ID and secret, allowed redirect addresses, allowed email domains, and the path to the RSA signing key, which the service can generate itself if none exists. You can start it directly with go run, or build and run it as a Docker container, including a ready made docker compose file. A GitHub Actions workflow is included that builds and publishes a container image to GitHub Container Registry automatically on pushes to main or on version tags. The project is written in Go, has 15 stars, and is released under the Apache License 2.0. The README is aimed at someone setting up enterprise login for OpenAI Business, so it assumes some familiarity with running backend services and Docker.

Copy-paste prompts

Prompt 1
Help me set the required environment variables in .env for OpenaiTemsSsoOidc, including PUBLIC_ISSUER, OIDC_CLIENT_ID, and ALLOWED_EMAIL_DOMAINS.
Prompt 2
Walk me through configuring OpenAI's Custom OIDC admin portal to point at my OpenaiTemsSsoOidc issuer, discovery, and token endpoints.
Prompt 3
Show me how to enable a login passcode with a bcrypt hash for OpenaiTemsSsoOidc.
Prompt 4
Help me write a docker compose override to run OpenaiTemsSsoOidc with a custom image tag.

Frequently asked questions

What is oai-team-sso-oidc?

A lightweight self hosted OpenID Connect provider that lets a company connect OpenAI Business Custom OIDC SSO to its own email domain login rules.

What language is oai-team-sso-oidc written in?

Mainly Go. The stack also includes Go, Docker, OIDC.

What license does oai-team-sso-oidc use?

Apache License 2.0: free to use, modify, and distribute, including commercially, as long as you keep the copyright and license notices and note any changes made.

How hard is oai-team-sso-oidc to set up?

Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.

Who is oai-team-sso-oidc for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.