Analysis updated 2026-05-18
Give employees a working Custom OIDC login for OpenAI Business without building an identity provider from scratch.
Restrict who can sign in to OpenAI Business by allowed email domain.
Add an optional passcode or Turnstile bot check in front of the login page.
Run the login service in Docker with an auto built container image.
| otso2200/oai-team-sso-oidc | bunnymq/bunnymq | ikeilo/oci-lifecycle-platform | |
|---|---|---|---|
| Stars | 15 | 15 | 15 |
| Language | Go | Go | Go |
| Setup difficulty | moderate | hard | moderate |
| Complexity | 4/5 | 5/5 | 4/5 |
| Audience | ops devops | ops devops | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Requires configuring OpenAI's Custom OIDC admin portal with a matching issuer, client ID and secret, and redirect URIs.
OpenaiTemsSsoOidc is a small, self hosted OpenID Connect provider built to give a company a working Custom OIDC single sign on connection to OpenAI Business accounts. The idea is to use as few moving parts as possible to cover the basic enterprise login path: OpenAI sends a user to this service, the service checks that the person's email domain is allowed and, if turned on, asks for a login passcode, then it hands back an OIDC compatible authorization code, access token, ID token, and user profile information. The service exposes the standard OIDC endpoints: a discovery document at /.well-known/openid-configuration, a public key list at /.well-known/jwks.json, a login page at /oauth2/authorize, a token exchange endpoint at /oauth2/token, and a user info endpoint at /oauth2/userinfo. It can prefill the email field when OpenAI passes a login hint, email, or username, and it can lock the email prefix and domain so the user cannot change them in the browser, though the server still checks the domain again on its own side. An optional login passcode can be required, stored as plain text, bcrypt, sha256, or sha512, and an optional Cloudflare Turnstile check can be placed in front of the login form. To run it, you copy the example environment file to .env, then set required values such as the public issuer URL, OIDC client ID and secret, allowed redirect addresses, allowed email domains, and the path to the RSA signing key, which the service can generate itself if none exists. You can start it directly with go run, or build and run it as a Docker container, including a ready made docker compose file. A GitHub Actions workflow is included that builds and publishes a container image to GitHub Container Registry automatically on pushes to main or on version tags. The project is written in Go, has 15 stars, and is released under the Apache License 2.0. The README is aimed at someone setting up enterprise login for OpenAI Business, so it assumes some familiarity with running backend services and Docker.
A lightweight self hosted OpenID Connect provider that lets a company connect OpenAI Business Custom OIDC SSO to its own email domain login rules.
Mainly Go. The stack also includes Go, Docker, OIDC.
Apache License 2.0: free to use, modify, and distribute, including commercially, as long as you keep the copyright and license notices and note any changes made.
Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.