Use an External OIDC Identity Provider

We support only the OpenID Connect (OIDC) Identity Providers that expose the OpenID configuration document (for example, Google, Okta, or Auth0).

To find out whether your OIDC Identity Provider does that, check whether the following URL exists (the same discovery document is referred to in step 2 below):

https://<your-issuer-url>/.well-known/openid-configuration

For GoodData Cloud users, note that not all OIDC providers are available by default; see Supported OIDC Identity Providers in GoodData Cloud below.

Set up an OAuth2 Client

Note that the exact procedure depends on the client you are using.


  1. Create an OAuth2 client with the following configuration:

    • Callback URL: https://<organization-hostname>/login/oauth2/code/<organization-hostname>
    • Grant types:
      • Implicit
      • Authorization code
      • Refresh token
    • Claims:
      • name
      • openid
      • profile
      • offline_access
  2. Ensure your OIDC Identity Provider advertises end_session_endpoint at the https://<your-issuer-url>/.well-known/openid-configuration endpoint.

    This is required to support the logout action in GoodData. If your OIDC Identity Provider supports CORS configuration, add the Organization's endpoint URL to that configuration.

  3. Once the OAuth2 client is created, copy and store the following parameters; you will need them in Update the OIDC Settings of the Organization below:

    • The client ID
    • The client secret
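Before storing the issuer URL and client credentials, it is worth checking the provider's discovery document for the two things this guide depends on: that it advertises end_session_endpoint (logout) and that the issuer it announces is exactly the string you will put into oauthIssuerLocation. The following Python script is an added example, not GoodData's or any provider's code; the hostname idp.example.test and the SAMPLE_DOC document are constructed, and the function names are my own.

```python
"""Sanity-check an OIDC discovery document before wiring it into GoodData.

Added example (not GoodData's own code). It fetches
<issuer>/.well-known/openid-configuration, or takes an already parsed
document, and reports: whether the URL exists, whether
end_session_endpoint is advertised (needed for the logout action), and
whether the issuer string in the document matches the value you intend
to store in oauthIssuerLocation, trailing slash included.
"""
import json
import urllib.request
from typing import List, Optional
from urllib.error import HTTPError, URLError

WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_url(issuer: str) -> str:
    # Build the URL without doubling the slash when the issuer already ends in one.
    return issuer.rstrip("/") + WELL_KNOWN


def fetch_discovery(issuer: str, timeout: float = 10.0) -> Optional[dict]:
    """Return the parsed discovery document, or None if the URL does not exist."""
    try:
        with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
            return json.load(resp)
    except (HTTPError, URLError):
        return None


def check_discovery(configured_issuer: str, doc: dict) -> List[str]:
    """Return a list of problems; an empty list means the provider is usable."""
    problems = []
    # OpenID Connect Discovery requires the "issuer" value in the document to
    # match the identifier used to locate it. GoodData stores that identifier in
    # oauthIssuerLocation, so the two must agree character for character.
    advertised = doc.get("issuer")
    if advertised is None:
        problems.append("document has no 'issuer' field")
    elif advertised != configured_issuer:
        hint = ""
        if advertised.rstrip("/") == configured_issuer.rstrip("/"):
            hint = " (differs only by the trailing slash; use the advertised form verbatim)"
        problems.append(f"issuer mismatch: document says {advertised!r}, "
                        f"you configured {configured_issuer!r}{hint}")
    # GoodData's logout action needs the provider's end_session_endpoint.
    if not doc.get("end_session_endpoint"):
        problems.append("no end_session_endpoint advertised; logout will not work")
    # The authorization code flow requested above needs these two endpoints.
    for key in ("authorization_endpoint", "token_endpoint"):
        if not doc.get(key):
            problems.append(f"missing {key}")
    return problems


# Constructed discovery document for a fictitious tenant (not a real provider).
SAMPLE_DOC = {
    "issuer": "https://idp.example.test/",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/oauth/token",
    "end_session_endpoint": "https://idp.example.test/v2/logout",
}

if __name__ == "__main__":
    import sys
    # With an issuer URL on the command line the document is fetched live;
    # without one, the constructed SAMPLE_DOC is checked offline.
    issuer = sys.argv[1] if len(sys.argv) > 1 else "https://idp.example.test/"
    doc = fetch_discovery(issuer) if len(sys.argv) > 1 else SAMPLE_DOC
    if doc is None:
        print(f"{discovery_url(issuer)} does not exist; provider is not supported")
    else:
        for line in check_discovery(issuer, doc) or ["OK"]:
            print(line)
```

Run it as `python check_oidc.py https://<your-issuer-url>/` against a real tenant; the issuer comparison is deliberately strict because the Auth0 trailing-slash limitation described later on this page is exactly the kind of mismatch it reports.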

Update the OIDC Settings of the Organization

Use the following template to create an API request for updating the OIDC settings of the Organization:

curl --request PUT \
  --header "Authorization: Bearer $API_TOKEN" \
  --header 'Content-Type: application/vnd.gooddata.api+json' \
  --data '{
  "data": {
    "id": "alpha",
    "type": "organization",
    "attributes": {
      "name": "Alpha Corp.",
      "hostname": "",
      "oauthIssuerLocation": "https://<your-issuer-url>",
      "oauthClientId": "<your-client-id>",
      "oauthClientSecret": "<your-client-secret>"
    }
  }
}' $HOST_URL/api/v1/entities/admin/organizations/alpha

Example: A sample API request for setting up authentication with the Auth0 Identity Provider

curl --request PUT \
  --header "Authorization: Bearer $API_TOKEN" \
  --header 'Content-Type: application/vnd.gooddata.api+json' \
  --data '{
  "data": {
    "id": "alpha",
    "type": "organization",
    "attributes": {
      "name": "Alpha Corp.",
      "hostname": "",
      "oauthIssuerLocation": "",
      "oauthClientId": "abcdefghijklmnopqrstuvwxyz0123",
      "oauthClientSecret": "abcdefghijklmno-ABCDEFGHIJKLMNOPQRS-abcdefghi_ABCDEFG"
    }
  }
}' $HOST_URL/api/v1/entities/admin/organizations/alpha

Once you have updated the OIDC settings, map the users stored in the Identity Provider to your Organization.

Supported OIDC Identity Providers in GoodData Cloud

By default GoodData Cloud supports the following OIDC providers:

If you want to use a different provider, it must be specifically whitelisted first. To request a whitelisting of another OIDC provider, please contact GoodData support.

By default GoodData Cloud uses the Auth0 OIDC identity provider.


You can invite new users to your organization, as long as your organization has the ManagedOIDC entitlement. The following things happen when you invite someone:

  • User is created in the default Auth0 identity provider. Note that if your organization has the ManagedOIDC entitlement, you are necessarily using Auth0.
  • The user is assigned to the organization.
  • The user is assigned Organization.MANAGE permission.

To invite a new user to your organization, use either the UI or the API.

In the UI, click the Invite button, fill in the email of the person you wish to invite, and click Invite to confirm the invitation.

An invitation will be sent to the email address you have put in.

Via the API, call the endpoint /api/v1/actions/invite with the person's email in the payload:

curl $HOST_URL/api/v1/actions/invite \
      -H "Content-Type: application/json" \
      -H "Accept: application/json" \
      -H "Authorization: Bearer $API_TOKEN" \
      -X POST \
      -d '{
        "data": {
          "email": ""
        }
      }'

An invitation will be sent to the email address you have put in.

Note that if your organization does not have the ManagedOIDC entitlement, both the UI button and API will be unavailable.

Known limitations

If you are using one of the following OIDC identity providers, make note of their limitations when used together with GoodData.


Auth0

The Auth0 issuer has a trailing slash in its configuration. When configuring the external OIDC provider for your organization, make sure that the oauthIssuerLocation value ends with a trailing slash (for example, https://<your-issuer-url>/). Otherwise, the authentication will not work.

Known issues with Auth0 IdP:

  • Logout doesn’t work


Google

Known issues with Google IdP:

  • Logout doesn’t work

Amazon Cognito

Amazon Cognito alters the state parameter that GoodData sends during the OAuth2 flow. The redirect URL returned by Cognito is therefore invalid, so Amazon Cognito cannot be used as an Identity Provider for GoodData.

Azure Active Directory

GoodData is not currently part of the Active Directory Marketplace, so you will need to register it manually. To register GoodData with Azure Active Directory, we recommend you follow this guide.


Here are some common issues you may run into when using an OIDC Identity Provider, and how to address them.

Issues With Silent Login

If you block third-party cookies in your browser and the domain of GoodData differs from the domain of your application, a silent login will most probably not work. You can fix that by putting GoodData on the same domain as your application (GoodData should be on a subdomain, for example, analytics.<your-domain>.com).

Similarly, if your application runs in a different domain than the Identity Server, a silent login can also fail. You can fix that by using an Okta custom URL domain or an Auth0 custom URL domain.


If you are using SalesForce as your OIDC provider, ensure that you have checked the Include Standard Claims option. Without this option, the provider will not provide the name claim in the ID token and the authentication will fail.


Content Is Blocked

When your user session times out, a session timeout overlay is displayed. When you click the Log in button some GoodData.CN users may get the following error message:

This content is blocked. Contact the site owner to fix the issue.

There is no easy fix available to Auth0 users at the moment. For Auth0, we have temporarily extended the inactivity timeout to 3 days and the required re-login to 7 days to minimize the chances of this issue occurring.

If you are using a different OIDC, such as Okta or Cloud IAM, you can fix this issue by creating CSP directives to allow the blocked content from your OIDC identity provider. Ensure you have the following CSP directives configured:

curl -X POST -H "Authorization: Bearer <token>" \
    -H "Content-type: application/vnd.gooddata.api+json" $HOST_URL/api/v1/entities/cspDirectives \
    -d @data.json

where data.json contains the CSP directive allowing frame-src content from your OIDC identity provider:

{
    "data": {
        "id": "frame-src",
        "type": "cspDirective",
        "attributes": {
            "sources": [
                "<oidc-provider-hostname>"
            ]
        }
    }
}

Replace the <oidc-provider-hostname> with an appropriate URL. For example:

  • * for Okta
  • for Google
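A frame-src source that is too broad (a bare * or a scheme-only https:) lets any site embed the login frame, so it is worth generating data.json from a checked list rather than by hand. The following Python script is an added example, not GoodData's own code; it emits the same cspDirective payload shape as above, and the accepted source forms (https origins, optionally with a leading wildcard label, plus the CSP keyword 'self') are my own tightening, not a rule GoodData enforces. The host idp.example.test is constructed.

```python
"""Build the cspDirective payload for frame-src and reject over-broad sources.

Added example (not GoodData's own code). It produces the request body for
POST $HOST_URL/api/v1/entities/cspDirectives in the shape shown in
data.json above, and refuses source expressions that would allow every
origin to frame the login content.
"""
import json
import re
from typing import Iterable, List

# An https origin such as https://idp.example.test or https://*.example.test,
# with an optional port. This pattern is my own restriction of CSP source
# syntax: bare "*", "https:" alone and http:// origins are deliberately excluded.
_ORIGIN = re.compile(r"^https://(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}(:\d{1,5})?$",
                     re.IGNORECASE)
_KEYWORDS = {"'self'"}  # standard CSP keyword, kept verbatim


def validate_source(source: str) -> str:
    """Return the normalised source or raise ValueError for an unsafe one."""
    s = source.strip()
    if s in _KEYWORDS:
        return s
    s = s.rstrip("/")  # CSP sources are origins, not URLs with a path
    if s in ("*", "https:", "http:"):
        raise ValueError(f"{source!r} allows every origin to frame the page")
    if s.lower().startswith("http://"):
        raise ValueError(f"{source!r} is not https")
    if not _ORIGIN.match(s):
        raise ValueError(f"{source!r} is not an https origin")
    return s


def build_frame_src_directive(sources: Iterable[str]) -> dict:
    """Return the JSON body for the cspDirectives endpoint."""
    clean: List[str] = []
    for src in sources:
        v = validate_source(src)
        if v not in clean:  # de-duplicate while keeping order
            clean.append(v)
    if not clean:
        raise ValueError("at least one source is required")
    return {
        "data": {
            "id": "frame-src",
            "type": "cspDirective",
            "attributes": {"sources": clean},
        }
    }


def to_json(sources: Iterable[str]) -> str:
    return json.dumps(build_frame_src_directive(sources), indent=4)


if __name__ == "__main__":
    import sys
    # Usage: python csp_frame_src.py https://<oidc-provider-hostname> > data.json
    print(to_json(sys.argv[1:] or ["https://idp.example.test"]))
```

Pipe the output into data.json and submit it with the curl command above; if you need several providers (for example, a second one for testing), pass them all as arguments and they end up in one sources array.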