From 2e7172b28b4274f8197181eb93f8d665210c4ce9 Mon Sep 17 00:00:00 2001
From: CL-Andrew <96407253+CL-Andrew@users.noreply.github.com>
Date: Mon, 30 Jun 2025 16:23:29 -0700
Subject: [PATCH 1/2] Add WebServer section for corenode OIDC configuration
---
 .../chainlink-nodes/v1/node-config.mdx | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)
diff --git a/src/content/chainlink-nodes/v1/node-config.mdx b/src/content/chainlink-nodes/v1/node-config.mdx
index 7bf28d12d5c..8ae3ed774db 100644
--- a/src/content/chainlink-nodes/v1/node-config.mdx
+++ b/src/content/chainlink-nodes/v1/node-config.mdx
@@ -905,6 +905,76 @@ UnauthenticatedPeriod = '20s' # Default
 UnauthenticatedPeriod defines the period to which unauthenticated requests get limited.
+## WebServer.OIDC
+
+```toml
+[WebServer.OIDC]
+ClientID = "abc123" # Example
+ProviderURL = "https://id.example.com/oauth2/default" # Example
+RedirectURL = "https://your-node.example.com/signin" # Default
+ClaimName = 'groups' # Default
+AdminClaim = 'NodeAdmins' # Default
+EditClaim = 'NodeEditors' # Default
+RunClaim = 'NodeRunners' # Default
+ReadClaim = 'NodeReadOnly' # Default
+SessionTimeout = '15m0s' # Default
+UserApiTokenEnabled = false # Default
+UserAPITokenDuration = '240h0m0s' # Default
+```
+
+Optional OIDC configuration (when `WebServer.AuthenticationMethod` is set to `oidc`) enables SSO via OpenID Connect. Register a new OIDC application with your identity provider to get a Client ID and Secret for the TOML fields. When OIDC is enabled, the chainlink node will redirect users to the provider and use the returned ID token for authentication and role assignment. The Client Secret should be populated in the your `secrets.toml` as follows:
+
+```toml
+[WebServer.OIDC]
+clientSecret = "secret" # Example
+```
+
+### ClientID
+
+`ClientID` is the identifier issued by your OIDC provider when registering the Chainlink node application. It represents the expected audience of the ID token. **Required**.
+
+### ProviderURL
+
+`ProviderURL` is the base issuer or discovery URL for your OIDC provider (e.g., the `.well-known/openid-configuration` endpoint). **Required**.
+
+### RedirectURL
+
+`RedirectURL` is the callback URL on the Chainlink node (this should be path: `/signin`) to which the IdP redirects after login. This must match the allowed redirect URIs configured in your IdP. **Required**.
+
+### ClaimName
+
+`ClaimName` specifies the JWT claim containing group or role information (default: `groups`). Change if your provider uses a different claim name.
+
+### AdminClaim
+
+`AdminClaim` is the claim value (within `ClaimName`) that maps to the Chainlink **Admin** role (default: `NodeAdmins`).
+
+### EditClaim
+
+`EditClaim` is the claim value that maps to the **Edit** role (default: `NodeEditors`).
+
+### RunClaim
+
+`RunClaim` is the claim value that maps to the **Run** role (default: `NodeRunners`).
+
+### ReadClaim
+
+`ReadClaim` is the claim value that maps to the **Read-Only** role (default: `NodeReadOnly`).
+
+### SessionTimeout
+
+`SessionTimeout` defines how long an OIDC session can remain idle before timing out (default: `15m0s`).
+
+### UserApiTokenEnabled
+
+`UserApiTokenEnabled` enables OIDC users to generate API tokens with the same permissions as their role (default: `false`).
+
+### UserAPITokenDuration
+
+`UserAPITokenDuration` sets the lifespan of API tokens issued by OIDC users (default: `240h0m0s`).
+
+> **Note:** Configure the OIDC client’s secret (`WebServer.OIDC.ClientSecret`) via the node’s secret management (e.g., environment variable `CL_WEB_SERVER_OIDC_CLIENT_SECRET`). Keep the client secret secure and do not expose it in plaintext configuration.
+
 ## WebServer.MFA
 ```toml
From 4123dfe36ae9d9f918d3603f5edff7bc06232cce Mon Sep 17 00:00:00 2001
From: Karim <98668332+khadni@users.noreply.github.com>
Date: Wed, 28 Jan 2026 16:28:15 -0500
Subject: [PATCH 2/2] llm txt gen
---
 src/content/chainlink-nodes/llms-full.txt | 70 +++++++++++++++++++++++
 1 file changed, 70 insertions(+)
diff --git a/src/content/chainlink-nodes/llms-full.txt b/src/content/chainlink-nodes/llms-full.txt
index 471148769cd..680f39054bc 100644
--- a/src/content/chainlink-nodes/llms-full.txt
+++ b/src/content/chainlink-nodes/llms-full.txt
@@ -5185,6 +5185,76 @@ UnauthenticatedPeriod = '20s' # Default
 UnauthenticatedPeriod defines the period to which unauthenticated requests get limited.
+## WebServer.OIDC
+
+```toml
+[WebServer.OIDC]
+ClientID = "abc123" # Example
+ProviderURL = "https://id.example.com/oauth2/default" # Example
+RedirectURL = "https://your-node.example.com/signin" # Default
+ClaimName = 'groups' # Default
+AdminClaim = 'NodeAdmins' # Default
+EditClaim = 'NodeEditors' # Default
+RunClaim = 'NodeRunners' # Default
+ReadClaim = 'NodeReadOnly' # Default
+SessionTimeout = '15m0s' # Default
+UserApiTokenEnabled = false # Default
+UserAPITokenDuration = '240h0m0s' # Default
+```
+
+Optional OIDC configuration (when `WebServer.AuthenticationMethod` is set to `oidc`) enables SSO via OpenID Connect. Register a new OIDC application with your identity provider to get a Client ID and Secret for the TOML fields. When OIDC is enabled, the chainlink node will redirect users to the provider and use the returned ID token for authentication and role assignment. The Client Secret should be populated in the your `secrets.toml` as follows:
+
+```toml
+[WebServer.OIDC]
+clientSecret = "secret" # Example
+```
+
+### ClientID
+
+`ClientID` is the identifier issued by your OIDC provider when registering the Chainlink node application. It represents the expected audience of the ID token. **Required**.
+
+### ProviderURL
+
+`ProviderURL` is the base issuer or discovery URL for your OIDC provider (e.g., the `.well-known/openid-configuration` endpoint). **Required**.
+
+### RedirectURL
+
+`RedirectURL` is the callback URL on the Chainlink node (this should be path: `/signin`) to which the IdP redirects after login. This must match the allowed redirect URIs configured in your IdP. **Required**.
+
+### ClaimName
+
+`ClaimName` specifies the JWT claim containing group or role information (default: `groups`). Change if your provider uses a different claim name.
+
+### AdminClaim
+
+`AdminClaim` is the claim value (within `ClaimName`) that maps to the Chainlink **Admin** role (default: `NodeAdmins`).
+
+### EditClaim
+
+`EditClaim` is the claim value that maps to the **Edit** role (default: `NodeEditors`).
+
+### RunClaim
+
+`RunClaim` is the claim value that maps to the **Run** role (default: `NodeRunners`).
+
+### ReadClaim
+
+`ReadClaim` is the claim value that maps to the **Read-Only** role (default: `NodeReadOnly`).
+
+### SessionTimeout
+
+`SessionTimeout` defines how long an OIDC session can remain idle before timing out (default: `15m0s`).
+
+### UserApiTokenEnabled
+
+`UserApiTokenEnabled` enables OIDC users to generate API tokens with the same permissions as their role (default: `false`).
+
+### UserAPITokenDuration
+
+`UserAPITokenDuration` sets the lifespan of API tokens issued by OIDC users (default: `240h0m0s`).
+
+> **Note:** Configure the OIDC client’s secret (`WebServer.OIDC.ClientSecret`) via the node’s secret management (e.g., environment variable `CL_WEB_SERVER_OIDC_CLIENT_SECRET`). Keep the client secret secure and do not expose it in plaintext configuration.
+
 ## WebServer.MFA
 ```toml