
Overview

OAuth2 provides flexible sign-in for identity providers that don’t support OpenID Connect (OIDC). OAuth2 itself is an authorization framework rather than an authentication protocol: sign-in works by exchanging the authorization code for an access token and then fetching the user’s profile from the provider’s user info endpoint. While OIDC is recommended when available, OAuth2 allows you to integrate with providers that only offer OAuth2 endpoints.

When to use OAuth2

Use OAuth2 instead of OIDC when:
  • Your identity provider doesn’t support OIDC
  • You need custom user attribute mapping
  • You’re integrating with legacy authentication systems
  • Your provider requires non-standard OAuth2 flows
If your provider supports OIDC, use the OIDC configuration instead. OIDC provides standardized user information and better security.

Configuration via admin UI

1. Navigate to SSO providers

Go to Admin → SSO Providers in your dashboard.

2. Add OAuth2 provider

Click “Add Provider” and select “OAuth2” as the provider type.

3. Enter basic information

Provider name: GitHub
Provider ID: github
Enabled: Yes

The Provider ID becomes the last path segment of the redirect URI (https://your-domain.com/auth/callback/github), so choose it before registering the callback with the provider.

4. Configure OAuth2 settings

Authorization URL: https://github.com/login/oauth/authorize
Token URL: https://github.com/login/oauth/access_token
User info URL: https://api.github.com/user
Client ID: your-client-id
Client secret: your-client-secret
Scopes: user:email

5. Configure attribute mapping

Map OAuth2 response fields to user attributes (see Attribute mapping below).

6. Save and test

Save the configuration and test the login flow end to end, confirming that the email attribute is populated for the test user.

Required configuration fields

| Field             | Description                    | Required | Example                              |
|-------------------|--------------------------------|----------|--------------------------------------|
| Authorization URL | OAuth2 authorization endpoint  | Yes      | https://provider.com/oauth/authorize |
| Token URL         | OAuth2 token exchange endpoint | Yes      | https://provider.com/oauth/token     |
| User info URL     | Endpoint to fetch user profile | Yes      | https://provider.com/api/user        |
| Client ID         | OAuth2 client identifier       | Yes      | abc123xyz                            |
| Client secret     | OAuth2 client secret           | Yes      | secret_abc123                        |
| Scopes            | Space-separated OAuth2 scopes  | No       | user:email profile                   |

Provider-specific guides

GitHub

1. Create OAuth App

  1. Go to GitHub Settings
  2. Click “OAuth Apps” → “New OAuth App”
  3. Fill in application details

2. Configure callback URL

Authorization callback URL: https://your-domain.com/auth/callback/github

3. Get credentials

Copy the Client ID and generate a Client secret.

4. Configure in admin UI

Authorization URL: https://github.com/login/oauth/authorize
Token URL: https://github.com/login/oauth/access_token
User info URL: https://api.github.com/user
Client ID: [your-client-id]
Client secret: [your-client-secret]
Scopes: user:email

5. Configure attribute mapping

{
  "email": "email",
  "name": "name",
  "avatar": "avatar_url",
  "username": "login"
}

GitHub requires the user:email scope to read the user’s email addresses. Without this scope, email will not be available. Even with the scope, the email field of https://api.github.com/user is null when the user keeps their email private; the primary verified address is then only available from https://api.github.com/user/emails, so a mapping of "email" to "email" alone can leave the attribute empty. GitHub’s token endpoint also returns a form-encoded body unless the request sends an Accept: application/json header.
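As an added example (my own Python, not the product’s code), this is the selection logic a fallback to /user/emails needs when /user returns a null email. Whether the application makes that second call is not stated on this page. The response list is constructed to look like a GitHub /user/emails payload; only verified addresses are accepted, because anyone can attach an unverified address to their own GitHub account.

```python
from typing import Optional

# Constructed sample shaped like a GitHub GET /user/emails response (not real data).
GITHUB_EMAILS = [
    {"email": "old@example.net", "primary": False, "verified": False, "visibility": None},
    {"email": "me@example.org", "primary": True, "verified": True, "visibility": "private"},
    {"email": "alt@example.org", "primary": False, "verified": True, "visibility": None},
]


def primary_verified_email(emails: list) -> Optional[str]:
    """Return the primary verified address, else any verified address, else None.

    Only verified addresses are acceptable for account linking: an attacker can add an
    arbitrary unverified address to their own GitHub account, so trusting one would let
    them sign in as whichever existing user owns that address.
    """
    verified = [entry for entry in emails if entry.get("verified") is True]
    for entry in verified:
        if entry.get("primary") is True:
            return entry["email"]
    return verified[0]["email"] if verified else None


def github_email(user: dict, emails: list) -> Optional[str]:
    """Prefer the public email on /user; fall back to /user/emails when it is null."""
    return user.get("email") or primary_verified_email(emails)
```

If the function returns None the login should fail with the "Missing email address" diagnosis in the troubleshooting section rather than provision a user with an empty email.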

GitLab

1. Create OAuth application

  1. Go to GitLab → User Settings → Applications
  2. Click “Add new application”
  3. Enter application details

2. Configure scopes and redirect URI

Redirect URI: https://your-domain.com/auth/callback/gitlab
Scopes: read_user, email

3. Save and get credentials

Copy the Application ID and Secret.

4. Configure in admin UI

Authorization URL: https://gitlab.com/oauth/authorize
Token URL: https://gitlab.com/oauth/token
User info URL: https://gitlab.com/api/v4/user
Client ID: [application-id]
Client secret: [secret]
Scopes: read_user email

5. Configure attribute mapping

{
  "email": "email",
  "name": "name",
  "avatar": "avatar_url",
  "username": "username"
}

Slack

1. Create Slack app

  1. Go to Slack API
  2. Click “Create New App”
  3. Choose “From scratch”
  4. Enter app name and workspace

2. Configure OAuth & Permissions

  1. Go to “OAuth & Permissions”
  2. Add redirect URL:
https://your-domain.com/auth/callback/slack

3. Add OAuth scopes

Under “User Token Scopes”, add:
users:read
users:read.email

4. Get credentials

Go to “Basic Information” and copy:
  • Client ID
  • Client Secret

5. Configure in admin UI

Authorization URL: https://slack.com/oauth/v2/authorize
Token URL: https://slack.com/api/oauth.v2.access
User info URL: https://slack.com/api/users.identity
Client ID: [client-id]
Client secret: [client-secret]
Scopes: users:read users:read.email

6. Configure attribute mapping

{
  "email": "user.email",
  "name": "user.name",
  "avatar": "user.image_192"
}

Slack documents the users.identity method as requiring the identity.basic user scope (plus identity.email for the email field and identity.avatar for the image fields) rather than users:read; if the user info request fails with missing_scope, request those identity scopes instead. Slack’s v2 authorize endpoint also expects user-token scopes in a user_scope parameter rather than scope, and returns the user token under authed_user.access_token in the token response, so review the raw token response if the code exchange succeeds but the user info request is rejected.

Discord

1. Create Discord application

  1. Go to Discord Developer Portal
  2. Click “New Application”
  3. Enter application name

2. Configure OAuth2

  1. Go to OAuth2 settings
  2. Add redirect:
https://your-domain.com/auth/callback/discord

3. Get credentials

Copy the Client ID and Client Secret from the OAuth2 page.

4. Configure in admin UI

Authorization URL: https://discord.com/api/oauth2/authorize
Token URL: https://discord.com/api/oauth2/token
User info URL: https://discord.com/api/users/@me
Client ID: [client-id]
Client secret: [client-secret]
Scopes: identify email

5. Configure attribute mapping

{
  "email": "email",
  "name": "username",
  "avatar": "avatar",
  "discriminator": "discriminator"
}

Two caveats on the Discord response: the avatar field is an image hash rather than a URL (the image is served from https://cdn.discordapp.com/avatars/[user-id]/[avatar].png, and the field is null when the user has no custom avatar), and discriminator is "0" for accounts migrated to unique usernames, so it must not be used to tell users apart; the id field is the stable identifier.

Attribute mapping

OAuth2 providers return user information in different formats. Configure attribute mapping to extract user data from the provider’s response.

Common mapping patterns

| Provider field         | Application field | Description                |
|------------------------|-------------------|----------------------------|
| email                  | Email             | User’s email address       |
| name                   | Full name         | User’s display name        |
| given_name             | First name        | User’s first name          |
| family_name            | Last name         | User’s last name           |
| picture or avatar_url  | Avatar URL        | User’s profile picture     |
| login or username      | Username          | User’s username            |

Nested attributes

For nested JSON responses, use dot notation:
{
  "email": "user.email",
  "name": "user.profile.name",
  "avatar": "user.profile.image.url"
}

Array attributes

For array values, specify the index:
{
  "email": "emails[0].value"
}
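As an added example (my own Python, not the product’s resolver), the following implements the dot-notation and index lookups described above and applies a mapping the way the attribute-mapping step would, refusing to create a user when a required attribute such as email resolves to nothing. The sample responses are constructed to mirror the GitHub and Slack shapes shown on this page; the function names are mine.

```python
import re
from typing import Any

# Constructed sample responses (not real provider output), shaped like the
# GitHub /user, Slack users.identity and an "emails"-array response.
GITHUB_USER = {"login": "example-user", "name": "Example User",
               "email": None, "avatar_url": "https://avatars.example/1.png"}
SLACK_IDENTITY = {"ok": True,
                  "user": {"name": "Example User", "email": "user@example.com",
                           "image_192": "https://img.example/192.png"},
                  "team": {"id": "T000"}}
EMAILS_RESPONSE = {"emails": [{"value": "user@example.com", "type": "work"}]}

# One segment of a mapping path: a bare key ("user", "image_192") or an index ("[0]").
_SEGMENT = re.compile(r"([^.\[\]]+)|\[(\d+)\]")


def resolve_path(data: Any, path: str) -> Any:
    """Walk `path` ("a.b[0].c") through nested dicts/lists; None if any step is missing."""
    current = data
    for key, index in _SEGMENT.findall(path):
        if key:
            if not isinstance(current, dict) or key not in current:
                return None
            current = current[key]
        else:
            position = int(index)
            if not isinstance(current, list) or position >= len(current):
                return None
            current = current[position]
    return current


def map_user(mapping: dict, response: dict, required=("email",)) -> dict:
    """Apply an attribute mapping; refuse to provision a user whose required attributes are empty."""
    user = {attr: resolve_path(response, path) for attr, path in mapping.items()}
    missing = [attr for attr in required if user.get(attr) in (None, "")]
    if missing:
        # Surface the provider's top-level keys so the mapping can be corrected
        # (this is what reviewing the user info response in the audit logs is for).
        raise ValueError(f"missing {missing}; provider response keys: {sorted(response)}")
    return user
```

Running map_user over GITHUB_USER with the GitHub mapping from this page raises, because the constructed response has a null email, which is exactly the "Missing email address" case in the troubleshooting section.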

OAuth2 scopes

Scopes determine what user information your application can access. Common scopes include:
| Scope      | Description                           | Providers      |
|------------|---------------------------------------|----------------|
| email      | Access to user’s email address        | Most providers |
| profile    | Access to basic profile information   | Most providers |
| user:email | Access to email (GitHub-specific)     | GitHub         |
| read_user  | Read user information                 | GitLab         |
| identify   | Basic user information                | Discord        |
| users:read | Read user data                        | Slack          |
Only request the scopes you need. Requesting excessive permissions may cause users to deny authorization.

Redirect URI format

The redirect URI (callback URL) follows this pattern:
https://[your-domain]/auth/callback/[provider-id]
Examples:
  • https://app.example.com/auth/callback/github
  • https://app.example.com/auth/callback/gitlab
  • https://app.example.com/auth/callback/slack

Token handling

Access tokens

OAuth2 access tokens are used to authenticate API requests to the provider. The application:
  • Exchanges the authorization code for an access token
  • Uses the access token to fetch user information
  • Stores the token for future API calls (optional)

Refresh tokens

Some providers issue refresh tokens for long-lived access. Configure the offline_access or equivalent scope to request refresh tokens.

Token expiration

Access token lifetimes vary by provider: many expire after a short period (commonly one hour to one day), while some, such as GitHub OAuth app tokens, do not expire until revoked. The application handles token refresh automatically when refresh tokens are available.

Troubleshooting

Invalid redirect URI

Problem: Provider rejects the redirect URI
Solution:
  • Verify the redirect URI exactly matches in both systems
  • Check for trailing slashes or protocol mismatches
  • Ensure the provider ID in the URL matches your configuration
  • Some providers require exact URL matching (including query parameters)
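A small diagnostic for the checks listed above, added here as my own Python rather than anything the product ships: it compares the URI registered with the provider against the one the application sends and names the first component that differs, treating a trailing slash and a scheme mismatch as the specific cases they are. The example URIs are constructed.

```python
from urllib.parse import urlsplit


def redirect_uri_mismatch(registered: str, presented: str):
    """None if the URIs are byte-identical; otherwise a description of the first difference.

    Providers compare the redirect_uri as an exact string, so the first check is plain
    equality; the component walk only exists to explain why a rejection happened.
    """
    if registered == presented:
        return None
    a, b = urlsplit(registered), urlsplit(presented)
    checks = (("scheme", a.scheme, b.scheme), ("host", a.netloc, b.netloc),
              ("path", a.path, b.path), ("query", a.query, b.query),
              ("fragment", a.fragment, b.fragment))
    for name, x, y in checks:
        if x != y:
            if name == "path" and x.rstrip("/") == y.rstrip("/"):
                return "path: trailing slash differs"
            return f"{name}: registered {x!r}, presented {y!r}"
    # Parsed components agree but the strings do not: urlsplit lowercases the scheme,
    # so what remains is a case difference such as HTTPS:// versus https://.
    return "scheme case differs"
```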

Missing email address

Problem: User email is not populated after login
Solution:
  • Verify you’re requesting the correct scope for email access
  • Check that the user has a verified email in their provider account
  • Review the user info response in audit logs
  • Update attribute mapping to match the provider’s response format

Scope not granted

Problem: Provider doesn’t grant requested scopes
Solution:
  • Verify the scopes are valid for your provider
  • Check that your OAuth application is approved for the requested scopes
  • Some scopes require additional provider configuration or approval
  • Review provider documentation for scope requirements

User info endpoint fails

Problem: Cannot fetch user information after authentication
Solution:
  • Verify the user info URL is correct
  • Check that the access token is being sent correctly
  • Review the provider’s API documentation for authentication requirements
  • Some providers require specific headers (e.g., Accept: application/json)

Security best practices

  • Always use HTTPS for redirect URIs. OAuth2 over HTTP is insecure.
  • The application automatically validates the state parameter to prevent CSRF attacks.
  • Regularly rotate your client secrets and update them in the admin UI.
  • Only request the scopes necessary for your application’s functionality.
  • Access tokens are encrypted in the database. Never log or expose tokens in client-side code.

Advanced configuration

Custom headers

Some providers require custom headers for the user info request. Contact support if you need to configure custom headers.

Token endpoint authentication

The application supports multiple token endpoint authentication methods:
  • client_secret_post (default): Send credentials in request body
  • client_secret_basic: Send credentials in Authorization header
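What the two methods look like on the wire, as an added Python example (my own, not the product’s implementation). The credentials are the sample values from this page’s field table; the code, redirect URI and verifier passed to token_request are placeholders.

```python
import base64
from urllib.parse import quote

# Sample credentials taken from the example column of this page's field table.
CLIENT_ID = "abc123xyz"
CLIENT_SECRET = "secret_abc123"


def client_auth(method: str, client_id: str = CLIENT_ID, client_secret: str = CLIENT_SECRET):
    """Return (extra_headers, extra_form_fields) that carry the client credentials."""
    if method == "client_secret_post":
        return {}, {"client_id": client_id, "client_secret": client_secret}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: each value is form-urlencoded *before* being joined
        # with ':' and base64-encoded, so a secret containing ':' or '%' still round-trips.
        userpass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        header = "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")
        return {"Authorization": header}, {}
    raise ValueError(f"unsupported token endpoint auth method: {method}")


def token_request(method: str, code: str, redirect_uri: str, code_verifier: str = "") -> dict:
    """Assemble the POST to the token endpoint; the body is sent form-urlencoded."""
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}    # GitHub otherwise answers form-encoded
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if code_verifier:
        body["code_verifier"] = code_verifier    # PKCE, when the authorize step used it
    extra_headers, extra_fields = client_auth(method)
    headers.update(extra_headers)
    body.update(extra_fields)
    return {"headers": headers, "body": body}
```

Under client_secret_basic the secret never appears in the form body, which keeps it out of any request-body logging on the provider side; under client_secret_post it is a form field like any other.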

PKCE support

Proof Key for Code Exchange (PKCE) is automatically enabled for enhanced security on supported providers.

Next steps