Summary
The Single sign-on feature, also known as SSO, allows you to:
- signup: register a new user using one of their social accounts
- signin: authenticate that user
Configuration
In the following example we configure different providers: Azure, GitHub, Google and Facebook.
auth: {
  connections: {
    azure: {
      strategy: 'li-authentication-openid-connect',
      enabled: true,
      loginEnabled: true,
      registrationEnabled: false,
      connectionId: 'azure',
      // Replace ${tenantId} with your Azure tenant id (single-quoted string, nothing is interpolated)
      issuer: 'https://login.microsoftonline.com/${tenantId}/v2.0/.well-known/openid-configuration',
      config: {
        clientId: '',
        clientSecret: '',
        // jwtContentFromSSOProvider is an openid-connect standard claim, for available properties see:
        // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
        // This example assigns every user of this connection to the 'owners' group
        extractGroupNames: async (jwtContentFromSSOProvider, groupsOfProject) => {
          return ['owners']
        },
        // User will be created and logged into this project (enterprise use-case)
        defaultProjectHandle: 'daily-planet' // alternative 'defaultProjectId: 1'
      },
      ui: {
        label: 'AD',
        icon: 'azure'
      }
    },
    google: {
      strategy: 'li-authentication-openid-connect',
      enabled: false,
      loginEnabled: true,
      registrationEnabled: false,
      connectionId: 'google',
      issuer: 'https://accounts.google.com/.well-known/openid-configuration',
      config: {
        clientId: '',
        clientSecret: '',
        // jwtContentFromSSOProvider is an openid-connect standard claim, for available properties see:
        // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
        // This example assigns every user of this connection to the 'owners' group
        extractGroupNames: async (jwtContentFromSSOProvider, groupsOfProject) => {
          return ['owners']
        },
        // User will be created and logged into this project (enterprise use-case)
        defaultProjectHandle: 'daily-planet' // alternative 'defaultProjectId: 1'
      },
      ui: {
        label: 'Google',
        icon: 'google'
      }
    },
    github: {
      strategy: 'li-authentication-sso',
      enabled: true,
      loginEnabled: true,
      registrationEnabled: true,
      connectionId: 'github',
      config: {
        scope: 'user:email',
        clientID: 'your-github-client-id',
        clientSecret: 'your-github-client-secret'
      },
      ui: {
        label: 'Github',
        icon: 'github-circle'
      }
    },
    // Second 'google' key: in a JavaScript object literal the later definition
    // replaces the earlier one, so keep only one of the two google connections.
    google: {
      strategy: 'li-authentication-sso',
      enabled: true,
      loginEnabled: true,
      registrationEnabled: true,
      connectionId: 'google',
      config: {
        scope: 'email',
        clientID: 'your-google-client-id',
        clientSecret: 'your-google-client-secret',
        // Placeholder URL; use an https:// callback outside of local testing
        callbackURL: 'http://example.com/auth/google/callback'
      },
      ui: {
        label: 'Google',
        icon: 'google'
      }
    },
    facebook: {
      strategy: 'li-authentication-sso',
      enabled: true,
      loginEnabled: true,
      registrationEnabled: true,
      connectionId: 'facebook',
      config: {
        scope: 'email',
        profileFields: ['email', 'displayName'],
        clientID: 'your-facebook-client-id',
        clientSecret: 'your-facebook-client-secret',
        callbackURL: 'http://example.com/auth/facebook/callback'
      },
      ui: {
        label: 'Facebook',
        icon: 'facebook'
      }
    }
  }
},
- strategy: You should be building upon:
  - li-authentication-openid-connect, which builds upon the openid-connect (OIDC) standard. OIDC extends OAuth 2.0.
  - li-authentication-sso, which builds on OAuth 2.0.
- connectionId is the provider handle.
- config can contain up to two “fixed” fields, scope and callbackURL; this is provider specific. The two other fields are clientID and clientSecret, which you can get by creating an OAuth2 application at one of those external providers. For example, to get those credentials from GitHub you have to go to Settings > Developer settings and then click on New OAuth App.
- ui is only used by the editor to “draw” the actual signin and signup buttons.
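
The extractGroupNames callback in the configuration above returns ['owners'] for every user of the connection. As an added example (not Livingdocs code), the callback below derives groups from token claims and grants nothing by default. It assumes the provider is configured to emit a non-standard groups claim, that groupsOfProject holds group names or objects with a name property, and that an empty array is an accepted return value; the mapping table and the 'editors' group are constructed.

```javascript
// Added example: least-privilege variant of the extractGroupNames callback.
// Assumptions (not from the Livingdocs docs): the identity provider emits a
// non-standard `groups` claim (array of strings), groupsOfProject is an array
// of group names or of objects with a `name` property, and returning [] is valid.

// Constructed mapping: identity provider group -> project group name.
const IDP_GROUP_TO_PROJECT_GROUP = new Map([
  ['cms-admins', 'owners'],
  ['cms-editors', 'editors']
])

// Normalise groupsOfProject into a Set of group names.
function projectGroupNames (groupsOfProject) {
  const list = Array.isArray(groupsOfProject) ? groupsOfProject : []
  const names = list.map((g) => (typeof g === 'string' ? g : g && g.name))
  return new Set(names.filter((n) => typeof n === 'string' && n.length > 0))
}

// Synchronous core so the mapping can be unit-tested without a token exchange.
function mapGroups (claims, groupsOfProject) {
  const source = claims && typeof claims === 'object' ? claims : {}
  // Accept only an array of strings; a bare string or object is ignored, not coerced.
  const idpGroups = Array.isArray(source.groups)
    ? source.groups.filter((g) => typeof g === 'string')
    : []
  const existing = projectGroupNames(groupsOfProject)
  const granted = new Set()
  for (const idpGroup of idpGroups) {
    const target = IDP_GROUP_TO_PROJECT_GROUP.get(idpGroup)
    // Grant only groups that are explicitly mapped and exist in the project.
    if (target !== undefined && existing.has(target)) granted.add(target)
  }
  // No mapped group means no membership; there is no fallback to 'owners'.
  return [...granted]
}

// Drop-in value for config.extractGroupNames in an OpenID Connect connection.
const extractGroupNames = async (jwtContentFromSSOProvider, groupsOfProject) => {
  return mapGroups(jwtContentFromSSOProvider, groupsOfProject)
}
```
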