OAuth is an open standard for token-based authentication and authorization which is used to provide Single Sign-On (SSO). Bytebase supports popular OAuth 2.0 providers (GitHub, Google, GitLab) and custom providers.
Overview
In the creating SSO dialog, you need to fill following fields:
Basic information
- Name: the display name shown to your users (e.g.
GitHub
will be shown asSign in with GitHub
) - Identity Provider ID: a human-readable unique string, only lower-case alphabets and hyphens are allowed (e.g.
github
) - Domain: the domain name to scope associated users (e.g.
github.com
, optional)
Identity provider information
The information is the base concept of OAuth 2.0 (opens in a new tab) and comes from your provider.
- Client ID is a public identifier of the custom provider;
- Client Secret is the OAuth2 client secret from identity provider;
- Auth URL is the custom provider's OAuth2 login page address;
- Scopes is the scope parameter carried when accessing the OAuth2 URL, which is filled in according to the custom provider;
- Token URL is the API address for obtaining access token;
- User information URL is the API address for obtaining user information by access token;
- Auth style specifies how the endpoint wants the client ID & client secret sent.
- In params: The
client_id
andclient_secret
will be sending in the POST body as application/x-www-form-urlencoded parameters. - In header: The
client_id
andclient_secret
will be sending in HTTP Basic Authorization. This is an optional style described in the OAuth2 RFC 6749 section 2.3.1.
- In params: The
User information mapping
For different providers, the structures returned by their user information API are usually not the same. In order to know how to map the user information from an provider into Bytebase user fields, you need to fill the user information mapping form.
Bytebase will use the mapping to import the user profile fields when creating new accounts. The most important user field mapping is the identifier which is used to identify the Bytebase account associated with the OAuth 2.0 login.
- Email is the field name of primary email in 3rd-party user info;
- DisplayName is the field name of display name in 3rd-party user info (optional);
- Phone: is the field name of phone number in 3rd-party user info (optional).
Built-in OAuth Provider
OAuth 2.0 usually requires an authorization callback url in the configuration. Please make sure the --external-url is set correctly.
If you start Bytebase with --external-url https://bytebase.example.com
, then the authorization callback URL will be https://bytebase.example.com/oauth/callback
.
Bytebase provides templates for configuring built-in OAuth providers.
GitHub
-
Follow Creating an OAuth App in GitHub (opens in a new tab) to create an OAuth app in GitHub.
-
Open creating SSO dialog and select the GitHub template.
-
Update the Client ID and Client secret fields with the GitHub OAuth App you just created.
-
After filling in all the required fields, try to click Test connection.
-
If everything is OK, click the Create button.
GitLab
-
Follow Configure GitLab as an OAuth 2.0 authentication identity provider (opens in a new tab) to create an OAuth 2 application in GitLab.
-
Open creating SSO dialog and select the GitLab template.
-
Update the Client ID and Client secret fields with the GitLab OAuth 2 application you just created.
-
After filling in all the required fields, try to click Test connection.
-
If everything is OK, click the Create button.
-
Follow the Using OAuth 2.0 to Access Google APIs (opens in a new tab) to create OAuth 2.0 client credentials in Google API Console (opens in a new tab).
-
Open creating SSO dialog and select the Google template.
-
Update the Client ID and Client secret fields with the OAuth 2.0 client credential you just created.
-
After filling in all the required fields, try to click Test connection.
-
If everything is OK, click the Create button.