OAuth
Sign in with third-party providers. EdgeBase supports 14 OAuth providers out of the box.
Before using any OAuth provider, you must register an OAuth application in the provider's developer console and configure the credentials. See the individual provider guides below.
When captcha is enabled, OAuth initiation (GET /auth/oauth/:provider) is automatically protected by Cloudflare Turnstile. Client SDKs attach the captcha token as a query parameter — no code changes needed.
Configuration
1. Enable Providers
Add the providers you want to use in your config:
// edgebase.config.ts
export default defineConfig({
auth: {
allowedOAuthProviders: ['google', 'github', 'apple', 'discord'],
},
});
2. Set Credentials
Provider credentials live in edgebase.config.ts under auth.oauth.
// edgebase.config.ts
export default defineConfig({
auth: {
oauth: {
google: {
clientId: 'YOUR_CLIENT_ID',
clientSecret: 'YOUR_CLIENT_SECRET',
},
github: {
clientId: 'YOUR_CLIENT_ID',
clientSecret: 'YOUR_CLIENT_SECRET',
},
},
},
});
If you do not want literals in source, import the values from your own local secret-loading module when building the config.
3. Register Redirect URI
In each provider's developer console, register this redirect URI:
https://your-edgebase-url/api/auth/oauth/{provider}/callback
Replace {provider} with the provider name (e.g., google, github). For local development:
http://localhost:8787/api/auth/oauth/google/callback
The URI you register in the provider console is the EdgeBase server callback such as http://localhost:8787/api/auth/oauth/google/callback.
That is different from your browser or mobile app callback such as http://localhost:4173/auth/callback or myapp://auth/callback, which is passed from the SDK as redirectUrl or redirectTo.
Common Setup Pitfalls
- Some provider consoles allow
http://localhost/...for local callbacks, while others require an HTTPS callback even in development. Slack currently needs an HTTPS tunnel. - Providers often show multiple credential types. EdgeBase needs the OAuth client credentials for the provider flow, not unrelated API keys, bearer tokens, user tokens, or installation tokens.
- Some providers do not return a verified email, or do not return email at all. That affects automatic account linking and also explains why local validation harnesses may show
skippedchecks for password, email, or TOTP paths. - In the JavaScript web SDK,
redirectUrlis the canonical option name.redirectTois accepted as an alias.
Supported Providers
| Provider | Email Verified | PKCE | Setup Guide | |
|---|---|---|---|---|
| Yes | Yes | Supported | Guide | |
| GitHub | Yes | Yes (primary only) | No | Guide |
| Apple | Yes | Always | No | Guide |
| Discord | Yes | Yes | No | Guide |
| Microsoft | Yes | Yes | Supported | Guide |
| Yes | No | No | Guide | |
| Kakao | Yes | Conditional | No | Guide |
| Naver | Yes | No | No | Guide |
| X (Twitter) | No | No | Required | Guide |
| No | No | No | Guide | |
| Line | Conditional | No | No | Guide |
| Slack | Yes | Always | No | Guide |
| Spotify | Yes | No | No | Guide |
| Twitch | Yes | Yes | No | Guide |
Provider Setup Guides
📄️ Google
Sign in with Google accounts using OAuth 2.0 with OpenID Connect.
📄️ GitHub
Sign in with GitHub accounts using OAuth 2.0.
📄️ Apple
Sign in with Apple using OAuth 2.0 with OpenID Connect.
📄️ Discord
Sign in with Discord accounts using OAuth 2.0.
📄️ Microsoft
Sign in with Microsoft accounts (personal, work, or school) using Azure AD OAuth 2.0 with OpenID Connect.
📄️ Facebook
Sign in with Facebook (Meta) accounts using OAuth 2.0.
📄️ Kakao
Sign in with Kakao accounts using OAuth 2.0. Popular in South Korea.
📄️ Naver
Sign in with Naver accounts using OAuth 2.0. Popular in South Korea.
📄️ X (Twitter)
Sign in with X (formerly Twitter) accounts using OAuth 2.0 with PKCE.
📄️ Line
Sign in with LINE accounts using OAuth 2.0 with OpenID Connect. Popular in Japan, Taiwan, and Thailand.
📄️ Slack
Sign in with Slack accounts using OpenID Connect.
📄️ Spotify
Sign in with Spotify accounts using OAuth 2.0.
📄️ Twitch
Sign in with Twitch accounts using OAuth 2.0.
Usage
- JavaScript
- Dart/Flutter
- Swift
- Kotlin
- Java
- C#
- C++
// Browser: opens OAuth popup/redirect
client.auth.signInWithOAuth('google');
// With redirect URL
client.auth.signInWithOAuth('github', {
redirectUrl: 'https://my-app.com/auth/callback',
});
await client.auth.signInWithOAuth('google');
let url = client.auth.signInWithOAuth(provider: "google")
// Open url in SFSafariViewController or ASWebAuthenticationSession
client.auth().signInWithOAuth("google");
client.auth().signInWithOAuth("google");
client.Auth.SignInWithOAuth("google");
OAuth requires a browser redirect flow. For C++ (Unreal Engine), handle OAuth in a platform webview and pass the token to the SDK.
Custom OIDC Providers
Beyond the 13 built-in providers, EdgeBase supports any OpenID Connect-compliant identity provider (Okta, Auth0, Azure AD, Keycloak, etc.) via OIDC Federation.
Custom OIDC providers use the oidc: prefix (e.g., oidc:my-provider) and automatically discover endpoints via .well-known/openid-configuration. PKCE is enabled by default for enhanced security.
// edgebase.config.ts
export default defineConfig({
auth: {
allowedOAuthProviders: [
'google', // Built-in provider
'oidc:okta', // Custom OIDC provider
'oidc:azure-ad', // Another custom OIDC provider
],
},
});
Credentials are configured in edgebase.config.ts:
export default defineConfig({
auth: {
oauth: {
oidc: {
okta: {
clientId: 'YOUR_CLIENT_ID',
clientSecret: 'YOUR_CLIENT_SECRET',
issuer: 'https://your-org.okta.com',
},
},
},
},
});
| Field | Required | Description |
|---|---|---|
clientId | Yes | OAuth client ID |
clientSecret | Yes | OAuth client secret |
issuer | Yes | OIDC issuer URL (must serve /.well-known/openid-configuration) |
scopes | No | Custom scopes array (default: ['openid', 'email', 'profile']) |
SDK usage is identical to built-in providers -- use the oidc:{name} format for the provider parameter:
client.auth.signInWithOAuth('oidc:okta');
See OIDC Federation for full setup guides with Okta, Auth0, Azure AD, and Keycloak.
Account Linking
If a user signs up with email and later uses OAuth with the same verified email, the accounts are automatically linked. This only happens when the OAuth provider confirms the email is verified.
Signed-in users can also explicitly attach additional OAuth providers to the same account with client.auth.linkWithOAuth(...).
See Account Linking for details.
Field Notes from Local Validation
The built-in js-web browser harness was used to validate provider flows on March 8, 2026. A result such as passed + skipped can still be healthy:
passedmeans the provider login, callback, session creation, and applicable post-login checks completed.skippedusually means the signed-in provider account did not expose an email-backed or password-capable path, so checks like password bootstrap, email round-trip, or TOTP were intentionally not attempted.- This is common for providers like X, Kakao, Naver, and some Microsoft account shapes.
REST API
| Endpoint | Description |
|---|---|
GET /auth/oauth/:provider | Start OAuth flow (redirects to provider) |
GET /auth/oauth/:provider/callback | Handle OAuth callback |
POST /auth/oauth/link/:provider | Link the current account to an OAuth provider (anonymous upgrade or signed-in attach) |
GET /auth/oauth/link/:provider/callback | OAuth link callback |