External login¶
SeaCat Auth supports login via third party authentication providers. This allows users to use their Google or Github account to log into SeaCat Auth.
SeaCat Auth currently supports these login providers:
- Office 365
- Github
- MojeID
- AppleID
Usage¶
Once configured, external login options are available on the login screen as an alternative to the standard SeaCat Auth login.
Any user can enable or disable their external login options on their My account screen.
Setting up external login providers¶
Setting up external login requires registering and configuring your SeaCat Auth site at the respective provider and configuring the SeaCat Auth service itself.
Register your SeaCat Auth application¶
Once you select which login provider you want to set up, proceed to their website to register your SeaCat Auth application. You will receive Client ID and Client secret which you will use in SeaCat Auth configuration.
Provide redirect URIs¶
Most OAuth2 providers will require you to specify a list of exact authorized redirect URIs. If that is the case, you need to provide two URIs in the following format:
<SEACAT_PUBLIC_API_BASE_URL>/public/ext-login/<LOGIN_PROVIDER_ID>
<SEACAT_PUBLIC_API_BASE_URL>/public/ext-login-add/<LOGIN_PROVIDER_ID>
For example, if your public SeaCat Auth API is running at https://auth.example.xyz/auth/api/seacat_auth/
and you want to configure login with google
, add these addresses to the list of authorized redirect URIs
in Google API Credentials.
https://auth.example.xyz/auth/api/seacat_auth/public/ext-login/google
https://auth.example.xyz/auth/api/seacat_auth/public/ext-login-add/google
Other providers (e.g. Github) do not require a list of exact URIs but rather a single path that all of your redirect URIs will start with. In such cases just provide the base URL of your SeaCat Auth public API, for example
https://auth.example.xyz/auth/api/seacat_auth/public/
Configure SeaCat Auth¶
Finally, you can add a section defining your external login provider in the SeaCat Auth config file. You will need at least the Client ID and the Client secret that you received at your login provider.
The config section name is always in the format [seacatauth:<LOGIN_PROVIDER_ID>]
.
See below for config examples of the individual login providers.
Supported providers¶
SeaCat Auth currently supports the following external login providers:
- Office 365
- Github
- Moje ID
Google¶
Provider ID: google
Register your SeaCat Auth app in Google API Credentials.
[seacatauth:google]
client_id=a2c4e6...
client_secret=1b3d5f...
Office 365¶
Provider ID: office365
Register your SeaCat Auth app in Azure Active Directory.
In addition to client ID and client secret, Office 365 login also requires you to fill in your tenant ID.
[seacatauth:office365]
tenant_id=def123...
client_id=a2c4e6...
client_secret=1b3d5f...
Github¶
Provider ID: github
Register your SeaCat Auth app in your Github developer settings.
[seacatauth:github]
client_id=a2c4e6...
client_secret=1b3d5f...
MojeID¶
Provider ID: mojeid
Sign up for a MojeID provider account. Follow their documentation to obtain client ID and secret.
[seacatauth:mojeid]
client_id=a2c4e6...
client_secret=1b3d5f...
AppleID¶
Provider ID: appleid
Register your app in Apple Developer program Service ID settings to obtain client ID. Apple returns e-mail and username in the response right after OAuth2 /authorize call, so we do not need client_secret, because we do not need to hit the /token endpoint at all.
Sign in with Apple documentation
[seacatauth:appleid]
client_id=a2c4e6...
Registering unknown users via webhook¶
When an unknown user logs in via external identity provider, it is possible to trigger a webhook to an external
service. This service can register the user and send back their credential ID. If the response contains a valid
credential_id
, the login proceeds as successful.
To enable the webhook, specify the webhook URL in the configuration file:
[seacatauth:external_login]
registration_webhook_uri=http://localhost:8089/external-registration
The webhook is a POST request with JSON payload containing the following properties:
provider_type
- the type of the identity provider (e.g. google or appleid),authorization_response
- response query parameters without the authorization code,user_info
- OpenID UserInfo-like claims about the logged-in user (mandatorysub
, optionalemail
,preferred_username
etc.). The actual claims differ from provider to provider and also depend on your client's scope and configuration.
A successful webhook response must contain a valid credential_id of the created credentials. Otherwise, the response is considered error and the login results in failure.
Example¶
Request:
POST /webhook_url
{
"provider_type": "google",
"authorization_response": {
"scope": "email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
"authuser": "0",
"prompt": "consent"
},
"user_info": {
"iss": "accounts.google.com",
"sub": "01234567890123456789",
"email": "abcdefgh@gmail.com",
"email_verified": true
}
}
Response:
{
"credential_id": "mongodb:custom:abcd123456789"
}