Social Login
Social login enables users to authenticate with their existing Google, Microsoft, GitHub, or other OAuth/OIDC provider accounts.
Supported Providers
Google
OpenID Connect. Supports personal and Workspace accounts.
Microsoft
Entra ID (formerly Azure AD). Multi-tenant, organization, and consumer accounts.
GitHub
OAuth 2.0. Includes GitHub Enterprise Server support.
Custom
Any OIDC or OAuth 2.0 compliant provider.
Why Use Social Login?
Better User Experience
- One-click login with existing accounts
- No passwords to remember
- Reduced registration friction
Enhanced Security
- Leverage enterprise-grade authentication infrastructure
- Delegate MFA/2FA to external IdPs
- Reduce password management burden
JIT Provisioning
- Automatic user creation on first login
- Email-based account linking
- Profile synchronization via attribute mapping
Authentication Flow
```mermaid
sequenceDiagram
    participant User
    participant App as Your App
    participant Authrim
    participant ExtIdP as External IdP
    User->>App: 1. Click "Login with GitHub"
    App->>Authrim: 2. GET /auth/external/github/start
    Authrim->>Authrim: 3. Generate state, nonce, PKCE
    Authrim-->>User: 4. Redirect to External IdP
    User->>ExtIdP: 5. Authentication screen
    ExtIdP->>ExtIdP: 6. User authentication
    ExtIdP-->>Authrim: 7. Callback (authorization code)
    Authrim->>ExtIdP: 8. Token exchange
    ExtIdP-->>Authrim: 9. Access token
    Authrim->>ExtIdP: 10. Fetch user info
    ExtIdP-->>Authrim: 11. User info
    Authrim->>Authrim: 12. Identity stitching
    Authrim-->>User: 13. Create session + redirect
    User->>App: 14. Authentication complete
```
Provider Setup
Google
- Go to Google Cloud Console
- Navigate to APIs & Services → Credentials → Create Credentials → OAuth client ID
- Select Application type: Web application
- Add Authorized redirect URI: `https://your-domain.com/auth/external/google/callback`
- Copy the Client ID and Client Secret
- Register the provider via Admin API:

```bash
curl -X POST "https://your-domain.com/external-idp/admin/providers" \
  -H "Authorization: Bearer ${ADMIN_API_SECRET}" \
  -H "Content-Type: application/json" \
  -d '{
    "template": "google",
    "name": "Google",
    "slug": "google",
    "client_id": "YOUR_GOOGLE_CLIENT_ID.apps.googleusercontent.com",
    "client_secret": "YOUR_GOOGLE_CLIENT_SECRET"
  }'
```
Microsoft
- Go to Azure Portal → Microsoft Entra ID → App registrations
- Click New registration
- Add Redirect URI: `https://your-domain.com/auth/external/microsoft/callback`
- Go to Certificates & secrets → New client secret to create a secret
- Copy the Application (client) ID and Client Secret
- Register the provider via Admin API:

```bash
curl -X POST "https://your-domain.com/external-idp/admin/providers" \
  -H "Authorization: Bearer ${ADMIN_API_SECRET}" \
  -H "Content-Type: application/json" \
  -d '{
    "template": "microsoft",
    "name": "Microsoft",
    "slug": "microsoft",
    "client_id": "YOUR_MICROSOFT_CLIENT_ID",
    "client_secret": "YOUR_MICROSOFT_CLIENT_SECRET",
    "provider_quirks": {"tenantType": "common"}
  }'
```

`tenantType` options:
| Value | Description |
|---|---|
| `common` | All Microsoft accounts (personal + organizational) |
| `organizations` | Organizational accounts only (Azure AD) |
| `consumers` | Personal accounts only (Outlook.com, etc.) |
| `{tenant-id}` | Specific tenant only |
GitHub
- Click OAuth Apps → New OAuth App
- Fill in the details:
  - Application name: Your app name
  - Homepage URL: `https://your-domain.com`
  - Authorization callback URL: `https://your-domain.com/auth/external/github/callback`
- Click Register application
- Copy the Client ID and Client Secret
- Register the provider via Admin API:

```bash
curl -X POST "https://your-domain.com/external-idp/admin/providers" \
  -H "Authorization: Bearer ${ADMIN_API_SECRET}" \
  -H "Content-Type: application/json" \
  -d '{
    "template": "github",
    "name": "GitHub",
    "slug": "github",
    "client_id": "YOUR_GITHUB_CLIENT_ID",
    "client_secret": "YOUR_GITHUB_CLIENT_SECRET"
  }'
```
Custom
Configure any OpenID Connect compliant provider:

```bash
curl -X POST "https://your-domain.com/external-idp/admin/providers" \
  -H "Authorization: Bearer ${ADMIN_API_SECRET}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Custom IdP",
    "slug": "custom-idp",
    "provider_type": "oidc",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "issuer": "https://idp.example.com",
    "scopes": "openid email profile"
  }'
```

Endpoints are automatically discovered via OIDC Discovery (`/.well-known/openid-configuration`).
Configuration Reference
Common Fields
| Field | Type | Required | Description |
|---|---|---|---|
| `name` | string | ✅ | Display name |
| `slug` | string | - | URL-friendly identifier |
| `client_id` | string | ✅ | OAuth Client ID |
| `client_secret` | string | ✅ | OAuth Client Secret |
| `enabled` | boolean | - | Enable/disable (default: `true`) |
Identity Linking
| Field | Default | Description |
|---|---|---|
| `auto_link_email` | `true` | Auto-link accounts by email |
| `jit_provisioning` | `true` | JIT provisioning (auto user creation) |
| `require_email_verified` | `true` | Require verified email |
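To make the three Identity Linking fields concrete, here is an added example (not Authrim's own code) of the decision step 12 of the flow has to take once the IdP has returned `sub`, `email` and `email_verified`. `ProviderConfig`, `User`, `UserStore` and `stitch` are hypothetical names chosen for this illustration; the outcomes show why `require_email_verified` defaults to `true` when email-based auto-linking is on.

```python
from dataclasses import dataclass, field


@dataclass
class ProviderConfig:
    """The three Identity Linking fields from the table, with the page's defaults."""
    slug: str
    auto_link_email: bool = True
    jit_provisioning: bool = True
    require_email_verified: bool = True


@dataclass
class User:
    id: str
    email: str
    identities: set = field(default_factory=set)  # {(provider_slug, provider_subject), ...}


class UserStore:
    """Hypothetical in-memory directory standing in for the real user database."""

    def __init__(self, users):
        self.users = list(users)

    def by_identity(self, slug, sub):
        return next((u for u in self.users if (slug, sub) in u.identities), None)

    def by_email(self, email):
        return next((u for u in self.users if u.email.lower() == email.lower()), None)

    def create(self, email):
        user = User(id=f"u{len(self.users) + 1}", email=email.lower())
        self.users.append(user)
        return user


def stitch(cfg: ProviderConfig, claims: dict, store: UserStore):
    """Return (outcome, user). `claims` is what step 11 returned: sub, email, email_verified."""
    sub = claims["sub"]
    email = claims.get("email")
    verified = bool(claims.get("email_verified", False))

    # 1. A subject already linked to this provider maps straight to its user; email plays no part.
    user = store.by_identity(cfg.slug, sub)
    if user is not None:
        return "linked_existing", user

    # 2. Everything below keys on the email claim, so it must be present ("Provider did not
    #    return email") and, by default, verified: auto-linking on an unverified address would
    #    hand the matching local account to whoever registered that address at the IdP.
    if not email:
        return "rejected_no_email", None
    if cfg.require_email_verified and not verified:
        return "rejected_unverified_email", None

    # 3. auto_link_email: attach this provider identity to the local user with the same email.
    if cfg.auto_link_email:
        user = store.by_email(email)
        if user is not None:
            user.identities.add((cfg.slug, sub))
            return "auto_linked", user

    # 4. jit_provisioning: a first login with no matching account creates one.
    if cfg.jit_provisioning:
        user = store.create(email)
        user.identities.add((cfg.slug, sub))
        return "jit_created", user

    return "rejected_no_account", None


if __name__ == "__main__":
    # Constructed sample data: one pre-existing local user, then a GitHub login with her email.
    directory = UserStore([User("u1", "alice@example.com")])
    print(stitch(ProviderConfig("github"), {"sub": "999", "email": "Alice@Example.com", "email_verified": True}, directory))
```

Once a `(slug, sub)` pair is linked, later logins resolve through step 1 even if the IdP's email claim changes, which is the behaviour you want: the stable provider subject, not the mutable email, identifies the account from then on.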
User Flow Endpoints
Start Authentication

```text
GET /auth/external/:provider/start?redirect_uri=https://app.example.com/callback
```

| Parameter | Required | Description |
|---|---|---|
| `redirect_uri` | ✅ | Redirect destination after authentication |
| `tenant_id` | - | Tenant ID (for multi-tenant setups) |
| `user_id` | - | User ID to link (for account linking) |
Security
Authrim automatically applies these security measures:
- PKCE: S256 method for all external IdP authentication flows
- State: Cryptographically secure state parameter for CSRF protection
- Nonce: Prevents ID Token replay attacks for OIDC providers
- Client Secret Encryption: Stored encrypted with AES-256-GCM
- Email Verification: Only verified emails allowed by default
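The PKCE, state and nonce measures above correspond to steps 3, 7, 8 and 11 of the sequence diagram. The following added example (illustrative code, not Authrim's implementation) walks through those steps with both sides visible: the relying party mints the three values, the IdP's token endpoint recomputes the S256 challenge, and a replayed or late callback fails state validation. `start_flow`, `handle_callback`, `idp_accepts_verifier` and the in-memory `store` are hypothetical names; the 60 second TTL is taken from the troubleshooting note, and all URLs, codes and timestamps are constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

STATE_TTL_SECONDS = 60  # the page: a callback older than 60 s fails state validation


def b64url(raw: bytes) -> str:
    """base64url without padding, the encoding RFC 7636 uses for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 bound
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def start_flow(store, authorize_endpoint, client_id, redirect_uri, now):
    """Step 3 of the diagram: mint state, nonce and PKCE, keep them server-side, build the redirect."""
    state = b64url(secrets.token_bytes(32))  # unguessable, so a forged callback cannot supply it
    nonce = b64url(secrets.token_bytes(32))
    verifier, challenge = pkce_pair()
    store[state] = {"nonce": nonce, "verifier": verifier, "created": now}  # hypothetical server-side store
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def handle_callback(store, callback_url, now):
    """Step 7: validate state before touching the code. Raises ValueError on any failure."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"IdP returned error: {qs['error'][0]}")
    entry = store.pop(qs.get("state", [""])[0], None)  # pop makes state single-use: no replay
    if entry is None:
        raise ValueError("State validation failed: unknown or already-used state")
    if now - entry["created"] > STATE_TTL_SECONDS:
        raise ValueError("State validation failed: state expired")
    if "code" not in qs:
        raise ValueError("Callback carried no authorization code")
    return {"code": qs["code"][0], "verifier": entry["verifier"], "nonce": entry["nonce"]}


def idp_accepts_verifier(code_challenge, code_verifier):
    """The IdP side of step 8: S256(code_verifier) must equal the challenge sent at step 4."""
    recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, code_challenge)


def verify_nonce(id_token_claims, expected_nonce):
    """Steps 11/12: the nonce inside the ID token must be the one minted at step 3."""
    got = str(id_token_claims.get("nonce", "")).encode("utf-8")
    return secrets.compare_digest(got, expected_nonce.encode("utf-8"))


def run_demo():
    """One good flow, then a replayed and an expired callback (all values constructed)."""
    store, t0 = {}, 1_700_000_000.0
    redirect = "https://your-domain.com/auth/external/custom-idp/callback"
    url = start_flow(store, "https://idp.example.com/authorize", "YOUR_CLIENT_ID", redirect, t0)
    sent = parse_qs(urlparse(url).query)
    state, challenge, nonce = sent["state"][0], sent["code_challenge"][0], sent["nonce"][0]
    callback = f"{redirect}?{urlencode({'code': 'constructed-auth-code', 'state': state})}"
    result = handle_callback(store, callback, t0 + 10)  # 10 s later: inside the TTL
    pkce_ok = idp_accepts_verifier(challenge, result["verifier"])
    nonce_ok = verify_nonce({"sub": "12345", "nonce": nonce}, result["nonce"])
    try:
        handle_callback(store, callback, t0 + 11)  # the same state a second time
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    late = {}
    late_url = start_flow(late, "https://idp.example.com/authorize", "YOUR_CLIENT_ID", redirect, t0)
    late_state = parse_qs(urlparse(late_url).query)["state"][0]
    try:
        handle_callback(late, f"{redirect}?{urlencode({'code': 'x', 'state': late_state})}", t0 + 61)
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    return {"pkce_ok": pkce_ok, "nonce_ok": nonce_ok,
            "replay_rejected": replay_rejected, "expired_rejected": expired_rejected}


if __name__ == "__main__":
    print(run_demo())
```

Two details matter in practice: the state entry is removed the moment it is consumed, so a captured callback URL cannot be replayed, and the TTL check runs before the code is ever sent to the token endpoint, so a stale flow never reaches step 8. That ordering is what produces the "State validation failed" message described under Troubleshooting when a user takes longer than 60 seconds or switches browsers mid-flow.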
Troubleshooting
"Provider not found"
- Verify the provider is created
- Check that `slug` or `id` is correct
- Confirm `enabled: true`
"State validation failed"
- Check if user took more than 60 seconds
- Ensure the flow completes in the same browser/session
- Verify cookies are not blocked
"Provider did not return email"
- Check OAuth App has the appropriate scope (`email`)
- For GitHub, `user:email` scope is required
- Verify user has an email configured