OpenID Connect. Supports personal and Workspace accounts.
Social Login
Social login enables users to authenticate with their existing Google, Microsoft, GitHub, or other OAuth/OIDC provider accounts.
Supported Providers
Section titled “Supported Providers”Microsoft
Entra ID (formerly Azure AD). Multi-tenant, organization, and consumer accounts.
GitHub
OAuth 2.0. Includes GitHub Enterprise Server support.
Apple / Facebook / LinkedIn
Built-in templates are available for additional common providers.
Custom
Any OIDC or OAuth 2.0 compliant provider.
Why Use Social Login?
Section titled “Why Use Social Login?”Better User Experience
Section titled “Better User Experience”- One-click login with existing accounts
- No passwords to remember
- Reduced registration friction
Enhanced Security
Section titled “Enhanced Security”- Leverage enterprise-grade authentication infrastructure
- Delegate MFA/2FA to external IdPs
- Reduce password management burden
JIT Provisioning
Section titled “JIT Provisioning”- Automatic user creation on first login
- Email-based account linking
- Profile synchronization via attribute mapping
Authentication Flow
Section titled “Authentication Flow”sequenceDiagram
participant User
participant App as Your App
participant Authrim
participant ExtIdP as External IdP
User->>App: 1. Click "Login with GitHub"
App->>Authrim: 2. GET /auth/external/github/start
Authrim->>Authrim: 3. Generate state, nonce, PKCE
Authrim-->>User: 4. Redirect to External IdP
User->>ExtIdP: 5. Authentication screen
ExtIdP->>ExtIdP: 6. User authentication
ExtIdP-->>Authrim: 7. Callback (authorization code)
Authrim->>ExtIdP: 8. Token exchange
ExtIdP-->>Authrim: 9. Access token
Authrim->>ExtIdP: 10. Fetch user info
ExtIdP-->>Authrim: 11. User info
Authrim->>Authrim: 12. Identity stitching
Authrim-->>User: 13. Create session + redirect
User->>App: 14. Authentication complete
Provider Setup
Section titled “Provider Setup”-
Go to Google Cloud Console
-
Navigate to APIs & Services → Credentials → Create Credentials → OAuth client ID
-
Select Application type: Web application
-
Add Authorized redirect URI:
https://your-domain.com/auth/external/google/callback -
Copy the Client ID and Client Secret
-
Register the provider via Admin API:
Terminal window curl -X POST "https://your-domain.com/api/admin/external-providers" \-H "Authorization: Bearer ${ADMIN_MACHINE_ACCESS_TOKEN}" \-H "Content-Type: application/json" \-d '{"template": "google","name": "Google","slug": "google","client_id": "YOUR_GOOGLE_CLIENT_ID.apps.googleusercontent.com","client_secret": "YOUR_GOOGLE_CLIENT_SECRET"}'
-
Go to Azure Portal → Microsoft Entra ID → App registrations
-
Click New registration
-
Add Redirect URI:
https://your-domain.com/auth/external/microsoft/callback -
Go to Certificates & secrets → New client secret to create a secret
-
Copy the Application (client) ID and Client Secret
-
Register the provider via Admin API:
Terminal window curl -X POST "https://your-domain.com/api/admin/external-providers" \-H "Authorization: Bearer ${ADMIN_MACHINE_ACCESS_TOKEN}" \-H "Content-Type: application/json" \-d '{"template": "microsoft","name": "Microsoft","slug": "microsoft","client_id": "YOUR_MICROSOFT_CLIENT_ID","client_secret": "YOUR_MICROSOFT_CLIENT_SECRET","provider_quirks": {"tenantType": "common"}}'
tenantType options:
| Value | Description |
|---|---|
common | All Microsoft accounts (personal + organizational) |
organizations | Organizational accounts only (Azure AD) |
consumers | Personal accounts only (Outlook.com, etc.) |
{tenant-id} | Specific tenant only |
-
Click OAuth Apps → New OAuth App
-
Fill in the details:
- Application name: Your app name
- Homepage URL:
https://your-domain.com - Authorization callback URL:
https://your-domain.com/auth/external/github/callback
-
Click Register application
-
Copy the Client ID and Client Secret
-
Register the provider via Admin API:
Terminal window curl -X POST "https://your-domain.com/api/admin/external-providers" \-H "Authorization: Bearer ${ADMIN_MACHINE_ACCESS_TOKEN}" \-H "Content-Type: application/json" \-d '{"template": "github","name": "GitHub","slug": "github","client_id": "YOUR_GITHUB_CLIENT_ID","client_secret": "YOUR_GITHUB_CLIENT_SECRET"}'
Configure any OpenID Connect compliant provider:
curl -X POST "https://your-domain.com/api/admin/external-providers" \ -H "Authorization: Bearer ${ADMIN_MACHINE_ACCESS_TOKEN}" \ -H "Content-Type: application/json" \ -d '{ "name": "Custom IdP", "slug": "custom-idp", "provider_type": "oidc", "client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET", "issuer": "https://idp.example.com", "scopes": "openid email profile" }'Endpoints are automatically discovered via OIDC Discovery (/.well-known/openid-configuration).
Configuration Reference
Section titled “Configuration Reference”Common Fields
Section titled “Common Fields”| Field | Type | Required | Description |
|---|---|---|---|
name | string | ✅ | Display name |
slug | string | - | URL-friendly identifier |
client_id | string | ✅ | OAuth Client ID |
client_secret | string | ✅ | OAuth Client Secret |
enabled | boolean | - | Enable/disable (default: true) |
Identity Linking
Section titled “Identity Linking”| Field | Default | Description |
|---|---|---|
auto_link_email | true | Auto-link accounts by email |
jit_provisioning | true | JIT provisioning (auto user creation) |
require_email_verified | true | Require verified email |
Provider responses never return client_secret; they expose hasSecret instead.
User Flow Endpoints
Section titled “User Flow Endpoints”Start Authentication
Section titled “Start Authentication”GET /auth/external/:provider/start?redirect_uri=https://app.example.com/callback| Parameter | Required | Description |
|---|---|---|
redirect_uri | ✅ | Redirect destination after authentication |
tenant_id | - | Tenant ID (for multi-tenant setups) |
user_id | - | User ID to link (for account linking) |
Security
Section titled “Security”Authrim automatically applies these security measures:
- PKCE: S256 method for all external IdP authentication flows
- State: Cryptographically secure state parameter for CSRF protection
- Nonce: Prevents ID Token replay attacks for OIDC providers
- Client Secret Handling: Secret values are write-only through the Admin API; read responses expose
hasSecret - Email Verification: Only verified emails allowed by default
Troubleshooting
Section titled “Troubleshooting””Provider not found”
Section titled “”Provider not found””- Verify the provider is created
- Check that
slugoridis correct - Confirm
enabled: true
”State validation failed”
Section titled “”State validation failed””- Check if user took more than 60 seconds
- Ensure the flow completes in the same browser/session
- Verify cookies are not blocked
”Provider did not return email”
Section titled “”Provider did not return email””- Check OAuth App has the appropriate scope (
email) - For GitHub,
user:emailscope is required - Verify user has an email configured