Storyden

OAuth2 Providers

Configure third-party authentication for your Storyden community

Storyden supports OAuth2 authentication with popular identity providers, allowing members to sign in using their existing accounts. OAuth providers require JWT_SECRET to be configured for state validation during the authentication flow.

Prerequisites

Before enabling any OAuth provider, you must configure a JWT secret:

JWT_SECRET=your-random-secret-here

Generate a secure random secret using:

openssl rand -hex 32

The JWT secret is used to sign and verify the OAuth state tokens that protect against CSRF attacks during the authentication flow.

Available Providers

Each provider has a unique identifier and callback URL that you'll need when configuring the OAuth application with the provider.

Provider   Identifier       Callback URL                                            Setup Guide
Google     oauth_google     https://your-domain.com/auth/oauth_google/callback      Google Setup
GitHub     oauth_github     https://your-domain.com/auth/oauth_github/callback      GitHub Setup
Discord    oauth_discord    https://your-domain.com/auth/oauth_discord/callback     Discord Setup
Keycloak   oauth_keycloak   https://your-domain.com/auth/oauth_keycloak/callback    Keycloak Setup

Replace your-domain.com with your actual domain. Make sure PUBLIC_WEB_ADDRESS is set correctly, as it determines the base URL from which these callback URLs are built.

User Profile Mapping

When a user signs in via OAuth for the first time, Storyden creates a new account with information from the OAuth provider:

  • Username/Handle: Derived from the provider's username or email
  • Display Name: Full name from the provider profile
  • Email: Used to link the account and prevent duplicates/hijacking
  • OAuth Token: Stored for the authentication method

Subsequent sign-ins with the same provider will match to the existing account by the OAuth provider's unique user ID.

Security Considerations

  • OAuth tokens are stored unencrypted in the database, so access to the database and its backups must be restricted accordingly
  • The JWT_SECRET must be kept secret; anyone who holds it can forge valid state tokens
  • Each OAuth provider requires its own separate client credentials
  • Callback URLs must match exactly what is configured with the provider
  • State tokens expire after 10 minutes, limiting the window in which a captured state value can be replayed
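The state-token mechanism referred to in Prerequisites and in the 10-minute expiry bullet above can be illustrated with the following added example. It is not Storyden's own code: it assumes the secret is the hex string produced by openssl rand -hex 32, and the token layout (nonce.expiry.mac), the Signer type and the decision to bind the provider identifier into the MAC are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// stateTTL mirrors the 10-minute expiry described on the page.
const stateTTL = 10 * time.Minute

// ErrBadState covers malformed input, tampering and a secret or provider
// mismatch; ErrExpired is returned for a well-formed token past its TTL.
var (
	ErrBadState = errors.New("oauth state: invalid or tampered")
	ErrExpired  = errors.New("oauth state: expired")
)

// Signer mints and checks OAuth state tokens with a secret such as JWT_SECRET.
// (Hypothetical type for this example, not a Storyden API.)
type Signer struct{ key []byte }

// NewSigner accepts the hex string produced by `openssl rand -hex 32` and
// rejects anything shorter than 32 bytes of key material.
func NewSigner(hexSecret string) (*Signer, error) {
	key, err := hex.DecodeString(hexSecret)
	if err != nil || len(key) < 32 {
		return nil, errors.New("JWT_SECRET must be at least 32 random bytes, hex encoded")
	}
	return &Signer{key: key}, nil
}

// Mint builds "<nonce>.<expiry-unix>.<hmac>" for the given provider at time now.
// Binding the provider identifier into the MAC means a state issued for one
// provider is rejected on another provider's callback.
func (s *Signer) Mint(provider string, now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	n := base64.RawURLEncoding.EncodeToString(nonce)
	exp := strconv.FormatInt(now.Add(stateTTL).Unix(), 10)
	return n + "." + exp + "." + s.mac(provider, n, exp), nil
}

// Verify checks the signature first, in constant time, and only then the expiry,
// so an attacker learns nothing about the expiry from a forged token.
func (s *Signer) Verify(provider, state string, now time.Time) error {
	parts := strings.Split(state, ".")
	if len(parts) != 3 {
		return ErrBadState
	}
	n, exp, got := parts[0], parts[1], parts[2]
	if !hmac.Equal([]byte(got), []byte(s.mac(provider, n, exp))) {
		return ErrBadState
	}
	unix, err := strconv.ParseInt(exp, 10, 64)
	if err != nil {
		return ErrBadState
	}
	if now.After(time.Unix(unix, 0)) {
		return ErrExpired
	}
	return nil
}

func (s *Signer) mac(provider, nonce, exp string) string {
	h := hmac.New(sha256.New, s.key)
	h.Write([]byte(provider + "|" + nonce + "|" + exp))
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

func main() {
	// Constructed secret for the demo; a deployment reads JWT_SECRET from the environment.
	s, _ := NewSigner("5f5a8c5d2a4e4b0c9d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c")
	now := time.Now()
	st, _ := s.Mint("oauth_github", now)
	fmt.Println(s.Verify("oauth_github", st, now))                     // accepted
	fmt.Println(s.Verify("oauth_google", st, now))                     // rejected: wrong provider
	fmt.Println(s.Verify("oauth_github", st, now.Add(11*time.Minute))) // rejected: expired
}
```

On the real flow the minted value is sent as the state parameter in the redirect to the provider and checked again, with the same provider identifier, when the callback URL from the table above is hit; a mismatch or an expired token aborts the sign-in before any code exchange takes place.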
