> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytebase.com/llms.txt
> Use this file to discover all available pages before exploring further.

# OAuth 2.0

OAuth is an open standard for token-based authentication and authorization which is used to provide Single Sign-On (SSO). Bytebase supports popular OAuth 2.0 providers (GitHub, Google, GitLab) and custom providers.

## Overview

<img src="https://mintcdn.com/dbx/VmH49kiwLiErec4u/content/docs/administration/sso/create-sso-dialog.webp?fit=max&auto=format&n=VmH49kiwLiErec4u&q=85&s=6b8d2369afe0e85f52b4ee5544848b5a" alt="create-sso-dialog" width="2692" height="1920" data-path="content/docs/administration/sso/create-sso-dialog.webp" />

In the creating SSO dialog, you need to fill following fields:

### Basic information

<img src="https://mintcdn.com/dbx/VmH49kiwLiErec4u/content/docs/administration/sso/oauth2-basic-information.webp?fit=max&auto=format&n=VmH49kiwLiErec4u&q=85&s=511d02589c226a800ebd22d6c709be12" alt="oauth2-basic-information" width="2684" height="916" data-path="content/docs/administration/sso/oauth2-basic-information.webp" />

* **Name**: the display name shown to your users (e.g. `Google` will be shown as `Sign in with Google`)
* **Identity Provider ID**: a human-readable unique string, only lower-case alphabets and hyphens are allowed (e.g. `google-fsgs`)
* **Domain**: the domain name to scope associated users (e.g. `google.com`, optional)

### Identity provider information

The information is the base concept of [OAuth 2.0](https://oauth.net/2) and comes from your provider.

<img src="https://mintcdn.com/dbx/VmH49kiwLiErec4u/content/docs/administration/sso/oauth2-identity-provider-information.webp?fit=max&auto=format&n=VmH49kiwLiErec4u&q=85&s=83e467944b1a0501a81ada85a17a635a" alt="oauth2-identity-provider-information" width="1992" height="1668" data-path="content/docs/administration/sso/oauth2-identity-provider-information.webp" />

* **Client ID** is a public identifier of the custom provider;
* **Client Secret** is the OAuth2 client secret from identity provider;
* **Auth URL** is the custom provider's OAuth2 login page address;
* **Scopes** is the scope parameter carried when accessing the OAuth2 URL, which is filled in according to the custom provider;
* **Token URL** is the API address for obtaining access token;
* **User information URL** is the API address for obtaining user information by access token;
* **Auth style** specifies how the endpoint wants the client ID & client secret sent.
  * **In params**: The `client_id` and `client_secret` will be sending in the POST body as application/x-www-form-urlencoded parameters.
  * **In header**: The `client_id` and `client_secret` will be sending in HTTP Basic Authorization. This is an optional style described in the OAuth2 RFC 6749 section 2.3.1.

### User information mapping

For different providers, the structures returned by their user information API are usually not the same. That's why you need to fill an information mapping form for mapping user information into Bytebase user fields.

Bytebase uses the mapping to import user profile fields when creating new accounts.

The most important information is `Bytebase user's email`. It identifies the Bytebase account associated with the OAuth 2.0 login.

<img src="https://mintcdn.com/dbx/VmH49kiwLiErec4u/content/docs/administration/sso/oauth2-user-information-field-mapping.webp?fit=max&auto=format&n=VmH49kiwLiErec4u&q=85&s=efd05dce7ee23186e4b01659b27a56fb" alt="oauth2-user-information-field-mapping" width="1536" height="824" data-path="content/docs/administration/sso/oauth2-user-information-field-mapping.webp" />

* **Email** is the field name of primary email in 3rd-party user info;
* **DisplayName** is the field name of display name in 3rd-party user info (optional);

- **Phone**: is the field name of phone number in 3rd-party user info (optional).

## Built-in OAuth Provider

<Note>
  OAuth 2.0 usually requires an authorization callback url in the configuration. Please make sure the [`--external-url`](/get-started/self-host/external-url) is set correctly.

  If you start Bytebase with `--external-url http://bytebase.example.com`, then the **authorization callback URL** will be `http://bytebase.example.com/oauth/callback`.
</Note>

Bytebase provides templates for configuring built-in OAuth providers.

### Google

1. Follow the [Using OAuth 2.0 to Access Google APIs](https://developers.google.com/identity/protocols/oauth2) to create OAuth 2.0 client credentials in [Google API Console](https://console.developers.google.com/).

   <img src="https://mintcdn.com/dbx/VmH49kiwLiErec4u/content/docs/administration/sso/google-oauth-app-config.webp?fit=max&auto=format&n=VmH49kiwLiErec4u&q=85&s=06eeb90bea34d351c3431166427b4b5f" alt="google-oauth-app-config" width="2580" height="1686" data-path="content/docs/administration/sso/google-oauth-app-config.webp" />

2. Open creating SSO dialog and select the **Google** template.

3. Update the **Client ID** and **Client secret** fields with the OAuth 2.0 client credential you just created.

4. After filling in all the required fields, try to click **Test connection**.

5. If everything is OK, click the **Create** button.

### GitHub

1. Follow [Creating an OAuth App in GitHub](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app) to create an OAuth app in GitHub, where you replace `YOUR_EXTERNAL_URL` in the image below with the external URL you [configured](https://www.bytebase.com/docs/get-started/self-host/external-url) in Bytebase Workspace.

   <img src="https://mintcdn.com/dbx/VmH49kiwLiErec4u/content/docs/administration/sso/github-oauth-app-config.webp?fit=max&auto=format&n=VmH49kiwLiErec4u&q=85&s=e9b2c82d38c394a55a50789a1c3559b5" alt="github-oauth-app-config" width="1046" height="1432" data-path="content/docs/administration/sso/github-oauth-app-config.webp" />

2. Open creating SSO dialog and select the **GitHub** template.

3. Update the **Client ID** and **Client secret** fields with the GitHub OAuth App you just created.

4. After filling in all the required fields, try to click **Test connection**.

5. If everything is OK, click the **Create** button.

6. Go to your GitHub [Public profile](https://github.com/settings/profile), make sure your **Public email** is set to the email you intend to use for SSO. Otherwise, the SSO will not work.

   <img src="https://mintcdn.com/dbx/VmH49kiwLiErec4u/content/docs/administration/sso/gh-public-profile.webp?fit=max&auto=format&n=VmH49kiwLiErec4u&q=85&s=351c055772bbadfd9fd830ddd5e67c9e" alt="gh-public-profile" width="720" height="369" data-path="content/docs/administration/sso/gh-public-profile.webp" />

### GitLab

1. Follow [Configure GitLab as an OAuth 2.0 authentication identity provider](https://docs.gitlab.com/ee/integration/oauth_provider.html) to create an OAuth 2 application in GitLab.

   <img src="https://mintcdn.com/dbx/VmH49kiwLiErec4u/content/docs/administration/sso/gitlab-oauth-app-config.webp?fit=max&auto=format&n=VmH49kiwLiErec4u&q=85&s=fcd6d7fc6f76c174f2e9a50e1cba6ac2" alt="gitlab-oauth-app-config" width="2044" height="1644" data-path="content/docs/administration/sso/gitlab-oauth-app-config.webp" />

2. Open creating SSO dialog and select the **GitLab** template.

3. Update the **Client ID** and **Client secret** fields with the GitLab OAuth 2 application you just created.

4. After filling in all the required fields, try to click **Test connection**.

5. If everything is OK, click the **Create** button.

### Microsoft Entra (Azure AD)

1. Follow the [Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) to create an Application in [Microsoft Entra admin center](https://entra.microsoft.com/).

2. Note the **Application ID** for later use. Click the **Endpoints** tab and note both the **OAuth 2.0 authorization endpoint** and **OAuth 2.0 token endpoint**.

   <img src="https://mintcdn.com/dbx/VmH49kiwLiErec4u/content/docs/administration/sso/entra-endpoints.webp?fit=max&auto=format&n=VmH49kiwLiErec4u&q=85&s=703a030c40874a25485961e62fac57c3" alt="entra-endpoints" width="1580" height="946" data-path="content/docs/administration/sso/entra-endpoints.webp" />

3. Create a client secret in the **Client credentials** tab and note the **Value** for later use.

   <img src="https://mintcdn.com/dbx/VmH49kiwLiErec4u/content/docs/administration/sso/entra-client-secret.webp?fit=max&auto=format&n=VmH49kiwLiErec4u&q=85&s=b52494f96b98fb6320d9a8d585ab2ea9" alt="entra-client-secret" width="3158" height="1422" data-path="content/docs/administration/sso/entra-client-secret.webp" />

4. Click **IAM & Admin > SSO** in Bytebase workspace, then click **+ Create SSO**. Choose **OAuth 2.0** and select **Microsoft Entra** template.

5. Name it as you want, update the **Client ID**, **Client secret** and the **Endpoints** fields with the OAuth 2.0 client credential you just created.

   <img src="https://mintcdn.com/dbx/VmH49kiwLiErec4u/content/docs/administration/sso/bb-entra-sso-config.webp?fit=max&auto=format&n=VmH49kiwLiErec4u&q=85&s=14ae05d28dc11cc5955b3d43e4dfbda8" alt="entra-sso-config" width="2622" height="1582" data-path="content/docs/administration/sso/bb-entra-sso-config.webp" />

6. We will need to copy the **Authorization Redirect URL** and add it back to the **Redirect URIs** in the Microsoft Entra application.

   <img src="https://mintcdn.com/dbx/VmH49kiwLiErec4u/content/docs/administration/sso/et-redirect-url.webp?fit=max&auto=format&n=VmH49kiwLiErec4u&q=85&s=8e763f8ef68ca4a36af3adb03b31cc5e" alt="et-redirect-url" width="2860" height="1400" data-path="content/docs/administration/sso/et-redirect-url.webp" />

7. After filling in all the required fields, try to click **Test connection**.

8. If everything is OK, click the **Create** button.
