Social sign-in

You'll learn how to register redirect URIs, create a social provider connection in SqlOS, and test the hosted login flow.

Prerequisites

SqlOS running with password login or another primary flow
Admin access to /sqlos/admin/auth/

Goal#

Users click provider buttons such as Continue with Google, Continue with Microsoft, or Continue with GitHub on the hosted AuthPage.

Google#

In Google Cloud Console, create an OAuth Web application client.
Open /sqlos/admin/auth/oidc in your running app.
Create a connection with provider Google, your client ID and secret.
Copy the callback URI SqlOS shows (includes your connection id) and add it to Google’s authorized redirect URIs.
Enable the connection in the dashboard.

See Google OIDC for curl-based setup and failure modes.

Microsoft#

Register an app in Microsoft Entra (App registrations).
Add a redirect URI matching SqlOS (same pattern as Google).
Create the connection in /sqlos/admin/auth/oidc with provider Microsoft.
Enable the connection.

See Microsoft OIDC.

GitHub#

Create a GitHub OAuth App in GitHub Developer settings.
Open /sqlos/admin/auth/oidc in your running app.
Create a connection with provider GitHub, your GitHub OAuth App client ID, and client secret.
Copy the provider callback URI SqlOS shows and set it as the GitHub OAuth App Authorization callback URL.
Enable the connection.

SqlOS requests read:user and user:email by default so it can load the GitHub profile and verified primary email address. See GitHub OIDC for dashboard, API, and code-first setup.

Seed from startup#

Instead of clicking through the dashboard, you can seed a connection from code so it exists on a fresh database. This is consistent with SeedAuthPage, SeedAuthEmails, and client seeding: the bootstrapper reconciles the connection on startup, matched by provider type (and display name for custom providers).

CSHARP

builder.AddSqlOS<AppDbContext>(options =>
{
    var auth = options.AuthServer;
 
    // "Continue with Microsoft". Keep secrets in configuration/user-secrets, never in source.
    auth.SeedMicrosoftConnection(
        clientId: builder.Configuration["SqlOS:Oidc:Microsoft:ClientId"]!,
        clientSecret: builder.Configuration["SqlOS:Oidc:Microsoft:ClientSecret"]!,
        tenant: "common",
        "https://your-app.example.com/sqlos/auth/oidc/callback");
 
    // "Continue with Google".
    auth.SeedGoogleConnection(
        clientId: builder.Configuration["SqlOS:Oidc:Google:ClientId"]!,
        clientSecret: builder.Configuration["SqlOS:Oidc:Google:ClientSecret"]!,
        "https://your-app.example.com/sqlos/auth/oidc/callback");
 
    // "Continue with GitHub". GitHub uses OAuth profile/email lookup through the same social provider surface.
    auth.SeedGitHubConnection(
        clientId: builder.Configuration["SqlOS:Oidc:GitHub:ClientId"]!,
        clientSecret: builder.Configuration["SqlOS:Oidc:GitHub:ClientSecret"]!,
        "https://your-app.example.com/sqlos/auth/oidc/callback");
});

For Apple or fully custom providers, use the general form:

CSHARP

auth.SeedOidcConnection(oidc =>
{
    oidc.ProviderType = SqlOSOidcProviderType.Custom;
    oidc.DisplayName = "Acme Identity";
    oidc.ClientId = builder.Configuration["SqlOS:Oidc:Acme:ClientId"]!;
    oidc.ClientSecret = builder.Configuration["SqlOS:Oidc:Acme:ClientSecret"];
    oidc.DiscoveryUrl = "https://id.acme.com/.well-known/openid-configuration";
    oidc.AllowedCallbackUris = ["https://your-app.example.com/sqlos/auth/oidc/callback"];
});

Seeding behavior

Seeds are reconciled on every startup. Client id, callbacks, scopes, and endpoints are kept in sync with your code.
A client secret is only overwritten when the seed supplies one, so configuration without a secret never clears a stored credential.
Enable/disable is owner-managed once the connection exists: a manual disable from the dashboard survives restarts.
Add the same SqlOS-owned callback URI to the provider (Entra, Google, GitHub, etc.). The dashboard shows the callback after the first boot.

Test#

Open your app’s login entry point (or /sqlos/auth/login).
Enter an email and choose the social provider.
Complete the IdP flow and confirm you land back in your app with a valid session.

Home realm discovery

If the email domain matches an org SAML connection, SqlOS routes to SSO instead of social login. See Home realm discovery.

Next steps#

Google#

In Google Cloud Console, create an OAuth Web application client.

Open /sqlos/admin/auth/oidc in your running app.

Create a connection with provider Google, your client ID and secret.

Copy the callback URI SqlOS shows (includes your connection id) and add it to Google’s authorized redirect URIs.

Enable the connection in the dashboard.

See Google OIDC for curl-based setup and failure modes.

GitHub#

Create a GitHub OAuth App in GitHub Developer settings.

Open /sqlos/admin/auth/oidc in your running app.

Create a connection with provider GitHub, your GitHub OAuth App client ID, and client secret.

Copy the provider callback URI SqlOS shows and set it as the GitHub OAuth App Authorization callback URL.

Enable the connection.

SqlOS requests read:user and user:email by default so it can load the GitHub profile and verified primary email address. See GitHub OIDC for dashboard, API, and code-first setup.

Seed from startup#

CSHARP

builder.AddSqlOS<AppDbContext>(options =>
{
    var auth = options.AuthServer;
 
    // "Continue with Microsoft". Keep secrets in configuration/user-secrets, never in source.
    auth.SeedMicrosoftConnection(
        clientId: builder.Configuration["SqlOS:Oidc:Microsoft:ClientId"]!,
        clientSecret: builder.Configuration["SqlOS:Oidc:Microsoft:ClientSecret"]!,
        tenant: "common",
        "https://your-app.example.com/sqlos/auth/oidc/callback");
 
    // "Continue with Google".
    auth.SeedGoogleConnection(
        clientId: builder.Configuration["SqlOS:Oidc:Google:ClientId"]!,
        clientSecret: builder.Configuration["SqlOS:Oidc:Google:ClientSecret"]!,
        "https://your-app.example.com/sqlos/auth/oidc/callback");
 
    // "Continue with GitHub". GitHub uses OAuth profile/email lookup through the same social provider surface.
    auth.SeedGitHubConnection(
        clientId: builder.Configuration["SqlOS:Oidc:GitHub:ClientId"]!,
        clientSecret: builder.Configuration["SqlOS:Oidc:GitHub:ClientSecret"]!,
        "https://your-app.example.com/sqlos/auth/oidc/callback");
});

For Apple or fully custom providers, use the general form:

CSHARP

auth.SeedOidcConnection(oidc =>
{
    oidc.ProviderType = SqlOSOidcProviderType.Custom;
    oidc.DisplayName = "Acme Identity";
    oidc.ClientId = builder.Configuration["SqlOS:Oidc:Acme:ClientId"]!;
    oidc.ClientSecret = builder.Configuration["SqlOS:Oidc:Acme:ClientSecret"];
    oidc.DiscoveryUrl = "https://id.acme.com/.well-known/openid-configuration";
    oidc.AllowedCallbackUris = ["https://your-app.example.com/sqlos/auth/oidc/callback"];
});

Seeding behavior

Seeds are reconciled on every startup. Client id, callbacks, scopes, and endpoints are kept in sync with your code.
A client secret is only overwritten when the seed supplies one, so configuration without a secret never clears a stored credential.
Enable/disable is owner-managed once the connection exists: a manual disable from the dashboard survives restarts.
Add the same SqlOS-owned callback URI to the provider (Entra, Google, GitHub, etc.). The dashboard shows the callback after the first boot.

Test#

Open your app’s login entry point (or /sqlos/auth/login).

Enter an email and choose the social provider.

Complete the IdP flow and confirm you land back in your app with a valid session.

Home realm discovery

If the email domain matches an org SAML connection, SqlOS routes to SSO instead of social login. See Home realm discovery.

Add social login

Goal#

Google#

Microsoft#

GitHub#

Seed from startup#

Test#

Next steps#

Add social login

Goal#

Google#

Microsoft#

GitHub#

Seed from startup#

Test#

Next steps#