-
Notifications
You must be signed in to change notification settings - Fork 484
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add docs for third party OIDC providers #1769
feat: Add docs for third party OIDC providers #1769
Conversation
Hey, here’s your docs preview: https://clerk.com/docs/pr/1769 |
cbd1cc6
to
e837507
Compare
e837507
to
7640084
Compare
docs/authentication/enterprise-connections/oidc/custom-provider.mdx
Outdated
Show resolved
Hide resolved
docs/authentication/enterprise-connections/oidc/custom-provider.mdx
Outdated
Show resolved
Hide resolved
docs/authentication/enterprise-connections/oidc/custom-provider.mdx
Outdated
Show resolved
Hide resolved
1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. | ||
1. Select **Add connection** and select **For specific domains**. | ||
1. Under **Third party**, select **OIDC**. | ||
1. Add the **Name** of the connection. | ||
1. Add the **Key** of the provider. This is the provider's unique identifier (cannot be changed after creation). | ||
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application. | ||
1. Select **Add connection**. You will be redirected to the connection's configuration page. | ||
|
||
The next steps involve configuring both your Identity Provider (IdP) and Clerk. Keep both dashboards open as you'll need to reference them. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
1. In the Clerk Dashboard, navigate to the [**SSO Connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. | |
1. Select **Add connection** and select **For specific domains**. | |
1. Under **Third party**, select **OIDC**. | |
1. Add the **Name** of the connection. | |
1. Add the **Key** of the provider. This is the provider's unique identifier (cannot be changed after creation). | |
1. Add the **Specific Domain** that you want to allow this connection for. This is the domain of the users you want to allow to sign in to your application. | |
1. Select **Add connection**. You will be redirected to the connection's configuration page. | |
The next steps involve configuring both your Identity Provider (IdP) and Clerk. Keep both dashboards open as you'll need to reference them. | |
1. In the Clerk Dashboard, navigate to the [**SSO connections**](https://dashboard.clerk.com/last-active?path=user-authentication/sso-connections) page. | |
1. Select **Add connection** and select **For specific domains**. | |
1. Under **Or connect a third party**, select **OIDC (OpenID Connect)**. | |
1. Enter the **Name** of the connection. | |
1. Enter the **Key** of the provider. This is the provider's unique identifier which cannot be changed after creation. | |
1. Enter the **Specific Domain**. This is the domain of the users you want to allow to sign in to your app. | |
1. Select **Add connection**. You'll be redirected to the connection's configuration page. Keep this page open. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Nikpolik where do users get the oauth_custom_
key? What's an example?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's up to them to set something so they can know from which connection each user was created!
docs/authentication/enterprise-connections/oidc/custom-provider.mdx
Outdated
Show resolved
Hide resolved
docs/authentication/enterprise-connections/oidc/custom-provider.mdx
Outdated
Show resolved
Hide resolved
docs/authentication/enterprise-connections/oidc/custom-provider.mdx
Outdated
Show resolved
Hide resolved
docs/authentication/enterprise-connections/oidc/custom-provider.mdx
Outdated
Show resolved
Hide resolved
docs/authentication/enterprise-connections/oidc/custom-provider.mdx
Outdated
Show resolved
Hide resolved
@Nikpolik, the docs are looking good. I'd love to see an example connection setup. |
@victoriaxyz I dm'd you the credentials for a dummy microsoft provider I have setup if you want to test this! Ping me if you want to look at this together! |
docs/authentication/enterprise-connections/oidc/custom-provider.mdx
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thank you so much 😸💖
Thanks for pairing with me to test this, @Nikpolik! :) Please feel free to change or edit the updates I added:
We should also update the SSO connection custom provider doc to match the following update in this doc:
cc: @alexisintech |
### Configure your IdP | ||
|
||
1. If necessary, create a new app in your IdP. | ||
1. In the connection's configuration page in the Clerk Dashboard, copy the **Authorized redirect URI**. | ||
1. In the Clerk Dashboard, navigate to the connection's settings page. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
they should already be there according to the last step in the previous step. so the copy before was correct
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Adjusted steps 1 and 2 to make this a bit more clear 8f754cb.
Also moved the discovery endpoint explanation to a Note so we can have all the required steps uninterrupted.
WDYT?
1. Add the minimum required scopes based on the IdP's documentation. Common OIDC scopes include `openid`, `email`, and `profile`. | ||
Most IdPs provide a **Discovery Endpoint** to retrieve metadata about an OIDC provider. If your IdP doesn't offer this endpoint or if you need greater control over the setup process, select **Use Manual Configuration** in the **Identity Provider Configuration** section to manually configure the connection. | ||
|
||
1. In the Clerk Dashboard, navigate to the connection's settings page. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You wouldn't get the client ID and client secret in the clerk dashboard. you would get those from your IdP and then paste them in the clerk dashboard. so i believe the copy before was correct
1. Select **Save**. | ||
|
||
### Configure attribute mapping (optional) | ||
|
||
If your provider returns claims in a non-standard format, use the **Attribute Mapping** section on the connection's configuration page to adjust the mapping of Clerk's user properties to match the IdP's claim attributes. Important Clerk user properties include `email`, `firstName`, and `lastName`. | ||
Attribute mapping allows you to map the IdP's claims with Clerk's user properties such as the `email_verified`. OIDC Enterprise connections require the [`email_verified` claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims:~:text=Section%C2%A05.7.-,email_verified,-boolean) to verify email ownership. However, some IdPs, such as Microsoft Azure Active Directory, might not return this claim or use a non-standard format. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Attribute mapping allows you to map the IdP's claims with Clerk's user properties such as the `email_verified`. OIDC Enterprise connections require the [`email_verified` claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims:~:text=Section%C2%A05.7.-,email_verified,-boolean) to verify email ownership. However, some IdPs, such as Microsoft Azure Active Directory, might not return this claim or use a non-standard format. | |
Attribute mapping allows you to map the IdP's claims with Clerk's user properties. OIDC enterprise connections require the [`email_verified` claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims:~:text=Section%C2%A05.7.-,email_verified,-boolean) to verify email ownership. However, some IdPs, such as Microsoft Azure Active Directory, might not return this claim or use a non-standard format. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed this section to be more similar to it's previous form 07e1f1a
It's not required for most users so I think keeping it brief is better to avoid confusion 🙂
1. In the Clerk Dashboard, navigate to the **Connection** tab of the connection's settings page. | ||
1. In the **Attribute Mapping** section, under the **Email address verified** field: | ||
|
||
- If the IdPs that provide the value, enter `email_verified`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- If the IdPs that provide the value, enter `email_verified`. | |
- If the IdP provides the value, enter `email_verified`. |
1. In the Clerk Dashboard, navigate to the **Connection** tab of the connection's settings page. | ||
1. In the **Attribute Mapping** section, under the **Email address verified** field: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
1. In the Clerk Dashboard, navigate to the **Connection** tab of the connection's settings page. | |
1. In the **Attribute Mapping** section, under the **Email address verified** field: | |
1. In the connection's settings page in the Clerk Dashboard, under **Attribute Mapping**, for the **Email address verified* field: |
1. In the **Attribute Mapping** section, under the **Email address verified** field: | ||
|
||
- If the IdPs that provide the value, enter `email_verified`. | ||
- For IdPs that do not provide the value, enter `xms_edov`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's use the same syntax as the sentence before, and use a contraction!
- For IdPs that do not provide the value, enter `xms_edov`. | |
- If the IdP doesn't provide the value, enter `xms_edov`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it's ok, I removed this part as it is to specific to Microsoft!
> [!CAUTION] | ||
> OIDC Enterprise connections require the `email_verified` claim to verify email ownership. If the IdP doesn't return this claim, you can set its default value of `true`. However, ensure you fully trust the IdP to prevent exploits like [nOAuth](https://www.descope.com/blog/post/noauth). | ||
> [!WARNING] | ||
> If the IdP doesn't return this claim, you can either leave the **Email address verified** field blank or set the **Default value** to `True`. This should only be done if you fully trust the IdP, as it can expose your app to [OAuth attacks](https://www.descope.com/blog/post/noauth). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this step mentions that the user should set the default value to true whether the idp returns the claim or not. but then this callout says the user should only do it if the idp doesn't return the claim. which is the correct case so we can update accordingly?
> If the IdP doesn't return this claim, you can either leave the **Email address verified** field blank or set the **Default value** to `True`. This should only be done if you fully trust the IdP, as it can expose your app to [OAuth attacks](https://www.descope.com/blog/post/noauth). | |
> If the IdP doesn't return this claim, you can either leave the **Email address verified** field blank or set the **Default value** to **True**. This should only be done if you fully trust the IdP, as it can expose your app to [OAuth attacks](https://www.descope.com/blog/post/noauth). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, the way you've rewritten it makes a lot more sense!
8eb549a
to
7337b3e
Compare
7337b3e
to
07e1f1a
Compare
1f2e03e
to
6f2718e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks awesome!! 😸💖
Co-authored-by: victoria <[email protected]> Co-authored-by: Alexis Aguilar <[email protected]>
Important
🔎 Previews:
This PR:
Adds instructions on how to configure any OIDC compatible OAuth provider to be used with enterprise_sso and enterprise_connections.
Also updated the overview to have an OIDC section similar to SAML that mentions EASIE and custom OAuth providers as an alternative.
Checklist
Note
/authentication/social-connections/custom-provider
doc re: manual configuration section