Using OAuth2.0 for Authentication
Note
{BASE_URL}/passport/oauth2/callback.| Environment Variable Name | Meaning | Default Value | Others |
|---|---|---|---|
| OAUTH2_ENABLE | Whether to enable OAuth2.0 login service | Set to true to enable, or leave blank or unset to disable | |
| OAUTH2_AUTH_URL | OAuth2.0 application login authorization link | Required when enabling OAuth2.0 service | |
| OAUTH2_ACCESS_TOKEN_URL | OAuth2.0 application link to exchange AccessToken | Required when enabling OAuth2.0 service | |
| OAUTH2_USER_INFO_URL | URL to exchange personal information based on access token | Required when enabling OAuth2.0 service | |
| OAUTH2_CLIENT_ID | OAuth2.0 application ID | Required when enabling OAuth2.0 service | |
| OAUTH2_CLIENT_SECRET | OAuth2.0 application access Secret | Required when enabling OAuth2.0 service | |
| OAUTH2_SCOPE | Scope | email,profile,openid | Configuration is typically required as described in the provider's documentation. The default value is compatible with Azure AD and Okta. |
| OAUTH2_USER_ID_ATTR | Default is 'id', used as the unique id for OAuth2.0 user attributes | id | Optional |
| OAUTH2_USER_EMAIL_ATTR | Email field | Optional | |
| OAUTH2_USER_NAME_ATTR | Name field | name | Optional |
| OAUTH2_USER_AVATAR_ATTR | Avatar field | avatar | Optional |
| OAUTH2_LOGIN_TITLE | Control the button text which was showed on client Login page | Continue with OAuth 2.0 | Optional |
Configuration Example
For Microsoft Entra ID (formerly Azure Active Directory) OIDC
- name: OAUTH2_ENABLE
value: 'true'
- name: OAUTH2_AUTH_URL
value: >-
https://login.microsoftonline.com/example-....-example/oauth2/v2.0/authorize
- name: OAUTH2_ACCESS_TOKEN_URL
value: >-
https://login.microsoftonline.com/example-....-example/oauth2/v2.0/token
- name: OAUTH2_CLIENT_ID
value: <client-id>
- name: OAUTH2_CLIENT_SECRET
value: <client-secret>
- name: OAUTH2_LOGIN_TITLE
value: Continue with Azure AD
- name: OAUTH2_USER_INFO_URL
value: https://graph.microsoft.com/oidc/userinfo
- name: OAUTH2_SCOPE
value: 'sub,email,profile,openid'
- name: OAUTH2_USER_ID_ATTR
value: subDifferent version of OIDC may require a different scope, for example:
- name: OAUTH2_ENABLE
value: 'true'
- name: OAUTH2_AUTH_URL
value: >-
https://login.microsoftonline.com/example-....-example/oauth2/v2.0/authorize
- name: OAUTH2_ACCESS_TOKEN_URL
value: >-
https://login.microsoftonline.com/example-....-example/oauth2/v2.0/token
- name: OAUTH2_CLIENT_ID
value: <client-id>
- name: OAUTH2_CLIENT_SECRET
value: <client-secret>
- name: OAUTH2_LOGIN_TITLE
value: Continue with Azure AD
- name: OAUTH2_USER_INFO_URL
value: https://graph.microsoft.com/v1.0/me
- name: OAUTH2_SCOPE
value: 'email,profile,openid,user.read'
- name: OAUTH2_USER_ID_ATTR
value: idFor other
- name: OAUTH2_ENABLE
value: 'true'
- name: OAUTH2_AUTH_URL
value: https://example.com/oauth/auth
- name: OAUTH2_ACCESS_TOKEN_URL
value: https://example.com/oauth/token
- name: OAUTH2_CLIENT_ID
value: <client-id>
- name: OAUTH2_CLIENT_SECRET
value: <client-secret>
- name: OAUTH2_LOGIN_TITLE
value: Continue with Azure AD
- name: OAUTH2_USER_INFO_URL
value: https://example.com/oauth/me
- name: OAUTH2_SCOPE
value: 'email,profile,openid'
- name: OAUTH2_USER_ID_ATTR
value: idModified at 2025-12-08 05:03:55