OAuth
Configuration
Configure OAuth settings in structr.conf or through the Configuration Interface.
Enabling Providers
Control which OAuth providers are available using the oauth.servers setting:
| Setting | Description |
|---|---|
| oauth.servers | Space-separated list of enabled OAuth providers (e.g., google github azure). Defaults to all available providers: auth0 azure facebook github google linkedin keycloak |
Provider Settings
Each provider requires a client ID and client secret. Most providers also support simplified tenant-based configuration where endpoints are constructed automatically.
Recommended Approach: Tenant-Based Configuration
For providers that support it, use the tenant/server settings and Structr will automatically construct the authorization, token, and userinfo endpoints:
Auth0
oauth.auth0.tenant = your-tenant.auth0.com
oauth.auth0.client_id = <your-client-id>
oauth.auth0.client_secret = <your-client-secret>
Microsoft Entra ID (Azure AD)
oauth.azure.tenant_id = <your-tenant-id>
oauth.azure.client_id = <your-client-id>
oauth.azure.client_secret = <your-client-secret>
Keycloak
oauth.keycloak.server_url = https://keycloak.example.com
oauth.keycloak.realm = master
oauth.keycloak.client_id = <your-client-id>
oauth.keycloak.client_secret = <your-client-secret>
Other Providers (Google, GitHub, Facebook, LinkedIn)
These providers use default endpoints and only require credentials:
oauth.google.client_id = <your-client-id>
oauth.google.client_secret = <your-client-secret>
Complete Provider Settings Reference
The following table shows all available settings. Replace <provider> with the provider name (auth0, azure, google, facebook, github, linkedin, keycloak).
General Settings (All Providers)
| Setting | Required | Description |
|---|---|---|
| oauth.<provider>.client_id | Yes | Client ID from the OAuth provider |
| oauth.<provider>.client_secret | Yes | Client secret from the OAuth provider |
| oauth.<provider>.redirect_uri | No | Callback URL that the provider calls after successful authentication. Defaults to /oauth/<provider>/auth |
| oauth.<provider>.error_uri | No | Page to redirect to when authentication fails. Defaults to /error |
| oauth.<provider>.return_uri | No | Page to redirect to after successful login. Defaults to / |
| oauth.<provider>.logout_uri | No | Logout URI. Defaults to /logout |
| oauth.<provider>.scope | No | OAuth scope. Defaults vary by provider |
Tenant/Server-Based Configuration (Recommended)
Auth0
| Setting | Required | Description |
|---|---|---|
| oauth.auth0.tenant | Recommended | Auth0 tenant domain (e.g., your-tenant.auth0.com). When set, endpoints are built automatically |
| oauth.auth0.authorization_path | No | Path to authorization endpoint. Defaults to /authorize |
| oauth.auth0.token_path | No | Path to token endpoint. Defaults to /oauth/token |
| oauth.auth0.userinfo_path | No | Path to userinfo endpoint. Defaults to /userinfo |
| oauth.auth0.audience | No | The API audience (identifier) of your Auth0 API. Required for API access tokens |
Azure AD
| Setting | Required | Description |
|---|---|---|
| oauth.azure.tenant_id | Yes | Azure AD tenant ID, or common for multi-tenant apps, or organizations for work accounts only. Defaults to common |
Keycloak
| Setting | Required | Description |
|---|---|---|
| oauth.keycloak.server_url | Yes | Keycloak server URL (e.g., https://keycloak.example.com) |
| oauth.keycloak.realm | Yes | Keycloak realm name. Defaults to master |
Manual Endpoint Configuration (Advanced)
If you don’t use tenant-based configuration or need to override endpoints:
| Setting | Description |
|---|---|
| oauth.<provider>.authorization_location | Full URL of the authorization endpoint |
| oauth.<provider>.token_location | Full URL of the token endpoint |
| oauth.<provider>.user_details_resource_uri | Full URL where Structr retrieves user details |
Required Global Setting
Enable automatic user creation so Structr can create user nodes for new OAuth users:
| Setting | Value |
|---|---|
| jsonrestservlet.user.autocreate | true |
Provider-Specific Examples
Microsoft Entra ID (Azure AD)
oauth.servers = azure
oauth.azure.tenant_id = <your-tenant-id>
oauth.azure.client_id = <your-client-id>
oauth.azure.client_secret = <your-client-secret>
oauth.azure.return_uri = /
jsonrestservlet.user.autocreate = true
Google
oauth.servers = google
oauth.google.client_id = <your-client-id>
oauth.google.client_secret = <your-client-secret>
jsonrestservlet.user.autocreate = true
GitHub
oauth.servers = github
oauth.github.client_id = <your-client-id>
oauth.github.client_secret = <your-client-secret>
jsonrestservlet.user.autocreate = true
Keycloak
oauth.servers = keycloak
oauth.keycloak.server_url = https://keycloak.example.com
oauth.keycloak.realm = production
oauth.keycloak.client_id = <your-client-id>
oauth.keycloak.client_secret = <your-client-secret>
jsonrestservlet.user.autocreate = true
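
A pre-deployment check for the settings documented above, as an added example that is not part of Structr or its documentation: it parses a structr.conf and reports enabled providers with missing or placeholder credentials, defaults that apply silently, and endpoint URLs that are not https. The function names, the constructed sample configuration, the handling of `#` comment lines and the https check are assumptions of this example.

```python
# Added example (not Structr code): lint the OAuth keys of a structr.conf.
ALL_PROVIDERS = "auth0 azure facebook github google linkedin keycloak".split()
REQUIRED = {"keycloak": ["server_url"]}          # besides client_id/client_secret
DEFAULTED = {"azure": ("tenant_id", "common"), "keycloak": ("realm", "master")}
URL_KEYS = ("server_url", "authorization_location", "token_location",
            "user_details_resource_uri")

# Constructed sample input, not a real deployment.
SAMPLE = """\
oauth.servers = azure keycloak
oauth.azure.client_id = 11111111-aaaa
oauth.azure.client_secret = <your-client-secret>
oauth.keycloak.server_url = http://keycloak.example.com
oauth.keycloak.realm = production
oauth.keycloak.client_id = structr
oauth.keycloak.client_secret = s3cr3t-constructed
"""

def parse_conf(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def lint_oauth(text):
    """Return findings for the OAuth settings described on this page."""
    conf, out = parse_conf(text), []
    servers = conf.get("oauth.servers")
    if servers is None:
        out.append("oauth.servers unset: every provider is enabled by default")
    enabled = ALL_PROVIDERS if servers is None else servers.split()
    for p in enabled:
        if p not in ALL_PROVIDERS:
            out.append(f"{p}: not a known provider name")
            continue
        for name in ["client_id", "client_secret"] + REQUIRED.get(p, []):
            value = conf.get(f"oauth.{p}.{name}", "")
            if not value or (value[0] == "<" and value[-1] == ">"):
                out.append(f"{p}: {name} missing or still a placeholder")
        if p in DEFAULTED and f"oauth.{p}.{DEFAULTED[p][0]}" not in conf:
            out.append(f"{p}: {DEFAULTED[p][0]} unset, default '{DEFAULTED[p][1]}' applies")
        for name in URL_KEYS:  # added hardening check: endpoints should use TLS
            if not conf.get(f"oauth.{p}.{name}", "https://").startswith("https://"):
                out.append(f"{p}: {name} is not an https:// URL")
    if conf.get("jsonrestservlet.user.autocreate") != "true":
        out.append("jsonrestservlet.user.autocreate is not true")
    return out
```

Calling `lint_oauth(SAMPLE)` returns four findings: the Azure placeholder secret, the implicit `common` tenant, the plain-http Keycloak URL and the missing autocreate setting.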