OAuth & LDAP
Sairo supports external authentication via Google OAuth, GitHub OAuth, and LDAP. Users authenticated through external providers are auto-provisioned on first login.
Google OAuth
Google OAuth uses the OpenID Connect authorization code flow.
- Go to the Google Cloud Console
- Create an OAuth 2.0 Client ID (Web application type)
- Add the authorized redirect URI: https://your-domain/api/auth/oauth/google/callback
- Copy the Client ID and Client Secret
Configuration

```yaml
environment:
  OAUTH_GOOGLE_CLIENT_ID: "your-client-id.apps.googleusercontent.com"
  OAUTH_GOOGLE_CLIENT_SECRET: "your-client-secret"
  OAUTH_ALLOWED_DOMAINS: "yourcompany.com,subsidiary.com"
```

OAUTH_ALLOWED_DOMAINS restricts which email domains can authenticate. It is comma-separated, with no spaces. If it is not set, any Google account can log in, and because accounts are auto-provisioned on first login, any Google account holder then receives a Sairo account with the default role.
The login flow is:
- User clicks Sign in with Google on the login page
- User authenticates with Google and grants consent
- Google redirects to /api/auth/oauth/google/callback with an authorization code
- Sairo exchanges the code for an ID token and extracts the email and name
- If the user does not exist, a new account is created with the configured default role
- A JWT session cookie is issued
GitHub OAuth
- Go to GitHub Developer Settings
- Create a new OAuth App
- Set the Authorization callback URL to: https://your-domain/api/auth/oauth/github/callback
- Copy the Client ID and Client Secret
Configuration

```yaml
environment:
  OAUTH_GITHUB_CLIENT_ID: "your-client-id"
  OAUTH_GITHUB_CLIENT_SECRET: "your-client-secret"
```

The login flow is:
- User clicks Sign in with GitHub on the login page
- User authenticates with GitHub
- GitHub redirects to /api/auth/oauth/github/callback with an authorization code
- Sairo exchanges the code for an access token and fetches the user's profile
- If the user does not exist, a new account is created with the configured default role
- A JWT session cookie is issued
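Both OAuth flows end with Sairo creating an account from the email address the provider reports, so the checks made before that step decide who can get in. The following is an added example, not Sairo's code and not any library's API, of the identity validation an OAuth callback should perform before provisioning: for the Google flow, checking the ID token's standard claims (the signature check against Google's JWKS is assumed to have been done already and is out of scope here) and enforcing OAUTH_ALLOWED_DOMAINS with an exact domain comparison; for the GitHub flow, taking the primary verified address from the /user/emails endpoint rather than the profile's public email field, which is null when the user keeps the address private. The function names are hypothetical; the claim names and the /user/emails fields are the real ones.

```python
"""Added example (not Sairo's code): identity checks before auto-provisioning an
account from a Google ID token or a GitHub profile. Signature verification of the
ID token is assumed to have happened already; claim names (iss, aud, exp, email,
email_verified, name) and GitHub's /user/emails fields (email, primary, verified,
visibility) are the real ones. Function names are hypothetical."""
from __future__ import annotations

import time
from dataclasses import dataclass

GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


class AuthError(Exception):
    """Raised when the callback must be refused; the caller shows a login error."""


@dataclass(frozen=True)
class ExternalIdentity:
    email: str   # normalised to lower case; used as the account key
    name: str


def parse_allowed_domains(value: str | None) -> frozenset[str]:
    """Parse OAUTH_ALLOWED_DOMAINS ("a.com,b.com", no spaces). Unset means allow all."""
    if not value:
        return frozenset()
    return frozenset(d.strip().lower() for d in value.split(",") if d.strip())


def email_domain_allowed(email: str, allowed: frozenset[str]) -> bool:
    """Exact, case-insensitive domain match against the allowlist. A suffix match
    would admit notyourcompany.com; sub-domains must be listed explicitly, as the
    configuration above does for subsidiary.com."""
    if not allowed:
        return True
    local, at, domain = email.rpartition("@")
    if not (at and local and domain):
        return False
    return domain.lower() in allowed


def identity_from_google(claims: dict, client_id: str, allowed: frozenset[str],
                         now: float | None = None) -> ExternalIdentity:
    """Google flow, step 4: validate the decoded ID-token claims, then apply the allowlist."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise AuthError("ID token not issued by Google")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise AuthError("ID token issued for a different client")
    if float(claims.get("exp", 0)) <= now:
        raise AuthError("ID token expired")
    if claims.get("email_verified") is not True:
        raise AuthError("Google has not verified this email address")
    email = claims["email"]
    if not email_domain_allowed(email, allowed):
        raise AuthError(f"{email} is not in OAUTH_ALLOWED_DOMAINS")
    return ExternalIdentity(email=email.lower(), name=claims.get("name") or email)


def identity_from_github(profile: dict, emails: list[dict]) -> ExternalIdentity:
    """GitHub flow, step 4: the /user profile's "email" is null for users who keep
    it private, so take the entry from /user/emails that is primary AND verified.
    Provisioning on an unverified address would let someone claim a colleague's."""
    for entry in emails:
        if entry.get("primary") and entry.get("verified"):
            return ExternalIdentity(email=entry["email"].lower(),
                                    name=profile.get("name") or profile.get("login") or entry["email"])
    raise AuthError("GitHub account has no primary, verified email address")
```

Whether OAUTH_ALLOWED_DOMAINS also applies to GitHub logins is not stated on this page; if it should, the same email_domain_allowed check can be run on the GitHub identity before provisioning.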
LDAP
LDAP authentication binds against your directory server to verify credentials.
Configuration

```yaml
environment:
  LDAP_ENABLED: "true"
  LDAP_SERVER: "ldap://ldap.yourcompany.com:389"
  LDAP_BASE_DN: "ou=people,dc=yourcompany,dc=com"
  LDAP_USER_FILTER: "(sAMAccountName={username})"   # default; use "(uid={username})" for OpenLDAP
  LDAP_BIND_DN: "cn=readonly,dc=yourcompany,dc=com"
  LDAP_BIND_PASSWORD: "bind-password"
  LDAP_ADMIN_GROUP: "cn=sairo-admins,ou=groups,dc=yourcompany,dc=com"
```

| Variable | Description |
|---|---|
| LDAP_ENABLED | Set to true to enable LDAP login |
| LDAP_SERVER | LDAP server URI (supports ldap:// and ldaps://) |
| LDAP_BASE_DN | Base DN for user searches |
| LDAP_USER_FILTER | Search filter; {username} is replaced with the login username |
| LDAP_BIND_DN | DN of the service account used to search for users |
| LDAP_BIND_PASSWORD | Password for the bind DN |
| LDAP_ADMIN_GROUP | LDAP group DN whose members are assigned the admin role |

A simple bind sends the user's password to the server in the clear, so use ldaps:// (or otherwise encrypt the connection) wherever the network path to the directory is not trusted. The bind DN only needs permission to search for users under LDAP_BASE_DN; it does not need write access.
The login flow is:
- User enters their LDAP username and password on the login page
- Sairo binds with the service account to search for the user DN
- Sairo attempts to bind with the found user DN and the provided password
- If the bind succeeds and the user is a member of LDAP_ADMIN_GROUP, they get the admin role; otherwise they get the default role
- If the user does not exist in Sairo, a new account is created
- A JWT session cookie is issued
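Two details of this flow decide whether it is safe, and the page does not say how Sairo handles them: the login username is substituted into LDAP_USER_FILTER, so it must be escaped per RFC 4515 or the user can supply filter syntax and wildcards; and a simple bind with a DN and an empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2) that some servers, Active Directory among them, accept, so an empty password must be rejected before the user bind. The following is an added example, not Sairo's code: the flow implemented with both checks against a constructed in-memory directory, so it runs offline without an LDAP client library. The configuration values are the ones above; using the memberOf attribute for the group check is an assumption.

```python
"""Added example, not Sairo's code: the LDAP login flow above, run against a
constructed in-memory directory so it executes offline. The stand-in models two
real server behaviours: an unescaped '*' in a filter value is a wildcard, and a
simple bind with an empty password is an unauthenticated bind (RFC 4513 5.1.2)
that some servers accept. How Sairo escapes the username or evaluates group
membership is not stated on the page; memberOf is assumed here."""
from __future__ import annotations

import re

LDAP_BASE_DN = "ou=people,dc=yourcompany,dc=com"      # values from the config above
LDAP_USER_FILTER = "(sAMAccountName={username})"
LDAP_BIND_DN = "cn=readonly,dc=yourcompany,dc=com"
LDAP_BIND_PASSWORD = "bind-password"
LDAP_ADMIN_GROUP = "cn=sairo-admins,ou=groups,dc=yourcompany,dc=com"
LDAP_DEFAULT_ROLE = "viewer"

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Substitute {username} into LDAP_USER_FILTER with the login name escaped, so it
    can neither change the filter's structure nor introduce wildcards."""
    return template.replace("{username}", escape_filter_value(username))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _server_match(attr_value: str, raw: str) -> bool:
    """Evaluate '(attr=raw)' as a server does: raw '*' is a wildcard, '\\2a' a literal."""
    parts = [_unescape(p) for p in raw.split("*")]
    if len(parts) == 1:
        return attr_value == parts[0]
    if not (attr_value.startswith(parts[0]) and attr_value.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:
        idx = attr_value.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return pos <= len(attr_value) - len(parts[-1])


class FakeDirectory:
    """Constructed stand-in for the directory server; not an LDAP client."""

    def __init__(self, entries: dict[str, dict], passwords: dict[str, str]):
        self.entries, self.passwords = entries, passwords   # dn -> attrs, dn -> password

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            return True          # unauthenticated bind: succeeds without proving anything
        return self.passwords.get(dn) == password

    def search_one(self, base_dn: str, filt: str) -> str | None:
        """Return the single DN matching an '(attr=value)' filter; None otherwise."""
        if not (filt.startswith("(") and filt.endswith(")")):
            raise ValueError("unsupported filter")
        attr, _, raw = filt[1:-1].partition("=")
        hits = [dn for dn, attrs in self.entries.items()
                if dn.endswith(base_dn) and _server_match(attrs.get(attr, ""), raw)]
        return hits[0] if len(hits) == 1 else None   # ambiguous counts as not found


def ldap_login(directory: FakeDirectory, username: str, password: str):
    """The flow above; returns (user_dn, role) on success or None on failure."""
    if password == "":
        return None                                            # never bind with an empty password
    if not directory.simple_bind(LDAP_BIND_DN, LDAP_BIND_PASSWORD):
        raise RuntimeError("service account bind failed")     # step 2
    user_dn = directory.search_one(LDAP_BASE_DN, build_user_filter(LDAP_USER_FILTER, username))
    if user_dn is None or not directory.simple_bind(user_dn, password):
        return None                                            # step 3
    groups = directory.entries[user_dn].get("memberOf", [])
    role = "admin" if LDAP_ADMIN_GROUP in groups else LDAP_DEFAULT_ROLE   # step 4
    return user_dn, role


ALICE = "cn=alice,ou=people,dc=yourcompany,dc=com"   # constructed directory contents
BOB = "cn=bob,ou=people,dc=yourcompany,dc=com"
DIRECTORY = FakeDirectory(
    entries={LDAP_BIND_DN: {},
             ALICE: {"sAMAccountName": "alice", "memberOf": [LDAP_ADMIN_GROUP]},
             BOB: {"sAMAccountName": "bob", "memberOf": []}},
    passwords={LDAP_BIND_DN: LDAP_BIND_PASSWORD, ALICE: "alice-pw", BOB: "bob-pw"},
)
```

ldap_login(DIRECTORY, "alice", "alice-pw") returns alice's DN with the admin role. A username of "a*" finds nobody because the asterisk is escaped to \2a, whereas the unescaped filter (sAMAccountName=a*) matches alice's entry; combined with an accepted empty-password bind, that is how an unescaped filter turns into a login as somebody else. search_one also treats more than one match as a failure, which is the right default whenever the filter contains user input.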
Default Role for New Users
OAuth and LDAP have separate default role variables:

```yaml
environment:
  OAUTH_DEFAULT_ROLE: "viewer"   # for Google/GitHub OAuth users
  LDAP_DEFAULT_ROLE: "viewer"    # for LDAP users
```

Both default to viewer. New users get no bucket permissions until an admin assigns them.
2FA After External Auth
Two-factor authentication still applies after external authentication. If a user who authenticated via Google, GitHub, or LDAP has 2FA enabled on their Sairo account, they are prompted for a TOTP code after the external auth completes.