@@ -2,6 +2,7 @@ export const sections = [
22 { title: ' Overview' , id: ' overview' },
33 { title: ' JWT Authentication' , id: ' jwt-authentication' },
44 { title: ' Passwordless Authentication' , id: ' passwordless-authentication' },
5+ { title: ' OAuth / Social Login' , id: ' oauth-social-login' },
56 { title: ' User Management' , id: ' user-management' },
67 { title: ' User Profiles' , id: ' user-profiles' },
78 { title: ' RBAC' , id: ' rbac' },
@@ -250,6 +251,107 @@ curl -X POST http://localhost:8787/auth/magic-link/request \
250251
251252---
252253
254+ ## OAuth / Social Login
255+
256+ SonicJS supports OAuth2 social login through the ** OAuth Providers** plugin, allowing users to sign in with GitHub, Google, and other providers using the standard authorization code flow.
257+
258+ ### Supported Providers
259+
260+ | Provider | Scopes | Profile Data |
261+ | ----------| --------| --------------|
262+ | ** GitHub** | ` read:user ` , ` user:email ` | ID, email, name, avatar |
263+ | ** Google** | ` openid ` , ` email ` , ` profile ` | ID, email, name, avatar |
264+
265+ ### Quick Setup
266+
267+ 1 . Create an OAuth app on the provider (GitHub or Google)
268+ 2 . Navigate to ** Admin > Plugins > OAuth Providers**
269+ 3 . Enter your ** Client ID** and ** Client Secret** for each provider
270+ 4 . Toggle ** Enable** and save
271+
272+ ### OAuth Endpoints
273+
274+ <ApiEndpoint method = " GET" path = " /auth/oauth/:provider" description = " Redirect to provider authorization page" auth = { false } />
275+
276+ <ApiEndpoint method = " GET" path = " /auth/oauth/:provider/callback" description = " Handle OAuth callback and authenticate user" auth = { false } />
277+
278+ <ApiEndpoint method = " GET" path = " /auth/oauth/accounts" description = " List linked OAuth accounts for current user" auth = { true } />
279+
280+ <ApiEndpoint method = " POST" path = " /auth/oauth/link" description = " Link an OAuth provider to current account" auth = { true } />
281+
282+ <ApiEndpoint method = " POST" path = " /auth/oauth/unlink" description = " Unlink an OAuth provider from current account" auth = { true } />
283+
284+ ### Usage
285+
286+ Add social login buttons that point to the OAuth authorization endpoints:
287+
288+ <CodeGroup title = " Social Login" >
289+
290+ ``` html
291+ <a href =" /auth/oauth/github" >Sign in with GitHub</a >
292+ <a href =" /auth/oauth/google" >Sign in with Google</a >
293+ ```
294+
295+ ``` javascript
296+ // Programmatic redirect
297+ window .location .href = ' /auth/oauth/github' ;
298+ ```
299+
300+ </CodeGroup >
301+
302+ When a user authenticates via OAuth:
303+ - ** Existing OAuth link** — the user is logged in directly
304+ - ** Email matches an existing account** — the OAuth provider is automatically linked to the existing account
305+ - ** New user** — an account is created from the OAuth profile with the ` viewer ` role
306+
307+ ### Account Linking and Unlinking
308+
309+ Authenticated users can link additional OAuth providers or unlink existing ones:
310+
311+ <CodeGroup title = " Account Linking" >
312+
313+ ``` bash {{title:'Link a provider'}}
314+ curl -X POST http://localhost:8787/auth/oauth/link \
315+ -H " Authorization: Bearer eyJhbGc..." \
316+ -H " Content-Type: application/json" \
317+ -d ' { "provider": "google" }'
318+
319+ # Response: { "redirectUrl": "https://accounts.google.com/..." }
320+ # Redirect the user to the returned URL to complete linking
321+ ```
322+
323+ ``` bash {{title:'Unlink a provider'}}
324+ curl -X POST http://localhost:8787/auth/oauth/unlink \
325+ -H " Authorization: Bearer eyJhbGc..." \
326+ -H " Content-Type: application/json" \
327+ -d ' { "provider": "github" }'
328+
329+ # Response: { "success": true, "message": "github account unlinked" }
330+ ```
331+
332+ </CodeGroup >
333+
334+ <Callout type = " warning" >
335+ A user cannot unlink their only authentication method. If they have no password and only one OAuth link, unlinking is blocked until they set a password or link another provider.
336+ </Callout >
337+
338+ ### Choosing an Authentication Method (Updated)
339+
340+ | Method | Best For | Security | User Experience |
341+ | --------| ----------| ----------| -----------------|
342+ | ** Email + Password** | Traditional apps, maximum control | High | Familiar, requires password management |
343+ | ** OTP Login** | Mobile apps, high-security environments | Very High | Easy, no password needed, limited time |
344+ | ** Magic Link** | Simplified onboarding, newsletters | High | Seamless, requires email access |
345+ | ** OAuth / Social** | Consumer apps, developer tools | High | One-click, no new credentials needed |
346+
347+ <div className = " not-prose mt-4" >
348+ <Button href = " /plugins/oauth" variant = " text" arrow = " right" >
349+ <>Full OAuth plugin documentation</>
350+ </Button >
351+ </div >
352+
353+ ---
354+
253355## User Management
254356
255357### User Registration
0 commit comments