Generic OAuth2 Setup
Introduction
Section titled âIntroductionâThe Capgo Social Login plugin supports generic OAuth2 authentication, allowing you to integrate with any OAuth2-compliant provider. This includes:
- GitHub
- Azure AD / Microsoft Entra ID
- Auth0
- Okta
- Keycloak
- Custom OAuth2 servers
- Any OpenID Connect (OIDC) provider
Key Feature: You can configure multiple OAuth2 providers simultaneously, each with its own settings.
Prerequisites
Section titled âPrerequisitesâBefore you begin, youâll need:
- Your OAuth2 providerâs client ID (App ID)
- Authorization endpoint URL
- Token endpoint URL (for authorization code flow)
- A configured redirect URL in your OAuth2 providerâs dashboard
Multi-Provider Configuration
Section titled âMulti-Provider ConfigurationâThe plugin supports configuring multiple OAuth2 providers at once. Each provider is identified by a unique key (e.g., github, azure, auth0):
import { SocialLogin } from '@capgo/capacitor-social-login';
await SocialLogin.initialize({ oauth2: { // GitHub OAuth2 github: { appId: 'your-github-client-id', authorizationBaseUrl: 'https://github.com/login/oauth/authorize', accessTokenEndpoint: 'https://github.com/login/oauth/access_token', redirectUrl: 'myapp://oauth/github', scope: 'read:user user:email', pkceEnabled: true, }, // Azure AD OAuth2 azure: { appId: 'your-azure-client-id', authorizationBaseUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize', accessTokenEndpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/token', redirectUrl: 'myapp://oauth/azure', scope: 'openid profile email', pkceEnabled: true, resourceUrl: 'https://graph.microsoft.com/v1.0/me', }, // Auth0 OAuth2 auth0: { appId: 'your-auth0-client-id', authorizationBaseUrl: 'https://your-tenant.auth0.com/authorize', accessTokenEndpoint: 'https://your-tenant.auth0.com/oauth/token', redirectUrl: 'myapp://oauth/auth0', scope: 'openid profile email offline_access', pkceEnabled: true, additionalParameters: { audience: 'https://your-api.example.com', }, }, },});Configuration Options
Section titled âConfiguration Optionsâ| Option | Type | Required | Description |
|---|---|---|---|
appId | string | Yes | OAuth2 Client ID from your provider |
authorizationBaseUrl | string | Yes | Authorization endpoint URL |
accessTokenEndpoint | string | No* | Token endpoint URL (*Required for code flow) |
redirectUrl | string | Yes | Callback URL for OAuth redirect |
responseType | 'code' | 'token' | No | OAuth flow type (default: 'code') |
pkceEnabled | boolean | No | Enable PKCE (default: true) |
scope | string | No | Default scopes to request |
resourceUrl | string | No | URL to fetch user profile after auth |
additionalParameters | Record<string, string> | No | Extra params for authorization URL |
additionalResourceHeaders | Record<string, string> | No | Extra headers for resource request |
logoutUrl | string | No | URL to open on logout |
logsEnabled | boolean | No | Enable debug logging (default: false) |
Using OAuth2 Login
Section titled âUsing OAuth2 Loginâ// Login with GitHubconst githubResult = await SocialLogin.login({ provider: 'oauth2', options: { providerId: 'github', // Required: must match key from initialize() },});
// Login with Azure ADconst azureResult = await SocialLogin.login({ provider: 'oauth2', options: { providerId: 'azure', scope: 'openid profile email', // Optional: override default scopes },});
console.log('Access Token:', azureResult.result.accessToken?.token);console.log('ID Token:', azureResult.result.idToken);console.log('User Data:', azureResult.result.resourceData);Login Response
Section titled âLogin ResponseâThe login response includes:
interface OAuth2LoginResponse { providerId: string; // The provider ID used for login accessToken: { token: string; // The access token tokenType: string; // Usually 'bearer' expires?: string; // Expiration timestamp refreshToken?: string; // Refresh token if available } | null; idToken: string | null; // JWT ID token (for OIDC providers) refreshToken: string | null; // Refresh token resourceData: Record<string, unknown> | null; // User profile from resourceUrl scope: string[]; // Granted scopes tokenType: string; // Token type expiresIn: number | null; // Expiration in seconds}Check Login Status
Section titled âCheck Login Statusâconst status = await SocialLogin.isLoggedIn({ provider: 'oauth2', providerId: 'github', // Required for OAuth2});console.log('Is logged in:', status.isLoggedIn);await SocialLogin.logout({ provider: 'oauth2', providerId: 'github', // Required for OAuth2});Refresh Token
Section titled âRefresh Tokenâawait SocialLogin.refresh({ provider: 'oauth2', options: { providerId: 'github', // Required for OAuth2 },});Get Authorization Code / Access Token
Section titled âGet Authorization Code / Access Tokenâconst authCode = await SocialLogin.getAuthorizationCode({ provider: 'oauth2', providerId: 'github',});console.log('Access Token:', authCode.accessToken);Provider-Specific Setup
Section titled âProvider-Specific Setupâ-
Create an OAuth App in GitHub
Go to GitHub Developer Settings and create a new OAuth App.
-
Configure the OAuth App
- Application name: Your app name
- Homepage URL: Your appâs homepage
- Authorization callback URL: Your redirect URL (e.g.,
myapp://oauth/github)
-
Get your Client ID
Copy the Client ID from your OAuth App settings.
-
Initialize in your app
await SocialLogin.initialize({oauth2: {github: {appId: 'your-github-client-id',authorizationBaseUrl: 'https://github.com/login/oauth/authorize',accessTokenEndpoint: 'https://github.com/login/oauth/access_token',redirectUrl: 'myapp://oauth/github',scope: 'read:user user:email',pkceEnabled: true,resourceUrl: 'https://api.github.com/user',},},});
Azure AD / Microsoft Entra ID
Section titled âAzure AD / Microsoft Entra IDâ-
Register an application in Azure Portal
Go to Azure Portal > Azure Active Directory > App registrations > New registration.
-
Configure the application
- Name: Your app name
- Supported account types: Choose based on your needs
- Redirect URI: Select âMobile and desktop applicationsâ and add your redirect URL
-
Get your Application (client) ID
Copy the Application (client) ID from the Overview page.
-
Initialize in your app
await SocialLogin.initialize({oauth2: {azure: {appId: 'your-azure-client-id',authorizationBaseUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',accessTokenEndpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',redirectUrl: 'myapp://oauth/azure',scope: 'openid profile email User.Read',pkceEnabled: true,resourceUrl: 'https://graph.microsoft.com/v1.0/me',},},});
-
Create an application in Auth0
Go to Auth0 Dashboard > Applications > Create Application.
-
Configure the application
- Name: Your app name
- Application Type: Native
- Allowed Callback URLs: Your redirect URL
-
Get your Client ID and Domain
Copy the Client ID and Domain from the Settings tab.
-
Initialize in your app
await SocialLogin.initialize({oauth2: {auth0: {appId: 'your-auth0-client-id',authorizationBaseUrl: 'https://your-tenant.auth0.com/authorize',accessTokenEndpoint: 'https://your-tenant.auth0.com/oauth/token',redirectUrl: 'myapp://oauth/auth0',scope: 'openid profile email offline_access',pkceEnabled: true,additionalParameters: {audience: 'https://your-api.example.com', // Optional: for API access},logoutUrl: 'https://your-tenant.auth0.com/v2/logout?client_id=your-auth0-client-id',},},});
-
Create an application in Okta
Go to your Okta Admin Console > Applications > Create App Integration.
-
Configure the application
- Sign-in method: OIDC
- Application type: Native Application
- Sign-in redirect URIs: Your redirect URL
-
Get your Client ID
Copy the Client ID from the application settings.
-
Initialize in your app
await SocialLogin.initialize({oauth2: {okta: {appId: 'your-okta-client-id',authorizationBaseUrl: 'https://your-domain.okta.com/oauth2/default/v1/authorize',accessTokenEndpoint: 'https://your-domain.okta.com/oauth2/default/v1/token',redirectUrl: 'myapp://oauth/okta',scope: 'openid profile email offline_access',pkceEnabled: true,resourceUrl: 'https://your-domain.okta.com/oauth2/default/v1/userinfo',},},});
Platform-Specific Configuration
Section titled âPlatform-Specific Configurationâ-
Configure URL Scheme
Add your custom URL scheme to
ios/App/App/Info.plist:<key>CFBundleURLTypes</key><array><dict><key>CFBundleURLSchemes</key><array><string>myapp</string></array></dict></array> -
Handle Universal Links (Optional)
For universal links, configure Associated Domains in your Xcode project.
Android
Section titled âAndroidâ-
Configure Intent Filter
Add an intent filter for your redirect URL in
android/app/src/main/AndroidManifest.xml:<activityandroid:name="ee.forgr.capacitor.social.login.OAuth2LoginActivity"android:exported="true"android:launchMode="singleTask"><intent-filter><action android:name="android.intent.action.VIEW" /><category android:name="android.intent.category.DEFAULT" /><category android:name="android.intent.category.BROWSABLE" /><data android:scheme="myapp" android:host="oauth" /></intent-filter></activity>
For web applications, OAuth2 flows typically use popup windows:
// Initialize with web-compatible redirect URLsawait SocialLogin.initialize({ oauth2: { github: { appId: 'your-github-client-id', authorizationBaseUrl: 'https://github.com/login/oauth/authorize', accessTokenEndpoint: 'https://github.com/login/oauth/access_token', redirectUrl: 'http://localhost:3000/oauth/callback', // Web redirect scope: 'read:user user:email', pkceEnabled: true, }, },});For web, you may need to handle CORS issues with the token endpoint. Consider using a backend proxy for the token exchange.
Security Best Practices
Section titled âSecurity Best Practicesâ-
Always Use PKCE
PKCE (Proof Key for Code Exchange) protects against authorization code interception attacks. Keep
pkceEnabled: true(default). -
Use Authorization Code Flow
Prefer
responseType: 'code'over'token'(implicit flow). The authorization code flow is more secure. -
Validate Tokens on Your Backend
Always validate access tokens and ID tokens on your backend server before trusting them.
-
Use HTTPS
In production, always use HTTPS for redirect URLs and all endpoints.
-
Secure Token Storage
Use @capgo/capacitor-persistent-account for secure token storage on native platforms.
-
Rotate Refresh Tokens
If your provider supports it, enable refresh token rotation for additional security.
Troubleshooting
Section titled âTroubleshootingâCommon Issues
Section titled âCommon Issuesâ-
âproviderId is requiredâ error
Make sure youâre passing the
providerIdin all OAuth2 method calls:// Correctawait SocialLogin.login({provider: 'oauth2',options: { providerId: 'github' },});// Incorrect - missing providerIdawait SocialLogin.login({provider: 'oauth2',options: {},}); -
âOAuth2 provider âxxxâ not configuredâ error
Ensure youâve initialized the provider before attempting to login:
// Initialize firstawait SocialLogin.initialize({oauth2: {github: { /* config */ },},});// Then loginawait SocialLogin.login({provider: 'oauth2',options: { providerId: 'github' },}); -
Redirect URL mismatch
- Verify the redirect URL in your OAuth providerâs dashboard matches exactly what youâve configured
- Check for trailing slashes and protocol (http vs https)
- For mobile apps, ensure the URL scheme is registered
-
Token exchange fails
- Verify
accessTokenEndpointis correct - Check if your provider requires a client secret (public clients usually donât)
- Enable
logsEnabled: trueto see detailed logs
- Verify
-
User cancellation not handled
Wrap your login call in try-catch to handle cancellations:
try {const result = await SocialLogin.login({provider: 'oauth2',options: { providerId: 'github' },});} catch (error) {if (error.message.includes('cancelled')) {console.log('User cancelled login');} else {console.error('Login failed:', error);}}
Debug Mode
Section titled âDebug ModeâEnable debug logging to troubleshoot issues:
await SocialLogin.initialize({ oauth2: { github: { // ... other config logsEnabled: true, // Enable debug logs }, },});This will output detailed logs about the OAuth flow, including authorization URLs and token exchanges.