OAuth2 Configuration
Understand the generic OAuth2 configuration in Portabase.
Portabase supports dynamic addition of OAuth2 providers through a series of AUTH_SOCIAL_* variables. This page explains the general operation, available variables, and role management.
Quick Setup
Enable a provider
Define a Client ID and Client Secret pair for the provider of your choice (e.g., Google, GitHub).
Deploy
Apply these environment variables to your Portabase instance.
Configure Callback
Add the redirect URL in the provider's console:
https://<your-domain>/api/auth/callback/<providerId>
Verify
Test the connection from your dashboard login page.
Configuration Variables
You can configure a "default" provider via AUTH_SOCIAL_* or multiple providers via AUTH_SOCIAL_<NAME>_*.
Prop
Type
Dynamic Providers
To add multiple services, use the AUTH_SOCIAL_<PROVIDER>_* prefix. The providerId will be the lowercase version of the prefix.
# Example for Google
AUTH_SOCIAL_GOOGLE_CLIENT="xxx"
AUTH_SOCIAL_GOOGLE_SECRET="yyy"
AUTH_SOCIAL_GOOGLE_TITLE="Google Enterprise"If you use standard names (google, github, discord, etc.), Portabase automatically applies the corresponding icon and brand color.
Role Management
The AUTH_ROLE_MAP variable allows mapping your provider's groups/roles to Portabase's internal roles. It uses the format remote_role:portabase_role, separated by commas.
admin:admin: Maps the remote "admin" role to the local "admin" role.default:user: Sets the default role if no match is found.
Full example: admin:admin,editor:member,default:user
Configuration Guides
Choose a provider to see its specific configuration steps: