This is an automated email from the ASF dual-hosted git repository.
harikrishna-patnala pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack-documentation.git
The following commit(s) were added to refs/heads/main by this push:
new fa79c720 Add OAuth2 configuration details for domain-specific
providers (#647)
fa79c720 is described below
commit fa79c720fe01d4c3cdf0a223d083d8d7d3f266ba
Author: Daman Arora <[email protected]>
AuthorDate: Thu Jul 9 07:01:45 2026 -0400
Add OAuth2 configuration details for domain-specific providers (#647)
---
source/adminguide/accounts.rst | 101 +++++++++++++++++++++++++++++++++++++++--
1 file changed, 98 insertions(+), 3 deletions(-)
diff --git a/source/adminguide/accounts.rst b/source/adminguide/accounts.rst
index b70515c0..399fa504 100644
--- a/source/adminguide/accounts.rst
+++ b/source/adminguide/accounts.rst
@@ -653,14 +653,17 @@ granting access to resources. CloudStack supports OAuth2
authentication wherein
CloudStack without using username and password. CloudStack currently supports
Google and GitHub providers.
Other OAuth2 providers can be easily integrated with CloudStack using its
plugin framework.
-For admins, the following are the settings available at global level to
configure OAuth2.
+For admins, the following are the settings available to configure OAuth2.
``oauth2.enabled``
+can be configured at both the global and domain scopes; ``oauth2.plugins`` and
+``oauth2.plugins.exclude`` are global-only.
.. cssclass:: table-striped table-bordered table-hover
================================================ ================
===================================================================
-Global setting Default values
Description
+Setting Default values
Description
================================================ ================
===================================================================
-oauth2.enabled false
Indicates whether OAuth plugin is enabled or not
+oauth2.enabled false
Indicates whether OAuth plugin is enabled or not. Configurable at
+ global
and domain scopes (see Per-Domain OAuth Providers below).
oauth2.plugins google,github List of
OAuth plugins
oauth2.plugins.exclude List of
OAuth plugins which are excluded
================================================ ================
===================================================================
@@ -730,6 +733,98 @@ has to be provided in the login form and then click on
OAuth login.
:align: center
:alt: Login page for user under specific domain
+Per-Domain OAuth Providers
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In addition to globally registered OAuth providers, admins can register OAuth
providers
+at the domain level. This is useful in multi-tenant deployments where each
domain
+(representing a customer, department, or team) needs to authenticate users
against
+its own identity provider — for example, two domains can each have their own
GitHub
+OAuth application, with separate client IDs and secrets.
+
+A provider registered without a domain remains a *global* provider and is
available
+to all users. A provider registered against a domain is a *domain-specific*
provider
+and is only used when the user logs in under that domain.
+
+Enabling OAuth for a domain
+'''''''''''''''''''''''''''
+
+The ``oauth2.enabled`` setting uses a strict scope at the domain level:
domains do
+**not** inherit the global value. Each domain that should use OAuth must
explicitly
+set ``oauth2.enabled=true`` at the domain scope, regardless of whether the
global
+value is ``true`` or ``false``. The table below summarizes the resulting
behavior:
+
+.. cssclass:: table-striped table-bordered table-hover
+
+===================== ===================== ==========================
+Global oauth2.enabled Domain oauth2.enabled OAuth available in domain?
+===================== ===================== ==========================
+false not set No
+false true Yes
+false false No
+true not set No
+true true Yes
+true false No
+===================== ===================== ==========================
+
+.. TODO: Add screenshot showing the oauth2.enabled setting at the domain scope
(Domain details > Settings tab, with oauth2.enabled toggled to true).
+
+Registering a domain-specific provider
+''''''''''''''''''''''''''''''''''''''
+
+The "OAuth configuration" sub-section under "Configuration" now accepts an
optional
+**Domain** field when registering a provider. Leave the Domain field empty to
register
+a global provider, or pick a domain to register a provider that only applies
to users
+of that domain.
+
+The same fields described in the previous section (Provider, Description,
Provider
+Client ID, Redirect URI, Secret Key) apply. Only one provider of a given type
+(``google``, ``github``, ...) may exist per domain — and at most one global
provider
+of each type — so attempting to register a duplicate will be rejected.
+
+.. TODO: Add screenshot of the "Register OAuth provider" dialog showing the
new Domain selector field, with a domain selected.
+
+.. TODO: Add screenshot of the OAuth configuration list view showing both
global and domain-specific providers, with the new Domain column populated for
domain-specific entries.
+
+CloudMonkey API call to register a domain-specific provider:
+
+ - register oauthprovider provider=github description="Engineering GitHub"
+ clientid="Iv1.abc123" secretkey="secret456"
+ redirecturi="https://cloudstack.example.com/?verifyOauth"
+ domainid=<domain-uuid>
+
+To list providers visible to a particular domain (returns both that domain's
+providers and any global providers):
+
+ - list oauthproviders domainid=<domain-uuid>
+
+Login behavior
+''''''''''''''
+
+When the login page first loads, only global OAuth providers are shown on the
OAuth
+Login tab. Once the user enters a domain path in the login form, the UI
re-queries
+for providers visible to that domain and updates the buttons accordingly:
+
+ - If the domain has its own provider configured, the domain-specific
provider
+ buttons replace the global ones for that login attempt.
+
+ - If the domain has no providers configured and OAuth is enabled at that
domain,
+ the message "No OAuth providers configured for this domain" is shown.
+
+ - If OAuth is not enabled for that domain (``oauth2.enabled`` is not
``true`` at
+ the domain scope), the OAuth tab is not usable for that domain.
+
+ - If no global providers exist but at least one domain has providers, the
OAuth
+ tab prompts the user to enter their domain to see available providers.
+
+.. TODO: Add screenshot of the login page showing global OAuth providers
(default state, no domain entered).
+
+.. TODO: Add screenshot of the login page after a domain path has been
entered, showing the domain-specific OAuth provider buttons.
+
+The selected provider's stored credentials (client ID and secret) for the
resolved
+domain are then used to exchange the OAuth authorization code for an access
token
+and identify the user by email.
+
Using Two Factor Authentication For Users
------------------------------------------