Social login
Per-tenant social/OIDC providers with JIT provisioning and account linking via external identities.
Qeet ID supports social login through generic OIDC-discovery providers configured per tenant. Any provider that publishes a standard OIDC discovery document (Google, Microsoft, GitHub via OIDC, Okta, Auth0, and more) can be wired up without provider-specific code.
This is fully implemented
Social login is live — not a stub. First-time sign-ins are JIT-provisioned and can be linked to existing users by verified email.
Configure a provider
Register a provider on a tenant with its OIDC issuer/discovery URL plus the OAuth client credentials you obtained from that provider.
/v1/social/providersAdd a provider to the caller's tenant/v1/tenants/{tenantID}/social/providersAdd a provider (tenant-scoped)Sign-in flow
The standard OAuth redirect dance: start sends the user to the provider; the callback exchanges the code and signs them in.
Start
/v1/social/{provider}/startRedirect to the providerCallback
/v1/social/{provider}/callbackExchange code → token pairThere's also a server-side POST /v1/social/exchange for exchanging a provider
token/code directly when you control the OAuth flow yourself.
Account linking & external identities
When someone signs in socially for the first time, Qeet ID JIT-provisions a user and records an external identity linking that provider account to the Qeet ID user. If a user with the same verified email already exists, the identity is linked to them. Users (and admins) can list and unlink identities.
/v1/users/{userID}/social/identitiesList a user's linked identities/v1/social/identities/{id}Unlink an external identitySocial providers, SAML connections, and LDAP all attach to the user through the same external-identity model — see Core concepts → Users.