Use when configuring OAuth or social login providers in a Bknd application. Covers Google OAuth, GitHub OAuth, custom OAuth providers, callback URLs, environment variables, and frontend OAuth integration.
npx claudepluginhub cameronapak/bknd-expert --plugin bknd-research-skillsThis skill uses the workspace's default tool permissions.
Configure OAuth authentication providers (Google, GitHub, or custom) in Bknd.
Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.
Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.
Checks Next.js compilation errors using a running Turbopack dev server after code edits. Fixes actionable issues before reporting complete. Replaces `next build`.
Configure OAuth authentication providers (Google, GitHub, or custom) in Bknd.
bknd-setup-auth)UI steps: Admin Panel > Auth > Strategies
bknd.config.tsBknd has pre-configured support for:
| Provider | Type | Scopes |
|---|---|---|
google | OIDC | openid, email, profile |
github | OAuth2 | read:user, user:email |
http://localhost:7654/api/auth/google/callback
// bknd.config.ts
import { defineConfig } from "bknd";
export default defineConfig({
auth: {
enabled: true,
jwt: {
secret: process.env.JWT_SECRET!,
expires: 604800,
},
strategies: {
google: {
type: "oauth",
enabled: true,
config: {
name: "google",
client: {
client_id: process.env.GOOGLE_CLIENT_ID!,
client_secret: process.env.GOOGLE_CLIENT_SECRET!,
},
},
},
},
},
});
# .env
GOOGLE_CLIENT_ID=your-google-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your-google-client-secret
JWT_SECRET=your-256-bit-secret
http://localhost:7654http://localhost:7654/api/auth/github/callback// bknd.config.ts
import { defineConfig } from "bknd";
export default defineConfig({
auth: {
enabled: true,
jwt: {
secret: process.env.JWT_SECRET!,
expires: 604800,
},
strategies: {
github: {
type: "oauth",
enabled: true,
config: {
name: "github",
client: {
client_id: process.env.GITHUB_CLIENT_ID!,
client_secret: process.env.GITHUB_CLIENT_SECRET!,
},
},
},
},
},
});
# .env
GITHUB_CLIENT_ID=your-github-client-id
GITHUB_CLIENT_SECRET=your-github-client-secret
JWT_SECRET=your-256-bit-secret
Enable multiple providers simultaneously:
// bknd.config.ts
import { defineConfig } from "bknd";
export default defineConfig({
auth: {
enabled: true,
jwt: {
secret: process.env.JWT_SECRET!,
expires: 604800,
},
strategies: {
password: {
type: "password",
enabled: true,
config: {
hashing: "bcrypt",
rounds: 4,
},
},
google: {
type: "oauth",
enabled: true,
config: {
name: "google",
client: {
client_id: process.env.GOOGLE_CLIENT_ID!,
client_secret: process.env.GOOGLE_CLIENT_SECRET!,
},
},
},
github: {
type: "oauth",
enabled: true,
config: {
name: "github",
client: {
client_id: process.env.GITHUB_CLIENT_ID!,
client_secret: process.env.GITHUB_CLIENT_SECRET!,
},
},
},
},
},
});
For providers not built-in (Slack, Discord, Microsoft, etc.):
// bknd.config.ts
import { defineConfig } from "bknd";
export default defineConfig({
auth: {
enabled: true,
strategies: {
slack: {
type: "custom_oauth",
enabled: true,
config: {
name: "slack",
type: "oauth2", // "oauth2" or "oidc"
client: {
client_id: process.env.SLACK_CLIENT_ID!,
client_secret: process.env.SLACK_CLIENT_SECRET!,
token_endpoint_auth_method: "client_secret_basic",
},
as: {
issuer: "https://slack.com",
authorization_endpoint: "https://slack.com/oauth/v2/authorize",
token_endpoint: "https://slack.com/api/oauth.v2.access",
userinfo_endpoint: "https://slack.com/api/users.identity",
scopes_supported: ["openid", "profile", "email"],
},
},
},
},
},
});
Custom OAuth config options:
| Property | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Strategy identifier |
type | "oauth2" | "oidc" | Yes | Protocol type |
client.client_id | string | Yes | OAuth client ID |
client.client_secret | string | Yes | OAuth client secret |
client.token_endpoint_auth_method | string | Yes | Auth method (client_secret_basic) |
as.issuer | string | Yes | Authorization server issuer URL |
as.authorization_endpoint | string | Yes | OAuth authorize URL |
as.token_endpoint | string | Yes | Token exchange URL |
as.userinfo_endpoint | string | No | User info URL |
as.scopes_supported | string[] | No | Available scopes |
Once configured, Bknd exposes these endpoints:
| Method | Path | Description |
|---|---|---|
| POST | /api/auth/{provider}/login | Start OAuth login (cookie mode) |
| POST | /api/auth/{provider}/register | Start OAuth registration (cookie mode) |
| GET | /api/auth/{provider}/login | Get OAuth URL (token mode) |
| GET | /api/auth/{provider}/callback | OAuth callback handler |
// Redirect user to OAuth provider
function loginWithGoogle() {
// POST redirects to Google, callback sets cookie, redirects to pathSuccess
const form = document.createElement("form");
form.method = "POST";
form.action = "http://localhost:7654/api/auth/google/login";
document.body.appendChild(form);
form.submit();
}
import { Api } from "bknd";
const api = new Api({
host: "http://localhost:7654",
storage: localStorage,
});
async function loginWithGoogle() {
// Get OAuth URL
const { data } = await api.auth.login("google");
if (data?.url) {
// Store challenge for callback verification
sessionStorage.setItem("oauth_challenge", data.challenge);
// Redirect to Google
window.location.href = data.url;
}
}
// On callback page, complete the flow
async function handleOAuthCallback() {
const params = new URLSearchParams(window.location.search);
const code = params.get("code");
const challenge = sessionStorage.getItem("oauth_challenge");
if (code && challenge) {
// Complete OAuth flow
const response = await fetch(
`http://localhost:7654/api/auth/google/callback?code=${code}`,
{
headers: {
"X-State-Challenge": challenge,
"X-State-Action": "login",
},
}
);
const { user, token } = await response.json();
api.setToken(token);
sessionStorage.removeItem("oauth_challenge");
}
}
import { useAuth } from "@bknd/react";
function OAuthButtons() {
const { login } = useAuth();
async function handleGoogleLogin() {
const result = await login("google");
if (result.data?.url) {
window.location.href = result.data.url;
}
}
async function handleGitHubLogin() {
const result = await login("github");
if (result.data?.url) {
window.location.href = result.data.url;
}
}
return (
<div>
<button onClick={handleGoogleLogin}>
Continue with Google
</button>
<button onClick={handleGitHubLogin}>
Continue with GitHub
</button>
</div>
);
}
import { useEffect, useState } from "react";
import { useNavigate } from "react-router-dom";
import { Api } from "bknd";
const api = new Api({
host: import.meta.env.VITE_API_URL,
storage: localStorage,
});
function OAuthCallback() {
const navigate = useNavigate();
const [error, setError] = useState<string | null>(null);
useEffect(() => {
const params = new URLSearchParams(window.location.search);
const code = params.get("code");
const challenge = sessionStorage.getItem("oauth_challenge");
if (!code) {
setError("No authorization code received");
return;
}
if (!challenge) {
setError("OAuth session expired. Please try again.");
return;
}
fetch(`${import.meta.env.VITE_API_URL}/api/auth/google/callback?code=${code}`, {
headers: {
"X-State-Challenge": challenge,
"X-State-Action": "login",
},
})
.then((res) => res.json())
.then(({ user, token }) => {
api.setToken(token);
sessionStorage.removeItem("oauth_challenge");
navigate("/dashboard");
})
.catch((err) => {
setError("Authentication failed. Please try again.");
});
}, [navigate]);
if (error) {
return (
<div>
<p>{error}</p>
<a href="/login">Back to login</a>
</div>
);
}
return <div>Completing sign in...</div>;
}
Development:
http://localhost:7654/api/auth/{provider}/callback
Production:
https://api.yourapp.com/api/auth/{provider}/callback
Update redirect URIs in provider dashboard when deploying.
Configure cookie behavior for OAuth flow:
{
auth: {
cookie: {
secure: process.env.NODE_ENV === "production", // HTTPS only in prod
httpOnly: true,
sameSite: "lax", // Required for OAuth redirects
pathSuccess: "/dashboard", // Redirect after login
pathLoggedOut: "/login", // Redirect after logout
},
},
}
Problem: redirect_uri_mismatch error from provider
Fix: Ensure callback URL exactly matches provider dashboard:
# Provider dashboard (Google/GitHub)
http://localhost:7654/api/auth/google/callback
# Must match Bknd host configuration
host: "http://localhost:7654"
Problem: OAuth login fails silently
Fix: Verify all required env vars are set:
# Required for Google OAuth
GOOGLE_CLIENT_ID=...
GOOGLE_CLIENT_SECRET=...
# Required for GitHub OAuth
GITHUB_CLIENT_ID=...
GITHUB_CLIENT_SECRET=...
# Always required
JWT_SECRET=...
Problem: CORS error when calling OAuth endpoints
Fix: Configure CORS on backend:
{
server: {
cors: {
origin: ["http://localhost:3000"], // Your frontend URL
credentials: true,
},
},
}
Problem: "User signed up with different strategy"
Cause: User has existing account with different auth method
Solution: Users can only have ONE strategy. Guide them to use their original login method or implement account linking (requires custom code).
Problem: Cookie not received after OAuth callback
Fix: Ensure secure cookie settings:
{
auth: {
cookie: {
secure: false, // Set false for localhost (no HTTPS)
sameSite: "lax", // Required for OAuth redirects
},
},
}
Problem: Provider rejects scope request
Fix: Use only scopes from scopes_supported:
// Google OIDC defaults
scopes_supported: ["openid", "email", "profile"]
// GitHub OAuth2 defaults
scopes_supported: ["read:user", "user:email"]
Test OAuth setup:
1. Check available strategies:
curl http://localhost:7654/api/auth/strategies
Response should include your OAuth providers:
{
"strategies": ["password", "google", "github"],
"basepath": "/api/auth"
}
2. Test OAuth URL generation:
curl http://localhost:7654/api/auth/google/login
Response:
{
"url": "https://accounts.google.com/o/oauth2/v2/auth?...",
"challenge": "...",
"action": "login"
}
3. Complete full OAuth flow:
pathSuccessapi/auth/me returns userDO:
sameSite: "lax" for cookie (required for OAuth redirects)DON'T:
secure: true cookie on localhost (no HTTPS)