Add Social Login docs and link from auth

alegauss · alegauss · commit c97d0b7c9b11 · 2026-04-14T10:58:25.000-03:00
Introduce a new Social Login (OAuth2) guide documenting Google, GitHub, and Microsoft provider setup, redirect URIs, user profile behavior, and troubleshooting. Update the main authentication page to list Social Login as a supported mode and add instructions/snippet for enabling providers. Add the new page to the Turing sidebar for discoverability.
diff --git a/docs-turing/security-authentication.md b/docs-turing/security-authentication.md
@@ -6,9 +6,15 @@ description: Native authentication for Turing ES — session-based admin console
 
 # Authentication
 
-Turing ES supports two authentication modes. **Native authentication** is the default and requires no external dependencies. **Keycloak OAuth2 / OpenID Connect** is the recommended mode for production SSO environments.
+Turing ES supports three authentication modes:
 
-This page covers **native authentication** — the session-based admin console login and the API Key mechanism for REST API access. For the full Keycloak production setup, see [Security & Keycloak](./security-keycloak.md).
+| Mode | Best for | External dependency |
+|---|---|---|
+| **Native** (default) | Development, simple setups | None |
+| **Social Login (OAuth2)** | Small teams, GitHub/Google/Microsoft accounts | Provider OAuth App |
+| **Keycloak SSO** | Enterprise production with LDAP/AD, MFA, RBAC | Keycloak server |
+
+This page covers **native authentication**. For social login with Google, GitHub, or Microsoft, see [Social Login (OAuth2)](./security-social-login.md). For the full Keycloak production setup, see [Security & Keycloak](./security-keycloak.md).
 
 ---
 
@@ -41,6 +47,25 @@ API Token values are encrypted at rest in the database. The encryption key is se
 
 ---
 
+## Switching to Social Login (OAuth2)
+
+For teams using Google, GitHub, or Microsoft, you can enable social login buttons by adding the provider configuration in `application.yaml`:
+
+```yaml
+spring:
+  security:
+    oauth2:
+      client:
+        registration:
+          github:
+            client-id: YOUR_CLIENT_ID
+            client-secret: YOUR_CLIENT_SECRET
+```
+
+The login page automatically shows buttons only for configured providers. See [Social Login (OAuth2)](./security-social-login.md) for complete setup instructions for each provider.
+
+---
+
 ## Switching to Keycloak SSO
 
 For production environments with SSO requirements, Turing ES can delegate authentication to Keycloak via OAuth2 / OpenID Connect. Enable it with:
@@ -57,6 +82,7 @@ See [Security & Keycloak](./security-keycloak.md) for the full 6-step production
 
 | Page | Description |
 |---|---|
+| [Social Login (OAuth2)](./security-social-login.md) | Google, GitHub, and Microsoft social login |
 | [Security & Keycloak](./security-keycloak.md) | Full production setup with Keycloak OAuth2/OIDC |
 | [Administration Guide](./administration-guide.md) | Managing users, groups, roles, and API tokens |
 | [REST API](./rest-api.md) | Full REST API reference including authentication examples |
diff --git a/docs-turing/security-social-login.md b/docs-turing/security-social-login.md
@@ -0,0 +1,210 @@
+---
+sidebar_position: 4
+title: Social Login (OAuth2)
+description: Configure Google, GitHub, and Microsoft social login for Turing ES using Spring Security OAuth2.
+---
+
+# Social Login (OAuth2)
+
+Turing ES supports **social login** via OAuth2 with Google, GitHub, and Microsoft. When configured, users can sign in with their existing accounts from these providers — no separate password required.
+
+This is ideal for development environments, small teams, and scenarios where a full Keycloak deployment is not needed. For enterprise SSO with LDAP/AD federation, MFA, and centralized user management, see [Security & Keycloak](./security-keycloak.md).
+
+---
+
+## How It Works
+
+```mermaid
+sequenceDiagram
+    participant User
+    participant Turing ES
+    participant OAuth2 Provider
+
+    User->>Turing ES: Click "Sign in with Google"
+    Turing ES->>OAuth2 Provider: Redirect to authorization
+    OAuth2 Provider->>User: Show consent screen
+    User->>OAuth2 Provider: Approve
+    OAuth2 Provider->>Turing ES: Redirect with authorization code
+    Turing ES->>OAuth2 Provider: Exchange code for token + user info
+    Turing ES->>User: Create session, redirect to /admin
+```
+
+When a user signs in via a social provider for the first time, Turing ES **automatically creates a local user** with the profile information from the provider (name, email, avatar). Subsequent logins update the profile data.
+
+---
+
+## Prerequisites
+
+| Requirement | Details |
+|---|---|
+| `turing.authentication.thirdparty` | Must be `true` (default) |
+| Provider OAuth App | Create an OAuth App/Client in the provider's console |
+| Redirect URI | `http://<host>:<port>/login/oauth2/code/<provider>` |
+
+---
+
+## Configuration
+
+Add the provider registration under `spring.security.oauth2.client` in your `application.yaml`:
+
+### Google
+
+1. Go to [Google Cloud Console](https://console.cloud.google.com/apis/credentials)
+2. Create an **OAuth 2.0 Client ID** (Web application)
+3. Add the authorized redirect URI: `http://localhost:2700/login/oauth2/code/google`
+
+```yaml
+spring:
+  security:
+    oauth2:
+      client:
+        registration:
+          google:
+            client-id: YOUR_GOOGLE_CLIENT_ID
+            client-secret: YOUR_GOOGLE_CLIENT_SECRET
+```
+
+:::tip Scopes
+Spring Security auto-configures the Google provider with `openid`, `profile`, and `email` scopes — no need to set them manually.
+:::
+
+### GitHub
+
+1. Go to [GitHub Developer Settings > OAuth Apps](https://github.com/settings/developers)
+2. Click **New OAuth App**
+3. Set **Homepage URL** to `http://localhost:2700`
+4. Set **Authorization callback URL** to `http://localhost:2700/login/oauth2/code/github`
+
+```yaml
+spring:
+  security:
+    oauth2:
+      client:
+        registration:
+          github:
+            client-id: YOUR_GITHUB_CLIENT_ID
+            client-secret: YOUR_GITHUB_CLIENT_SECRET
+```
+
+:::note GitHub specifics
+- GitHub does not provide a separate first/last name — Turing splits the `name` attribute automatically.
+- Email may be `null` if the user's GitHub email is private. The email field is hidden in the profile page when empty.
+- The username is the GitHub `login` handle.
+:::
+
+### Microsoft (Entra ID / Azure AD)
+
+1. Go to [Azure Portal > App registrations](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps)
+2. Register a new application
+3. Under **Authentication**, add a **Web** redirect URI: `http://localhost:2700/login/oauth2/code/microsoft`
+4. Under **Certificates & secrets**, create a new client secret
+
+```yaml
+spring:
+  security:
+    oauth2:
+      client:
+        registration:
+          microsoft:
+            client-id: YOUR_MICROSOFT_CLIENT_ID
+            client-secret: YOUR_MICROSOFT_CLIENT_SECRET
+            scope: openid,profile,email
+            authorization-grant-type: authorization_code
+            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
+        provider:
+          microsoft:
+            issuer-uri: https://login.microsoftonline.com/common/v2.0
+```
+
+---
+
+## Multiple Providers
+
+You can configure any combination of providers simultaneously. The login page **automatically shows only the buttons for configured providers**:
+
+```yaml
+spring:
+  security:
+    oauth2:
+      client:
+        registration:
+          google:
+            client-id: ...
+            client-secret: ...
+          github:
+            client-id: ...
+            client-secret: ...
+          microsoft:
+            client-id: ...
+            client-secret: ...
+        provider:
+          microsoft:
+            issuer-uri: https://login.microsoftonline.com/common/v2.0
+```
+
+If only GitHub is configured, only the GitHub button appears. If none are configured, the social login section is hidden entirely.
+
+---
+
+## Redirect URIs Reference
+
+| Provider | Redirect URI |
+|---|---|
+| Google | `http://<host>:<port>/login/oauth2/code/google` |
+| GitHub | `http://<host>:<port>/login/oauth2/code/github` |
+| Microsoft | `http://<host>:<port>/login/oauth2/code/microsoft` |
+
+The pattern is always: `{baseUrl}/login/oauth2/code/{registrationId}`
+
+For production with HTTPS: `https://turing.example.com/login/oauth2/code/google`
+
+---
+
+## User Profile Behavior
+
+When logged in via a social provider:
+
+- **Profile fields are read-only** — name, email, and username are managed by the provider
+- **Avatar can still be customized** in Turing
+- **Password section is hidden** — authentication is handled by the provider
+- **The provider name is displayed** on the profile page (e.g., "github", "google")
+
+---
+
+## Configuration Properties
+
+| Property | Default | Description |
+|---|---|---|
+| `turing.authentication.thirdparty` | `true` | Enable third-party OAuth2 login buttons |
+| `spring.security.oauth2.client.registration.<provider>.client-id` | — | OAuth2 Client ID from the provider |
+| `spring.security.oauth2.client.registration.<provider>.client-secret` | — | OAuth2 Client Secret from the provider |
+
+---
+
+## Troubleshooting
+
+### 404 on provider authorization page
+
+The Client ID is likely incorrect. Double-check the value in `application.yaml` matches the one in the provider's console.
+
+### User profile shows empty name
+
+The provider attributes may use different field names. Turing handles Google (`given_name`, `family_name`), GitHub (`login`, `name`), and Microsoft (`given_name`, `family_name`) automatically. For other providers, the `name` attribute is split into first/last name.
+
+### Email is empty (GitHub)
+
+GitHub may not expose the user's email if it is set to private. This is by design — the email field is hidden in the profile page when empty.
+
+### Login redirects to wrong page
+
+The default success URL is `/admin`. If using a different frontend path, ensure the Spring Security configuration matches.
+
+---
+
+## Related Pages
+
+| Page | Description |
+|---|---|
+| [Authentication](./security-authentication.md) | Native authentication and API Keys |
+| [Security & Keycloak](./security-keycloak.md) | Full Keycloak production setup with SSO |
+| [Configuration Reference](./configuration-reference.md) | All configuration properties |
diff --git a/package-lock.json b/package-lock.json
diff --git a/sidebars-turing.ts b/sidebars-turing.ts
@@ -88,6 +88,7 @@ const sidebars: SidebarsConfig = {
           label: "Security",
           items: [
             "security-authentication",
+            "security-social-login",
             "security-keycloak",
           ],
         },
