-**Issuer**: the issuer of the response (e.g. `https://accounts.google.com`)
-**Client ID**: the client ID of your application
-**Client secret**: the client secret of your application
+
-**Scopes**: the scopes to request from the identity provider (e.g., `openid`, `profile`, `email`). Some providers also support a groups claim, which can be included by adding the `groups` scope. This is useful if you want to enable [**group syncing**](#group-syncing) as part of the authentication process.
User information field mapping:
-**Email**: the claims field to be used as the Bytebase user email address (e.g. `email`)
-**Display name**: the claims field to be used as the Bytebase user display name (e.g. `name`, optional)
-**Phone**: the claims field to be used as the Bytebase user phone number (e.g. `phone`, optional)
+
-**Groups**: the claims field to be used as the Bytebase user groups (e.g. `groups`, optional). If this field is set, Bytebase will automatically perform [**group syncing**](#group-syncing) by default.
### Google
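Review bot: The **Scopes** bullet and the **Groups** bullet together leave a gap a reader will hit in practice: the Scopes line says a groups claim "can be included by adding the `groups` scope", while the new Group Syncing section later states that Okta only returns the claim after the tokens have been customized, so the scope alone is not sufficient for every provider. Suggest qualifying the Scopes sentence (for example "depending on the provider, the claim may also need to be enabled on the IdP side; see Group Syncing") and, on the **Groups** line, stating explicitly that setting this field turns on both adding users to matching groups and removing them from non-matching ones, since "automatically perform group syncing by default" does not convey that membership revocation is part of the behaviour.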
@@ -132,6 +134,18 @@ In some GitLab self-hosted setups, the **Issuer** is `http://gitlab.acme.com` (H
-**Email**: `email`
-**Display name**: `name`
+
## Group Syncing
+
+
Bytebase supports syncing identity provider (IdP) groups with Bytebase user groups for providers that include a `groups` claim in their tokens.
+
+
Group syncing is based on a one-to-one match using the **group title**. When a user logs in, Bytebase compares the group names from the IdP with existing Bytebase user group titles. If a match is found, the user is automatically added as a **Member** to the corresponding Bytebase user group.
+
+
To ensure security and consistency, Bytebase also **automatically removes the user from any Bytebase groups that are not present in their IdP group claims**.
+
+
Group syncing occurs during login, so if group membership changes in your IdP, users must log out and log back in for the changes to take effect.
+
+
Some OIDC providers like **Okta** support the `groups` claim, but you’ll need to first **customize the tokens returned from Okta to include the `groups` claim**. For more information, refer to [Customize tokens returned from Okta with a groups claim](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/).
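Review bot: The sentence "automatically removes the user from any Bytebase groups that are not present in their IdP group claims" does not document the failure mode that matters most for an operator: what happens when the `groups` claim is absent or empty in a given token (for example because the Okta token customization described two paragraphs later has not been done yet, or the claim is omitted for that login). Readers need to know whether Bytebase skips syncing in that case or treats it as "no groups" and strips the user from every group, because the two outcomes have very different consequences for access and for incident triage. Suggest adding one sentence stating the actual behaviour. Two smaller points in the same section: "one-to-one match using the group title" should say whether the comparison is exact and case-sensitive, and "Group syncing occurs during login" would be clearer as "only during login", so that the log-out-and-back-in requirement is understood as the sole trigger rather than one of several.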