Callback URLs
Use the same public base URL forAUTH_PUBLIC_BASE_URL and every enabled
provider callback. Register the exact callback URL with the provider console.
Google and Facebook provider consoles require the redirect URI to match what
the auth request sends. Apple Sign in with Apple for web requires an absolute
return URL with scheme, host, and path; use a real HTTPS domain for Apple live
smoke instead of
localhost or an IP address.
Environment
Start fromexamples/fullstack-app/.env.example, keep password login enabled, and
enable only the provider being tested.
AUTH_APPLE_TEAM_ID, AUTH_APPLE_KEY_ID, and AUTH_APPLE_PRIVATE_KEY, or set
AUTH_APPLE_GENERATED_CLIENT_SECRET to a pre-generated client-secret JWT.
For HTTPS deployments, keep AUTH_COOKIE_SECURE=true so browser callback and
password-login sessions are issued with Secure, HttpOnly, and
SameSite=Lax cookie attributes. Local HTTP development can keep it false.
Provider Setup
Shared App Requirements
Use a real HTTPS host before creating provider apps. Provider consoles validate redirect URLs against what the auth stack sends at runtime, so these values must agree exactly:
Do not use
localhost, 127.0.0.1, or an IP address for live provider smoke.
For local development, put the Spin app behind a trusted HTTPS tunnel, or
deploy the app to a disposable HTTPS test host.
After the provider app is created, copy values into
examples/fullstack-app/.env. Keep .env local and uncommitted. The Makefile and
the OAuth verification scripts load this file automatically.
Google OAuth Setup
Use Google Cloud Console for the Google provider.- Open the Google Cloud Console and select or create the project that owns the auth stack.
- Configure the OAuth consent screen. For early testing, keep the app in a testing state and add the test Google accounts that will complete browser smoke.
- Go to APIs & Services > Credentials.
- Create an OAuth client ID with application type Web application.
-
Add this authorized redirect URI exactly:
- Save the client and copy the client ID and client secret.
-
Set these values in
examples/fullstack-app/.env:
.env.example by default.
Override AUTH_GOOGLE_AUTHORIZATION_URL, AUTH_GOOGLE_TOKEN_URL, or
AUTH_GOOGLE_JWKS_URL only when Google changes the endpoint or a test
environment requires it.
Facebook Login Setup
Use Meta for Developers for the Facebook provider.- Open Meta for Developers and create or select the app that owns Facebook Login.
- In the app dashboard, add the Facebook Login product if it is not already enabled.
- Open Facebook Login > Settings. If the dashboard uses the newer Use cases navigation, open the authentication/login use case and continue to its Facebook Login settings.
-
In Client OAuth settings, keep web OAuth enabled and add this value under
Valid OAuth Redirect URIs:
- Save changes.
- Open Settings > Basic and copy the App ID and App Secret.
-
Set these values in
examples/fullstack-app/.env:
AUTH_FACEBOOK_REDIRECT_URI byte-for-byte.
Apple Sign In Setup
Use Apple Developer Certificates, Identifiers & Profiles for the Apple provider. Apple web login requires a Services ID associated with an app that has Sign in with Apple enabled.- Ensure a primary App ID exists for the app or organization and that Sign in with Apple is enabled for it.
- Create or select a Services ID. This Services ID is the OAuth client ID used by the auth stack.
- Configure Sign in with Apple for that Services ID.
- Select the primary App ID that is related to the website.
-
Under website URLs, add the HTTPS domain and the return URL:
- Create a Sign in with Apple private key, or use an existing one. Record the Team ID, Key ID, and downloaded private key contents.
-
Set these values in
examples/fullstack-app/.env:
AUTH_APPLE_TEAM_ID, AUTH_APPLE_KEY_ID, and
AUTH_APPLE_PRIVATE_KEY, you may pre-generate the Apple client-secret JWT and
set AUTH_APPLE_GENERATED_CLIENT_SECRET. The generated-secret path is useful
when private keys are managed outside the Spin deployment system.
Hook Credentials Into Spin
For local operator smoke, put provider values inexamples/fullstack-app/.env.
For deployed Spin environments, pass the same values as Spin variables or
runtime secrets that map to the variables in spin.production.toml.example.
Minimum shared values:
Live Smoke
Run one provider at a time first. This keeps callback and credential failures easy to isolate.OAUTH_PROVIDERS after the first provider passes.
/api/auth/capabilities, rejects the development callback
bypass URL, validates the external HTTPS authorization endpoint, verifies
response_type, client_id, redirect_uri, scope, state, and nonce,
and checks OAuth state storage evidence when AUTH_SYSTEM_ACCESS_TOKEN is set. It does
not replace the browser callback test because provider credentials and user
login are still external dependencies.
You can print a redacted event-count report after preflight. This does not
print provider secrets, tokens, session IDs, or profile payloads.
GET /api/auth/capabilitiesincludes the enabled provider./loginshows only credentialed, enabled OAuth providers.- Clicking the provider redirects to the provider authorization URL.
- Completing provider login returns to
/dashboard. /api/auth/sessionreports an authenticated session.GET /api/auth/storage/statuswith an AAL2 system-administrator bearer token shows:auth_oauth_state_created,auth_oauth_state_consumed,auth_external_identity_linked, andauth_session_issued.- Reusing the same callback URL fails because OAuth state is single-use.
wasi_auth_dev_session cookie, then checks
the session and storage evidence automatically. It also replays the exact
callback URL in JSON mode and expects a conflict response, proving OAuth state
is single-use.
wasi_auth_dev_session cookie
from the browser and run the callback evidence check. SESSION_COOKIE may be a
bare session ID, wasi_auth_dev_session=<id>, or a full Cookie: header value.
EXPECTED_EMAIL is optional but should be set when the provider account is
known. This manual path is useful when the interactive browser smoke cannot run
on the operator machine.
/api/auth/session, confirms /dashboard
is reachable with the issued session cookie, and checks storage status for
OAuth state creation, state consumption, external identity linking, session
issuance, and auth projection progress.
After callback smoke, run the same evidence report in callback mode to confirm
the final event counts and projection checkpoint.
operator_pending until this live
smoke passes for Google, Facebook, and Apple against real provider apps. Do
not mark A11 done without the preflight, browser, callback, and evidence
commands above.
Failure Checks
- Provider missing from
/api/auth/capabilities: checkAUTH_ENABLE_OAUTH,AUTH_<PROVIDER>_ENABLED, and provider credentials. - Provider returns redirect mismatch: compare the provider console callback URL
with
AUTH_<PROVIDER>_REDIRECT_URI. - Apple token exchange fails: verify the Services ID, Team ID, Key ID, private key, and client-secret TTL.
- User lands on an auth error page: inspect
/api/auth/storage/statusand the Spin component logs before retrying.