Social Login
Let users sign in with their existing accounts from popular identity providers like Google, GitHub, Microsoft, and more. Social login reduces registration friction and improves conversion rates.
Supported Providers
| Provider | Protocol | Features |
|---|---|---|
| Google | OAuth 2.0 / OIDC | Email, profile, avatar |
| GitHub | OAuth 2.0 | Email, profile, organization membership |
| Microsoft | OAuth 2.0 / OIDC | Email, profile, Azure AD integration |
| Facebook | OAuth 2.0 | Email, profile, friends list |
| Apple | OAuth 2.0 / OIDC | Email (private relay), name |
| LinkedIn | OAuth 2.0 | Email, profile, professional info |
| Custom OIDC | OpenID Connect | Any OIDC-compliant provider |
How It Works
- Click a social login button - The user clicks one of the social login buttons on your login page
- Redirect to provider - LumoAuth redirects to the provider's authorization page
- User authenticates - The user signs in with their existing provider account
- Provider callback - The provider redirects back to LumoAuth with an authorization code
- Account linking - LumoAuth creates or links a local user account
- Token issuance - LumoAuth issues its own OAuth tokens to your application
Account Linking Behavior
When a user authenticates via social login:
- New user: A LumoAuth user account is automatically created (JIT provisioning)
- Existing user (same email): The social account is linked to the existing user
- Multiple social accounts: A user can link multiple social providers to one account
Configuration
Tenant-Level Social Login
Configure social login providers per tenant at:
/t/{tenantSlug}/portal/configuration/social-login
For each provider, you'll need:
- Client ID - From the provider's developer console
- Client Secret - From the provider's developer console
- Scopes - What data to request (email, profile, etc.)
Per-Application Social Login
You can also configure social login on a per-application basis at:
/t/{tenantSlug}/portal/applications/{clientId}/social-login
This allows different OAuth clients within the same tenant to show different social login buttons.
Setting Up Google Login
1. Create Google OAuth Credentials
- Go to the Google Cloud Console
- Create a new project or select an existing one
- Navigate to APIs & Services → Credentials
- Click Create Credentials → OAuth client ID
- Select Web application
- Add authorized redirect URI:
https://your-domain.com/t/{tenantSlug}/auth/social/google/callback
- Copy the Client ID and Client Secret
2. Configure in LumoAuth
- Go to /t/{tenantSlug}/portal/configuration/social-login
- Click Add Provider → Google
- Enter the Client ID and Client Secret
- Save and Enable
Setting Up GitHub Login
1. Create GitHub OAuth App
- Go to GitHub Developer Settings
- Click New OAuth App
- Set the authorization callback URL:
https://your-domain.com/t/{tenantSlug}/auth/social/github/callback
- Copy the Client ID and Client Secret
2. Configure in LumoAuth
- Go to /t/{tenantSlug}/portal/configuration/social-login
- Click Add Provider → GitHub
- Enter credentials and save
Setting Up Microsoft Login
1. Register in Azure AD
- Go to the Azure Portal → App registrations
- Click New registration
- Add redirect URI:
https://your-domain.com/t/{tenantSlug}/auth/social/microsoft/callback
- Under Certificates & secrets, create a new client secret
- Note the Application (client) ID and Client Secret
2. Configure in LumoAuth
- Go to /t/{tenantSlug}/portal/configuration/social-login
- Click Add Provider → Microsoft
- Enter credentials and save
Social Login URLs
Each social provider has tenant-specific authentication URLs:
Initiate: /t/{tenantSlug}/auth/social/{provider}
Callback: /t/{tenantSlug}/auth/social/{provider}/callback
Where {provider} is one of: google, github, microsoft, facebook, apple, linkedin
User Experience
When social login is enabled, the login page displays:
- Social login buttons - One button per enabled provider
- Email/password form - Standard credential login (if enabled)
- Separator - Visual "or" divider between social and credential login
Users who sign up via social login can later:
- Set a password (for email/password login as well)
- Link additional social accounts
- Remove linked social accounts (from the account settings page)
Account Settings
Users can manage their linked social accounts at the account settings page:
/account/security
From here they can:
- View all linked social accounts
- Link new social providers
- Unlink social providers (if they have another login method)
Just-In-Time (JIT) Provisioning
When a user authenticates via social login for the first time, LumoAuth automatically:
- Creates a new user account in the tenant
- Populates the user profile with data from the social provider
- Links the social account to the new user
- Optionally assigns default roles (configurable per tenant)
If a user with the same email already exists, the social account is linked to the existing user instead of creating a duplicate.
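The account-linking outcomes described above (returning linked identity, link to an existing user with the same email, JIT provisioning with default roles) and the unlink rule from the Account Settings section, as an added example that is not LumoAuth's own code. The in-memory store, class and method names are hypothetical; the email_verified guard is a check this example adds, since the page does not say how the email match is qualified.

```python
from dataclasses import dataclass, field
import itertools

@dataclass
class User:
    id: int
    email: str
    name: str
    roles: list = field(default_factory=list)
    has_password: bool = False
    social_links: set = field(default_factory=set)  # {(provider, provider_subject)}

class TenantUsers:
    """In-memory user store for one tenant (constructed for this example)."""
    def __init__(self, default_roles=()):
        self.default_roles = list(default_roles)
        self.users, self.by_link, self.by_email = {}, {}, {}
        self._ids = itertools.count(1)

    def resolve_social_identity(self, provider, subject, email, name, email_verified=True):
        """Return (User or None, outcome). Identity is matched on the provider's
        stable subject id first; email is only a fallback used for linking."""
        key, norm = (provider, subject), email.strip().lower()
        if key in self.by_link:                       # returning user, already linked
            return self.users[self.by_link[key]], "existing-link"
        if norm in self.by_email:                     # same email: link to existing user
            # Added guard (not from the page): only link on an email the provider
            # asserts it has verified, so an unverified claim cannot attach a login.
            if not email_verified:
                return None, "rejected-unverified-email"
            user = self.users[self.by_email[norm]]
            user.social_links.add(key)
            self.by_link[key] = user.id
            return user, "linked-by-email"
        user = User(next(self._ids), norm, name, list(self.default_roles), False, {key})
        self.users[user.id], self.by_link[key], self.by_email[norm] = user, user.id, user.id
        return user, "jit-provisioned"                # new user: JIT provisioning

    def unlink(self, user, provider, subject):
        """Unlink a provider only if another login method remains for the user."""
        key = (provider, subject)
        if key not in user.social_links:
            raise KeyError("provider not linked to this user")
        if not user.has_password and len(user.social_links) == 1:
            raise ValueError("cannot remove the only login method")
        user.social_links.discard(key)
        del self.by_link[key]
```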
Security Considerations
- State parameter - LumoAuth uses the OAuth state parameter to prevent CSRF attacks
- PKCE - When supported by the provider, PKCE is used for additional security
- Token storage - Social provider tokens are encrypted in the database
- Scope minimization - Only request the minimum scopes needed
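How the state parameter and PKCE from the list above fit into the redirect and callback steps of the How It Works flow, as an added example that is not LumoAuth's own code. The provider authorization endpoint, the dict-like server-side session and the function names are assumptions; the callback path follows the tenant URL pattern documented on this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Hypothetical provider endpoint; BASE_URL uses the placeholder domain from this page.
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"
BASE_URL = "https://your-domain.com"

def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge

def begin_social_login(session, tenant_slug, provider, client_id, scopes):
    """Build the provider authorization URL and remember state and verifier in the
    user's server-side session (`session` is any dict-like store)."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    session["social_login"] = {"state": state, "verifier": verifier, "provider": provider}
    redirect_uri = f"{BASE_URL}/t/{tenant_slug}/auth/social/{provider}/callback"
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),          # request only the scopes configured
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def handle_callback(session, callback_url):
    """Validate the provider's redirect. Returns (code, code_verifier) for the token
    exchange, or raises if no login is pending or the state does not match."""
    pending = session.pop("social_login", None)   # single use: consume the pending state
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if pending is None or state is None or code is None:
        raise ValueError("no pending social login or incomplete callback")
    if not hmac.compare_digest(pending["state"], state):  # constant-time compare
        raise ValueError("state mismatch: rejected as CSRF or stale login attempt")
    return code, pending["verifier"]
```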
Related Guides
- Authentication Overview - All authentication methods
- Enterprise SSO - SAML and OIDC for corporate IdPs
- Multi-Factor Authentication - Add MFA on top of social login