2024-04-01 10:02:22 +00:00
# Single Sign-On
Apart from the default authentication mechanism with email and password, users can also log in to Koel Plus via Single Sign-On (SSO).
2024-04-01 10:12:42 +00:00
As of current, the only supported SSO provider is Google, with more to come in the future.
2024-04-01 10:02:22 +00:00
## Google
To enable SSO with Google, you need to create a new OAuth client ID in the [Google Cloud Console ](https://console.cloud.google.com/apis/credentials ).
Pick "Web application" as the application type, and set the "Authorized redirect URIs" to `https://<your-koel-domain>/auth/google/callback` ,
replacing `<your-koel-domain>` with your actual Koel domain.
< CaptionedImage :src = "googleOauth" alt = "Google OAuth" > Create a new Google OAuth client ID< / CaptionedImage >
Afterward, take note of the client ID and client secret values. You can then add them to your `.env` file:
```
SSO_GOOGLE_CLIENT_ID=< your-client-id >
SSO_GOOGLE_CLIENT_SECRET=< your-client-secret >
```
Finally, set the Google-hosted domain that you want to restrict logins. For example, if you only accept users from `your-koel.com` :
```
SSO_GOOGLE_HOSTED_DOMAIN=your-koel.com
```
Save the `.env` file and reload Koel. You should now see a "Log in with Google" button on the login page:
< img src = "../assets/img/plus/login-form-google.webp" loading = "lazy" style = "max-width: 324px" alt = "Google login button" >
Clicking on the Google button will open a new window where you can log in with your Google account (make sure to allow pop-ups if you have a pop-up blocker enabled).
## User Management
When a user logs in via SSO for the first time, a new user account will be created in Koel with the email address, name, avatar, and the SSO ID obtained from the SSO provider.
2024-04-01 10:12:42 +00:00
If, however, there's already an existing user with the same email address , Koel will merge the two accounts with a sensible merging strategy.
2024-04-01 10:02:22 +00:00
2024-04-01 10:12:42 +00:00
SSO users can update their name and avatar, but not their email address. Furthermore, a new user created via SSO does not have a password set and won't be able to log in via the email+password method.
2024-04-01 10:02:22 +00:00
< script lang = "ts" setup >
import googleOauth from '../assets/img/plus/google-oauth.webp'
< / script >