---
url: /en/paas/oauth-config.md
---
## Overview

Through OAuth 2.0, the Cloud Native Build Platform can integrate with user authentication systems to enable Single Sign-On (SSO), allowing users to access the platform with existing credentials without repeated registration, while ensuring data consistency and security.

## Authorization Code Grant Type

Cloud Native Build supports the OAuth 2.0 Authorization Code Grant Type, which web applications and native applications use to obtain access tokens after the user has authorized them.

## Workflow

```mermaid
sequenceDiagram
    participant User
    participant CNB as Cloud Native Build
    participant Auth as Authorization Service
    participant Res as Resource Service
    User->>CNB: 1. access
    CNB->>Auth: 2. request auth
    Auth->>User: 3. display consent
    User->>Auth: 4. give consent
    Auth->>CNB: 5. issue auth code
    CNB->>Auth: 6. request token
    Auth->>Auth: 7. validate the request
    Auth->>CNB: 8. return token
    CNB->>Res: 9. call resource api with token
    Res->>CNB: 10. return data
```

The diagram above illustrates the interactions in the OAuth Authorization Code Grant flow.

1. The user attempts to access the application (Cloud Native Build).
2. The client application calls the authorize endpoint of the authorization server.
3. The authorization server responds with a redirect URI and, where applicable, the user is redirected to the authorization (consent) page.
4. The user authenticates via their identity source (e.g., username and password) and consents.
5. The authorization server issues an authorization code (code).
6. The client application authenticates to the token endpoint with the configured authentication method and presents the authorization code to request a token.
7. The authorization server validates the authorization code (code), client ID, and client secret.
8. The authorization server returns an access token.
9. The client application requests protected resources from the resource server and submits the token received in the previous step.
10. The resource server validates the token and responds with the requested resources.
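The ten steps above, driven end to end in code, as an added example that is not part of this page or of the Cloud Native Build code base. It is written in Python and assumes a hypothetical login configuration (the `CONFIG` values are placeholders) and a constructed `FakeAuthorizationServer` that stands in for the real authorization service so the exchange runs offline; client authentication uses the client ID and secret in the token request body. The client side shows the two checks a relying party must make: the `state` value it generated is verified on the callback before the code is accepted, and the code is exchanged exactly once. The fake server side shows what step 7 validates (client ID, client secret, single-use code, matching redirect URI) and returns the standard OAuth error codes when a check fails.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed login configuration mirroring the parameters on this page.
# Every value is a hypothetical placeholder, not a real deployment.
CONFIG = {
    "client_id": "cnb-example-client",
    "client_secret": "example-secret-placeholder",
    "scope": "openid profile email",
    "authorize_url": "https://idp.example.test/oauth/authorize",  # Authorization Request
    "token_url": "https://idp.example.test/oauth/token",          # Token Request
    "redirect_uri": "https://cnb.example.test/oauth/callback",
}


def build_authorize_url(config, state):
    """Step 2: send the user to the authorize endpoint. `state` is a random
    per-login value the client keeps in the user's session."""
    params = {
        "response_type": "code",
        "client_id": config["client_id"],
        "redirect_uri": config["redirect_uri"],
        "scope": config["scope"],
        "state": state,
    }
    return f"{config['authorize_url']}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 5: the server redirects back with code and state. Reject the callback
    unless state matches the session value; that binds the code to this login."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not bound to this login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(config, code):
    """Step 6: exchange the code at the token endpoint; the client authenticates
    with client_id and client_secret in the POST body."""
    return {
        "url": config["token_url"],
        "data": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": config["redirect_uri"],
            "client_id": config["client_id"],
            "client_secret": config["client_secret"],
        },
    }


class FakeAuthorizationServer:
    """Constructed stand-in for the authorization service so the flow runs offline.
    It issues single-use codes and performs the step 7 validation."""

    def __init__(self, client_id, client_secret):
        self.client_id = client_id
        self.client_secret = client_secret
        self.codes = {}  # code -> redirect_uri it was issued for

    def authorize(self, authorize_url):
        """Steps 3-5 collapsed: the user consents and a code is redirected back."""
        q = parse_qs(urlparse(authorize_url).query)
        if q.get("client_id", [""])[0] != self.client_id:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["redirect_uri"][0]
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, request):
        """Steps 7-8: validate code, client ID, client secret and redirect URI."""
        d = request["data"]
        if d.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if d.get("client_id") != self.client_id or not hmac.compare_digest(
            d.get("client_secret", "").encode(), self.client_secret.encode()
        ):
            return {"error": "invalid_client"}
        issued_for = self.codes.pop(d.get("code"), None)  # a code can be redeemed once
        if issued_for is None or issued_for != d.get("redirect_uri"):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}


def run_login(config, server):
    """Drive steps 1-8 end to end and return the token endpoint's response."""
    state = secrets.token_urlsafe(16)
    callback_url = server.authorize(build_authorize_url(config, state))
    code = parse_callback(callback_url, state)
    return server.token(build_token_request(config, code))
```

Running `run_login(CONFIG, FakeAuthorizationServer(CONFIG["client_id"], CONFIG["client_secret"]))` returns a bearer token; redeeming the same code a second time yields `invalid_grant`, a wrong client secret yields `invalid_client`, and a callback whose `state` does not match the session value is rejected before any token request is made. Steps 9 and 10 (calling the resource service with the token) are not simulated here.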

## Configuration

Go to the Admin Management Platform to create login configurations for third-party services.

The login configuration requires the following parameters:

| Parameter Name | Type | Required | Description |
|:---------------|:----:|:--------:|:------------|
| Client ID | String | Y | Client ID, used with the secret to authenticate the application service identity to the authorization server |
| Client Secret | String | Y | Client secret, used with the ID to authenticate the application service identity to the authorization server |
| Scope | String | Y | Permission scope, defining the read/write permissions of the token provided by the authorization service |
| Authorization Method | String | Y | Currently only supports auto-detection |
| Authorization Request | String | Y | Service address for the application to request OAuth authorization |
| Token Request | String | Y | Service address for the application to obtain tokens |
| User Info Request | String | Y | Resource service address for the application to request user resources after obtaining the token |
| Synchronous Logout URL | String | N | URL for the application to request synchronous logout of OAuth users after the user logs out |
| User ID Mapping Attribute | String | N | Map the specified attribute of the user resource to the openid field in the Cloud Native Build user table |
| User Account Mapping Attribute | String | N | Map the specified attribute of the user resource to the name field in the Cloud Native Build user table |
| User Name Mapping Attribute | String | N | Map the specified attribute of the user resource to the nick field in the Cloud Native Build user table |
| User Email Mapping Attribute | String | N | Map the specified attribute of the user resource to the email field in the Cloud Native Build user table |
| User Avatar Mapping Attribute | String | N | Map the specified attribute of the user resource to the avatar field in the Cloud Native Build user table |
| Prompt Message Mapping Attribute | String | N | Map the specified attribute of the user resource to the msg field in the Cloud Native Build user table |
| Synchronization Permission Settings | String | N | Whether to allow importing users to modify name/account/email fields |
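How the mapping parameters in the table translate a user-info response into the user table fields, as an added example in Python that is not part of this page or of the platform's own code. The attribute names in `MAPPING`, the dotted-path syntax for nested attributes, and the `SAMPLE_USER_INFO` response are all constructed for illustration; how a real identity provider names its fields varies. The reading of "Synchronization Permission Settings" as deciding whether a later login may overwrite the name, nick and email of an already-imported user is an assumption made for this example. The openid field is treated as mandatory because it is the stable key that identifies the user on subsequent logins.

```python
# Constructed mapping configuration mirroring the "Mapping Attribute" parameters.
# Attribute names are hypothetical; a real identity provider's fields differ.
MAPPING = {
    "openid": "sub",                 # User ID Mapping Attribute
    "name": "preferred_username",    # User Account Mapping Attribute
    "nick": "profile.display_name",  # User Name Mapping Attribute
    "email": "email",                # User Email Mapping Attribute
    "avatar": "profile.picture",     # User Avatar Mapping Attribute
    "msg": "note",                   # Prompt Message Mapping Attribute
}

# Fields governed by "Synchronization Permission Settings" (assumption: the
# setting decides whether a later login may overwrite these on an existing user).
SYNC_FIELDS = ("name", "nick", "email")

# Constructed user-info response, as the User Info Request might return it.
SAMPLE_USER_INFO = {
    "sub": "u-10042",
    "preferred_username": "alice",
    "email": "alice@example.test",
    "profile": {
        "display_name": "Alice Liddell",
        "picture": "https://idp.example.test/a/10042.png",
    },
}


def lookup(resource, path):
    """Resolve a dotted attribute path inside the user resource; None if absent."""
    cur = resource
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def map_user(resource, mapping):
    """Build the user-table record from the user resource. openid is required
    because it is the stable key used to find the user on later logins."""
    user = {field: lookup(resource, attr) for field, attr in mapping.items() if attr}
    if not user.get("openid"):
        raise ValueError("user resource has no value for the openid mapping attribute")
    return user


def sync_user(existing, incoming, allow_sync):
    """Merge a freshly mapped record into the stored one. openid never changes;
    SYNC_FIELDS are overwritten only when allow_sync is True; the remaining
    fields are refreshed whenever the resource supplies a value."""
    if existing is None:
        return dict(incoming)  # first login: import the user as mapped
    if existing["openid"] != incoming["openid"]:
        raise ValueError("refusing to merge records with different openid")
    merged = dict(existing)
    for field, value in incoming.items():
        if field == "openid" or value is None:
            continue
        if field in SYNC_FIELDS and not allow_sync:
            continue
        merged[field] = value
    return merged
```

With the sample response, `map_user` yields openid `u-10042`, nick `Alice Liddell` and a `msg` of `None` (no `note` attribute is present). On a repeat login, `sync_user` with the permission disabled keeps the stored name, nick and email while still refreshing the avatar; with it enabled, those three fields follow the identity provider.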
