You cannot connect a user’s accounts with shared OAuth keys. You need to set up your own OAuth client ID and client secret in Stack’s dashboard. For more details, check Going to Production.
Connecting with OAuth providers
You can access a user’s connected account with theuser.getConnectedAccount(providerId) function or user.useConnectedAccount(providerId) hook.
Often, you’ll want to redirect the user to the OAuth provider’s authorization page if they have not connected the account yet. Just like the getUser(...) function, getConnectedAccount(...) can also take an { or: "redirect" } argument to achieve this.
Here’s how to connect with Google:
Providing scopes
Most providers have access control in the form of OAuth scopes. These are the permissions that the user will see on the authorization screen (eg. “Your App wants access to your calendar”). For instance, to read Google Drive content, you need thehttps://www.googleapis.com/auth/drive.readonly scope:
Retrieving the access token
Once connected with an OAuth provider, obtain the access token with theaccount.getAccessToken() function. Check your provider’s API documentation to understand how you can use this token to authorize the user in requests.
Sign-in default scopes
To avoid showing the authorization page twice, you can already request scopes during the sign-in flow. This approach is optional. Some applications may prefer to request extra permissions only when needed, while others might want to obtain all necessary permissions upfront. To do this, edit theoauthScopesOnSignIn setting of your hexclaveServerApp:
stack/server.ts
OAuth account merging strategies
When a user attempts to sign in with an OAuth provider that matches an existing account, Stack provides different strategies for handling the authentication flow. The available strategies are:- Allow duplicates (legacy default)
- Link method (new default)
- Block duplicates (most secure)