Member Guide Org Admin Guide Site Admin Guide

OAuth Providers

Set up social login options so members can sign in with their existing Google, GitHub, or Apple accounts.

OAuth integration allows your members to sign in to fellos using their existing accounts from popular identity providers. Instead of creating and remembering a separate password for your fellos site, members can click "Sign in with Google" (or GitHub, or Apple) and authenticate using an account they already have.

OAuth is entirely optional. Email/password login always works regardless of whether OAuth is configured. OAuth simply provides additional sign-in convenience for your members.

OAuth Providers Configure social login for your members G Google Sign in with Google accounts Client ID 1234567890-abc...apps.googleusercontent.com Client Secret ••••••••••••••••••• GH GitHub Sign in with GitHub accounts Client ID Not configured Client Secret Not configured Apple Sign in with Apple ID Client ID Not configured Client Secret Not configured
The OAuth Providers page — each provider has a card with Client ID and Client Secret fields and an enable/disable toggle. Google is configured and enabled; GitHub and Apple are not yet set up.

Supported Providers

fellos supports three OAuth identity providers:

Google

The most widely used option. Most members already have a Google account, making this the easiest OAuth provider to offer. Google OAuth uses the Google Cloud Console for credential management.

GitHub

Useful for technically-oriented organizations where members likely have GitHub accounts. GitHub OAuth is configured through GitHub's Developer Settings.

Apple

Apple Sign In provides privacy-focused authentication. Members can choose to hide their email address when signing in with Apple. Configuration requires an Apple Developer account.

Configuring a Provider

Each provider requires two pieces of information: a Client ID and a Client Secret. These are obtained from the provider's developer console. The general process is the same for each provider:

  1. Go to the provider's developer console (Google Cloud Console, GitHub Developer Settings, or Apple Developer portal).
  2. Create a new OAuth application or credentials.
  3. Set the redirect URI to your fellos site's OAuth callback URL. This is typically https://yoursite.com/auth/callback/[provider] — fellos shows you the exact URL to use on the configuration page.
  4. Copy the Client ID and Client Secret from the provider's console.
  5. Paste them into the corresponding fields on the fellos OAuth Providers page.
  6. Toggle the provider on (green).
  7. Click Save Changes.

Setting Up Google OAuth

  1. Go to the Google Cloud Console (console.cloud.google.com).
  2. Create a new project or select an existing one.
  3. Navigate to APIs & Services > Credentials.
  4. Click Create Credentials > OAuth client ID.
  5. Select Web application as the application type.
  6. Add your fellos site's OAuth callback URL to the Authorized redirect URIs.
  7. Copy the generated Client ID and Client Secret into fellos.
Tip

If your Google Cloud project is new, you may need to configure the OAuth consent screen first. Set it to "External" (unless you have a Google Workspace domain), add your organization's name and email, and submit for verification if you expect more than 100 users.

Setting Up GitHub OAuth

  1. Go to GitHub > Settings > Developer settings > OAuth Apps.
  2. Click New OAuth App.
  3. Enter your fellos site URL as the Homepage URL.
  4. Enter the OAuth callback URL as the Authorization callback URL.
  5. Click Register application.
  6. Copy the Client ID. Click Generate a new client secret and copy it.
  7. Paste both values into fellos.

Setting Up Apple Sign In

Apple Sign In requires an Apple Developer account ($99/year). The setup is more involved than Google or GitHub:

  1. Go to the Apple Developer portal (developer.apple.com).
  2. Navigate to Certificates, Identifiers & Profiles.
  3. Register a new App ID with the "Sign In with Apple" capability enabled.
  4. Create a Service ID linked to your App ID, and configure the web authentication settings with your fellos site domain and callback URL.
  5. Create a Key for Sign In with Apple and download it.
  6. Use the Service ID as your Client ID and generate a Client Secret using the key file (fellos provides instructions for this step).
Good to know

Apple Sign In gives users the option to hide their real email address by using Apple's private relay email. When a member signs in this way, fellos receives a unique relay address instead of their real email. The member's actual email is still delivered through Apple's relay, but you won't see it directly in their profile.

How OAuth Login Works for Members

Once you've configured and enabled one or more providers, the sign-in page automatically shows the corresponding login buttons. For example, if Google is enabled, members will see a "Sign in with Google" button alongside the standard email/password form.

  • A member clicks the OAuth button and is redirected to the provider's login page.
  • After authenticating with the provider, they're redirected back to fellos.
  • If their provider email matches an existing fellos account, they're logged in automatically.
  • If no matching account exists, the login fails — OAuth doesn't create new accounts automatically. The member must first be onboarded through the normal onboarding workflow using the same email address they use with the OAuth provider.

Security Considerations

  • Client Secrets are sensitive — Treat your OAuth client secrets like passwords. Don't share them or commit them to public repositories.
  • HTTPS required — OAuth providers require your fellos site to use HTTPS. If your site isn't on HTTPS, OAuth won't work.
  • Email matching — OAuth login matches by email address. If a member's provider email doesn't match their fellos account email, the login won't work. They'll need to update their fellos email or use password login instead.
  • OAuth is additive — Enabling OAuth doesn't disable password login. Members always have the option to sign in with email and password, even if OAuth is available.