docs: clarify OAuth callback setup for GitHub and Google#260
docs: clarify OAuth callback setup for GitHub and Google#260mason5052 wants to merge 2 commits intovxcontrol:mainfrom
Conversation
Signed-off-by: Mason Kim(ZINUS US_SALES) <mkim@zinus.com>
There was a problem hiding this comment.
Pull request overview
Updates the documentation to make OAuth provider-side configuration (GitHub/Google callback settings) explicit, based on how PentAGI constructs redirect URIs from PUBLIC_URL.
Changes:
- Clarifies how
PUBLIC_URLis used to construct OAuth callback URLs. - Documents provider console values (Homepage URL / Redirect URI) for GitHub and Google.
- Adds
.envconfiguration examples for both providers in docs.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
backend/docs/config.md |
Expands PUBLIC_URL/OAuth configuration guidance and adds provider-side callback setup + env examples. |
README.md |
Adds explicit GitHub/Google OAuth setup steps and .env examples, emphasizing callback construction. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| | ----------------------- | ---------------------------- | ------------- | ------------------------------------------------------ | | ||
| | CookieSigningSalt | `COOKIE_SIGNING_SALT` | *(none)* | Salt for signing and securing cookies used in sessions | | ||
| | PublicURL | `PUBLIC_URL` | *(none)* | Public URL for auth callbacks from OAuth providers | | ||
| | PublicURL | `PUBLIC_URL` | *(none)* | Public base URL used to build OAuth callback URLs such as `/auth/login-callback` | |
There was a problem hiding this comment.
The callback path referenced here is missing the API base path. In backend/pkg/server/router.go, the redirect URI is built with path.Join(baseURL, "/auth/login-callback") where baseURL is /api/v1, so the provider redirect URI becomes ${PUBLIC_URL}/api/v1/auth/login-callback (not ${PUBLIC_URL}/auth/login-callback). Also note the router overwrites publicURL.Path, so PUBLIC_URL should be an origin (scheme/host/port) without an additional path segment.
| In the default deployment, configure your OAuth providers with: | ||
| - **Homepage URL**: `PUBLIC_URL` | ||
| - **Authorization callback URL / Redirect URI**: `${PUBLIC_URL}/auth/login-callback` | ||
|
|
There was a problem hiding this comment.
This section instructs configuring the provider redirect URI as ${PUBLIC_URL}/auth/login-callback, but the actual route registered by the router is under the API group (/api/v1/auth/login-callback). Please update the provider configuration bullets and example to match the real redirect URI to avoid continued redirect_uri mismatch errors.
| PentAGI uses `PUBLIC_URL` as the public base URL for OAuth redirects. In the default deployment, both GitHub and Google callbacks are handled by: | ||
|
|
||
| For using Google OAuth you need to create a new OAuth application in your Google account and set the `OAUTH_GOOGLE_CLIENT_ID` and `OAUTH_GOOGLE_CLIENT_SECRET` in `.env` file. | ||
| ```text | ||
| ${PUBLIC_URL}/auth/login-callback | ||
| ``` |
There was a problem hiding this comment.
The documented callback endpoint ${PUBLIC_URL}/auth/login-callback does not match the server route. In backend/pkg/server/router.go, the callback is registered under the /api/v1 group, so the actual redirect URI is ${PUBLIC_URL}/api/v1/auth/login-callback. Please update this block accordingly so users don’t configure the wrong redirect URI.
|
|
||
| 1. Create a new OAuth App in your GitHub account. | ||
| 2. Set **Homepage URL** to your `PUBLIC_URL`. | ||
| 3. Set **Authorization callback URL** to `${PUBLIC_URL}/auth/login-callback`. |
There was a problem hiding this comment.
These GitHub OAuth setup steps use ${PUBLIC_URL}/auth/login-callback, but the backend registers the callback under /api/v1/auth/login-callback. Please update the Authorization callback URL value to ${PUBLIC_URL}/api/v1/auth/login-callback to align with the actual redirect URI sent by PentAGI.
| 3. Set **Authorization callback URL** to `${PUBLIC_URL}/auth/login-callback`. | |
| 3. Set **Authorization callback URL** to `${PUBLIC_URL}/api/v1/auth/login-callback`. |
| 1. Create OAuth credentials in your Google Cloud project. | ||
| 2. Use the same callback endpoint: `${PUBLIC_URL}/auth/login-callback`. | ||
| 3. Add the client credentials to your `.env` file: |
There was a problem hiding this comment.
Similarly for Google OAuth, the redirect URI should include the API base path. The backend callback endpoint is ${PUBLIC_URL}/api/v1/auth/login-callback, not ${PUBLIC_URL}/auth/login-callback; otherwise Google will reject the login with a redirect URI mismatch.
Summary
PUBLIC_URLis used to build OAuth callback URLs.envexamples for GitHub and Google OAuth in bothREADME.mdandbackend/docs/config.mdProblem
Issue #219 reports that the OAuth setup docs explain the client ID and secret, but do not explain what to use for the provider-side callback settings.
As a result, users can configure GitHub OAuth credentials and still hit
redirect_urimismatch errors because the requiredHomepage URLandAuthorization callback URLvalues are not documented.Solution
Document the callback construction used by PentAGI's router and make the provider configuration explicit:
Homepage URL = PUBLIC_URLAuthorization callback URL / Redirect URI = ${PUBLIC_URL}/api/v1/auth/login-callbackThis PR also adds concrete
.envexamples, clarifies thatPUBLIC_URLis the public origin/base URL, and notes that Google uses the same PentAGI callback endpoint.User Impact
Users setting up GitHub or Google OAuth no longer need to infer callback values from the codebase. The required provider configuration is documented directly where the OAuth environment variables are explained.
Closes #219.
Test Plan
PUBLIC_URL,baseURL, and/auth/login-callbackinbackend/pkg/server/router.go.env.examplebackend/docs/config.mdmatches the current router behaviorgit diff --check