OAuth2 Authentication
The web client can work with moor-web-host to authenticate players using OAuth2 providers such as Discord, GitHub, or Google. Which providers are available depends on the web-host configuration for your deployment. OAuth2 flows run through the web-host API and complete back in the web client.
How It Works
-
Login Screen: The login screen shows OAuth2 provider buttons (Discord, GitHub, Google) when enabled on the web host.
-
Authorization: Clicking a provider button redirects the browser to that provider's authorization page.
-
Callback: After authorization, the provider redirects back to the web client with an authorization code.
-
Token Exchange: The web client sends the code to
moor-web-host, which exchanges it for user info. -
Account Choice: The player can either:
- Create a new character linked to their OAuth2 identity
- Link to an existing character (requires existing credentials)
-
Session: The resulting session uses PASETO authentication tokens, identical to username/password login.
Supported Providers
| Provider | Icon | Configuration Required |
|---|---|---|
| Discord | Discord logo | OAuth2 app in Discord Developer Portal |
| GitHub | GitHub logo | OAuth app in GitHub Settings |
| Google logo | OAuth2 credentials in Google Cloud Console |
Providers only appear on the login screen if configured in moor-web-host.
Account Creation with OAuth2
When creating a new account via OAuth2, the wizard guides the player through:
- Credentials: Choose a character name (username is pre-filled from OAuth2 profile)
- Privacy Policy: Accept site privacy policy (if configured)
- Encryption Info: Learn about event log encryption (if enabled)
- Encryption Password: Set an encryption password for event log encryption
Encryption Password
If event logging is enabled, players must create an encryption password. This password is separate from the OAuth2 identity and is used to encrypt the player's event log history.
Linking to Existing Account
Players with an existing username/password account can link their OAuth2 identity:
- Click the OAuth2 provider button
- After OAuth2 authorization, choose "Link to existing account"
- Enter existing username and password
- The OAuth2 identity is now linked—future logins can use either method
Notes for Operators
Web-Host Configuration
OAuth2 providers are configured in moor-web-host configuration, not the web client. Each provider requires:
- Client ID from the OAuth2 provider
- Client Secret (kept server-side only)
- Redirect URI matching your deployment URL
Example web-host configuration:
oauth2:
discord:
client_id: "your-discord-client-id"
client_secret: "your-discord-client-secret"
github:
client_id: "your-github-client-id"
client_secret: "your-github-client-secret"
Provider Setup
Each provider has its own developer console for creating OAuth2 applications:
| Provider | Developer Console | Redirect URI Path |
|---|---|---|
| Discord | discord.com/developers | /auth/oauth2/discord/callback |
| GitHub | github.com/settings/developers | /auth/oauth2/github/callback |
| console.cloud.google.com | /auth/oauth2/google/callback |
Security Considerations
- OAuth2 secrets are never exposed to the web client
- The web-host validates all OAuth2 callbacks server-side
- PASETO tokens are used for session management after OAuth2 authentication
- Event log encryption remains independent of OAuth2 provider
Troubleshooting
Provider Button Not Showing
- Verify the provider is configured in web-host
- Check web-host logs for configuration errors
- Ensure the web-host is reachable
Callback Errors
- Verify redirect URI matches exactly (including trailing slashes)
- Check that client ID and secret are correct
- Review provider's OAuth2 error messages
Linking Fails
- Ensure the existing account credentials are correct
- The account may already be linked to a different OAuth2 identity
- Check web-host logs for detailed error information