Configuring Providers
This guide walks through setting up specific identity providers with Abyss. Each provider requires creating an OAuth2/OIDC application on the external platform and registering it in FerrisKey.
Google
Create a Google OAuth2 app
Go to the Google Cloud Console, create an OAuth 2.0 Client ID with:
- Application type: Web application
- Authorized redirect URI:
https://your-ferriskey.com/realms/{realm}/broker/google/callback
Register in FerrisKey
In the FerrisKey admin console, navigate to Identity Providers → Add Provider and configure:
| Field | Value |
|---|---|
| Name | Google |
| Type | oauth2 |
| Client ID | From Google Console |
| Client Secret | From Google Console |
| Authorization URL | https://accounts.google.com/o/oauth2/v2/auth |
| Token URL | https://oauth2.googleapis.com/token |
| UserInfo URL | https://openidconnect.googleapis.com/v1/userinfo |
| Scopes | openid, email, profile |
GitHub
Create a GitHub OAuth App
Go to GitHub → Settings → Developer settings → OAuth Apps → New OAuth App:
- Authorization callback URL:
https://your-ferriskey.com/realms/{realm}/broker/github/callback
Register in FerrisKey
| Field | Value |
|---|---|
| Name | GitHub |
| Type | oauth2 |
| Client ID | From GitHub |
| Client Secret | From GitHub |
| Authorization URL | https://github.com/login/oauth/authorize |
| Token URL | https://github.com/login/oauth/access_token |
| UserInfo URL | https://api.github.com/user |
| Scopes | read:user, user:email |
Discord
Create a Discord Application
Go to the Discord Developer Portal, create an application, and add an OAuth2 redirect:
- Redirect URL:
https://your-ferriskey.com/realms/{realm}/broker/discord/callback
Register in FerrisKey
| Field | Value |
|---|---|
| Name | Discord |
| Type | oauth2 |
| Client ID | From Discord |
| Client Secret | From Discord |
| Authorization URL | https://discord.com/api/oauth2/authorize |
| Token URL | https://discord.com/api/oauth2/token |
| UserInfo URL | https://discord.com/api/users/@me |
| Scopes | identify, email |
Custom OIDC Provider
For any OpenID Connect compliant provider (Okta, Auth0, Azure AD, Keycloak):
| Field | How to Find It |
|---|---|
| Authorization URL | Provider’s .well-known/openid-configuration → authorization_endpoint |
| Token URL | → token_endpoint |
| UserInfo URL | → userinfo_endpoint |
| Scopes | Typically openid email profile |
OIDC Discovery
Most OIDC providers publish their configuration at https://provider.com/.well-known/openid-configuration. Use this to find all the endpoint URLs you need.
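As an added example (not FerrisKey code), the sketch below maps a discovery document to the fields in the table above and refuses one whose issuer does not match or whose endpoints are not HTTPS. The `provider_fields` helper and the `idp.example.com` document are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document (not taken from a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
})

# Discovery key -> field label used in the table above.
FIELD_MAP = {
    "authorization_endpoint": "Authorization URL",
    "token_endpoint": "Token URL",
    "userinfo_endpoint": "UserInfo URL",
}


def provider_fields(expected_issuer, discovery_json, scopes=("openid", "email", "profile")):
    """Return the provider form fields, or raise ValueError if the document should not be used."""
    doc = json.loads(discovery_json)
    # OIDC Discovery: the issuer must exactly match the URL the document was fetched for.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    fields = {}
    for key, label in FIELD_MAP.items():
        url = doc.get(key)
        if not isinstance(url, str) or not url:
            raise ValueError(f"missing {key}")
        parts = urlsplit(url)
        # Authorization codes, tokens and the client secret travel to these URLs.
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"{key} is not an https URL: {url!r}")
        fields[label] = url
    # scopes_supported is optional in discovery; only check it when present.
    supported = doc.get("scopes_supported")
    if supported is not None:
        missing = [s for s in scopes if s not in supported]
        if missing:
            raise ValueError(f"provider does not advertise scopes: {missing}")
    fields["Scopes"] = " ".join(scopes)
    return fields


if __name__ == "__main__":
    for label, value in provider_fields("https://idp.example.com", SAMPLE_DISCOVERY).items():
        print(f"{label}: {value}")
```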
Provider Management
Disabling a Provider
Toggle enabled to false to hide the provider from the login page without deleting its configuration. Existing federated credentials remain — users can still log in through other methods.
Updating Credentials
When you rotate the client secret on the external provider, update it in FerrisKey immediately. A mismatched secret will cause all federated logins through that provider to fail.
Provider-Specific Configuration
The configuration field accepts arbitrary JSON for provider-specific settings. For example, Azure AD may need a tenant_id:
{
  "tenant_id": "your-azure-tenant-id"
}