SSO & OAuth Authentication
Configure Google OAuth, GitHub OAuth, and generic OIDC for secure production authentication.
SSO & OAuth Authentication
New in v2.3.0
By default, Potato uses a simple username-based login where annotators type any username to sign in. This is convenient for local development and small projects, but production deployments need proper authentication to prevent unauthorized access, ensure annotator identity, and comply with institutional requirements.
Potato 2.3 adds support for three authentication methods:
- Google OAuth -- sign in with Google accounts, with optional domain restriction
- GitHub OAuth -- sign in with GitHub accounts, with optional organization restriction
- Generic OIDC -- connect to any OpenID Connect provider (Okta, Azure AD, Auth0, Keycloak, etc.)
All methods can be combined with Potato's existing username login for a mixed-mode setup.
Google OAuth
Prerequisites
- Create a project in the Google Cloud Console
- Enable the "Google Identity" API
- Create OAuth 2.0 credentials (Web application type)
- Add your Potato server URL to "Authorized redirect URIs":
https://your-server.com/auth/google/callback
Configuration
authentication:
method: google_oauth
google_oauth:
client_id: ${GOOGLE_CLIENT_ID}
client_secret: ${GOOGLE_CLIENT_SECRET}
redirect_uri: "https://your-server.com/auth/google/callback"
# Optional: restrict to specific domain(s)
allowed_domains:
- "umich.edu"
- "research-lab.org"
# Optional: auto-register new users on first login
auto_register: true
# Optional: map Google profile fields to Potato user fields
field_mapping:
username: email # use email as Potato username
display_name: name # show Google display nameDomain Restriction
When allowed_domains is set, only users with email addresses from those domains can sign in. Others see an error message:
authentication:
method: google_oauth
google_oauth:
client_id: ${GOOGLE_CLIENT_ID}
client_secret: ${GOOGLE_CLIENT_SECRET}
allowed_domains:
- "umich.edu"
domain_error_message: "This annotation task is restricted to University of Michigan accounts."GitHub OAuth
Prerequisites
- Go to GitHub Settings > Developer settings > OAuth Apps > New OAuth App
- Set "Authorization callback URL" to
https://your-server.com/auth/github/callback - Note your Client ID and generate a Client Secret
Configuration
authentication:
method: github_oauth
github_oauth:
client_id: ${GITHUB_CLIENT_ID}
client_secret: ${GITHUB_CLIENT_SECRET}
redirect_uri: "https://your-server.com/auth/github/callback"
# Optional: restrict to members of specific GitHub organizations
allowed_organizations:
- "my-research-lab"
- "university-nlp-group"
# Optional: restrict to specific teams within an organization
allowed_teams:
- "my-research-lab/annotators"
# Scopes to request
scopes:
- "read:user"
- "read:org" # needed for organization restriction
auto_register: true
field_mapping:
username: login # GitHub username
display_name: nameOrganization Restriction
GitHub OAuth can restrict access to members of specific organizations. This requires the read:org scope:
authentication:
method: github_oauth
github_oauth:
client_id: ${GITHUB_CLIENT_ID}
client_secret: ${GITHUB_CLIENT_SECRET}
allowed_organizations:
- "my-research-lab"
scopes:
- "read:user"
- "read:org"
org_error_message: "You must be a member of the my-research-lab GitHub organization."Generic OIDC
For enterprise SSO providers (Okta, Azure AD, Auth0, Keycloak, etc.), use the generic OpenID Connect integration.
Configuration
authentication:
method: oidc
oidc:
# Discovery URL (provider's .well-known endpoint)
discovery_url: "https://accounts.example.com/.well-known/openid-configuration"
# Or specify endpoints manually
# authorization_endpoint: "https://accounts.example.com/authorize"
# token_endpoint: "https://accounts.example.com/token"
# userinfo_endpoint: "https://accounts.example.com/userinfo"
# jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
client_id: ${OIDC_CLIENT_ID}
client_secret: ${OIDC_CLIENT_SECRET}
redirect_uri: "https://your-server.com/auth/oidc/callback"
scopes:
- "openid"
- "profile"
- "email"
auto_register: true
field_mapping:
username: preferred_username
display_name: name
email: emailAzure AD Example
authentication:
method: oidc
oidc:
discovery_url: "https://login.microsoftonline.com/${AZURE_TENANT_ID}/v2.0/.well-known/openid-configuration"
client_id: ${AZURE_CLIENT_ID}
client_secret: ${AZURE_CLIENT_SECRET}
redirect_uri: "https://your-server.com/auth/oidc/callback"
scopes:
- "openid"
- "profile"
- "email"
auto_register: true
field_mapping:
username: preferred_username
display_name: nameOkta Example
authentication:
method: oidc
oidc:
discovery_url: "https://your-org.okta.com/.well-known/openid-configuration"
client_id: ${OKTA_CLIENT_ID}
client_secret: ${OKTA_CLIENT_SECRET}
redirect_uri: "https://your-server.com/auth/oidc/callback"
scopes:
- "openid"
- "profile"
- "email"
- "groups" # request group membership
auto_register: true
# Restrict to specific groups
allowed_groups:
- "annotation-team"
field_mapping:
username: preferred_username
display_name: name
groups: groupsKeycloak Example
authentication:
method: oidc
oidc:
discovery_url: "https://keycloak.example.com/realms/annotation/.well-known/openid-configuration"
client_id: ${KEYCLOAK_CLIENT_ID}
client_secret: ${KEYCLOAK_CLIENT_SECRET}
redirect_uri: "https://your-server.com/auth/oidc/callback"
scopes:
- "openid"
- "profile"
- "email"
auto_register: true
field_mapping:
username: preferred_username
display_name: nameDomain Restriction
All OAuth methods support domain restriction based on email addresses. This is useful when you want to allow any account from a specific institution:
authentication:
method: google_oauth # or github_oauth, oidc
domain_restriction:
enabled: true
allowed_domains:
- "umich.edu"
- "stanford.edu"
error_message: "Access is restricted to university accounts."For OIDC providers that include an email claim, domain restriction works automatically. For providers that do not include email, you may need to request the email scope explicitly.
Auto-Registration
By default, users must be pre-registered in Potato before they can annotate. With auto_register: true, any user who successfully authenticates is automatically created in Potato on their first login.
authentication:
auto_register: true
auto_register_role: annotator # annotator or adminTo pre-approve specific users while blocking others:
authentication:
auto_register: false
allowed_users:
- "researcher@umich.edu"
- "student1@umich.edu"
- "student2@umich.edu"
user_not_found_message: "Your account has not been approved. Contact the project administrator."Mixed Mode
You can enable multiple authentication methods simultaneously. The login page shows buttons for each enabled method plus an optional username field.
authentication:
methods:
- google_oauth
- github_oauth
- username # keep simple username login as fallback
google_oauth:
client_id: ${GOOGLE_CLIENT_ID}
client_secret: ${GOOGLE_CLIENT_SECRET}
redirect_uri: "https://your-server.com/auth/google/callback"
github_oauth:
client_id: ${GITHUB_CLIENT_ID}
client_secret: ${GITHUB_CLIENT_SECRET}
redirect_uri: "https://your-server.com/auth/github/callback"
# Username login settings
username:
enabled: true
require_password: true # require a password for username login
password_file: "auth/passwords.yaml"Mixed mode is useful during migration: enable OAuth alongside username login, then disable username login once all annotators have linked their OAuth accounts.
Session Management
Configure session behavior for authenticated users:
authentication:
session:
lifetime_hours: 24 # session duration
refresh: true # refresh session on activity
cookie_secure: true # require HTTPS for cookies
cookie_samesite: "Lax" # SameSite cookie attributeAdmin Authentication
Admin accounts can use the same OAuth flow or a separate authentication method:
authentication:
method: google_oauth
google_oauth:
client_id: ${GOOGLE_CLIENT_ID}
client_secret: ${GOOGLE_CLIENT_SECRET}
admin:
# Admins must match these emails
admin_emails:
- "pi@umich.edu"
- "lead-ra@umich.edu"
# Or use a separate API key for admin access
api_key: ${ADMIN_API_KEY}HTTPS Requirements
OAuth providers require HTTPS for redirect URIs in production. For local development, you can use HTTP with localhost:
# Development (HTTP allowed)
authentication:
google_oauth:
redirect_uri: "http://localhost:8000/auth/google/callback"
# Production (HTTPS required)
authentication:
google_oauth:
redirect_uri: "https://annotation.example.com/auth/google/callback"For production deployments behind a reverse proxy (nginx, Caddy), ensure the proxy forwards the correct X-Forwarded-Proto header:
# nginx example
location / {
proxy_pass http://localhost:8000;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
}Full Example
Complete production authentication setup with Google OAuth, domain restriction, and admin API key:
task_name: "Annotation Project"
task_dir: "."
authentication:
method: google_oauth
google_oauth:
client_id: ${GOOGLE_CLIENT_ID}
client_secret: ${GOOGLE_CLIENT_SECRET}
redirect_uri: "https://annotation.umich.edu/auth/google/callback"
allowed_domains:
- "umich.edu"
auto_register: true
field_mapping:
username: email
display_name: name
session:
lifetime_hours: 48
cookie_secure: true
admin:
admin_emails:
- "pi@umich.edu"
api_key: ${ADMIN_API_KEY}
data_files:
- "data/instances.jsonl"
annotation_schemes:
- annotation_type: radio
name: sentiment
labels: [Positive, Neutral, Negative]
output_annotation_dir: "output/"
output_annotation_format: "jsonl"Further Reading
- Passwordless Login -- email-based magic link authentication
- MTurk Integration -- crowdsourcing platform authentication
- Admin Dashboard -- managing users and permissions
- Quality Control -- ensuring annotator quality with authenticated users
For implementation details, see the source documentation.