Skip to main content
Third-party Integration

OAuth 2.0 integration

This topic describes how to implement single sign-on (SSO) for Alibaba Cloud DevOps using the OAuth 2.0 authentication protocol.
Applicable editionDedicated Edition

Create out-of-scope users

Enterprise administrators can configure and manage OAuth 2.0 in Enterprise Management > Third-party Integration. If you need to create users who are not in OAuth 2.0, you can select the Support built-in users checkbox, which allows you to create users outside the synchronization scope.

Configure OAuth 2.0

Step 1: Configure the OAuth client

To configure OAuth 2.0, first create an OAuth 2.0 client in your identity provider. Then, specify whether to skip HTTPS validation and enter the following information into the form.
  • Client ID
  • Client secret
  • Authorization URL
  • Token URL
  • User info URL
In the User info configuration section, enter a value for the User information identifier field. For User information authentication method, select either Authenticate via Header or Authenticate via Params. After you complete the form, click Next.

Step 2: Configure account binding and mapping

Choose one of the following four methods to identify and bind accounts:
  • Automatically bind accounts with the same email address.
  • Automatically bind accounts with the same login name.
  • Automatically bind accounts with the same phone number.
  • Automatically bind accounts with the same employee ID.
Based on the selected binding method, Alibaba Cloud DevOps automatically binds user accounts from your OAuth 2.0 provider to existing accounts with the same attribute. Ensure the selected attribute is unique and exists for all users. Next, configure the user attribute mapping fields. Alibaba Cloud DevOps maps user information according to these settings. These settings cannot be changed after configuration, so proceed with caution. Enter the Unique Account Identifier, which is the OAuth 2.0 user attribute that uniquely identifies an account. The default User Attribute Mapping is as follows: Name is mapped to name, Login Name to user_name, Email to email, Phone to mobile, Employee ID to employId, and Nickname to nickname. After you finish the configuration, click Next.

Step 3: Enable single sign-on

By default, the single sign-on (SSO) service is disabled. After you enable it, you can configure the following SSO-related settings:
  • Configure the Alibaba Cloud DevOps callback URL in your OAuth 2.0 client settings.
  • Customize the display name and icon for the OAuth 2.0 login option that appear on the login page.
  • Choose whether to automatically create an Alibaba Cloud DevOps account for a user on their first login:
    • Disabled (default): If a user's OAuth 2.0 account does not match an existing Alibaba Cloud DevOps account, the user cannot sign in.
    • Enabled: If a user's OAuth 2.0 account does not match an existing Alibaba Cloud DevOps account, a new account is automatically created and bound to it.
You can save the configuration without enabling single sign-on and enable the service later from the OAuth 2.0 integration details page. In the single sign-on section at the bottom of the page, click Start Configuration to enable the service. After configuring all settings, click Save Configuration to complete the OAuth 2.0 integration.

Log in to Qoder CN with OAuth 2.0

After you enable single sign-on, the Alibaba Cloud DevOps login page displays an OAuth 2.0 login option. Users with bound accounts can click this option to log in.

Log out

With single log-out (SLO) enabled, logging out of Alibaba Cloud DevOps also logs the user out of the OAuth 2.0 identity provider (IdP) session.

Session duration

The session duration is determined by the settings in Qoder CN. If the session exceeds the configured duration, you are logged out of Qoder CN. To continue using Qoder CN, you must log in again.

Modify OAuth 2.0 configuration

On the OAuth 2.0 integration details page, click View/Modify Configuration to open a drawer where you can modify optional user attribute mapping fields. Other configuration settings cannot be changed.

Disable single sign-on

On the OAuth 2.0 integration details page, if single sign-on is enabled, click Modify Service Configuration. In the drawer that opens, disable single sign-on. After you disable it:
  • The account binding between Alibaba Cloud DevOps accounts and OAuth 2.0 accounts is not removed.
  • Users can no longer log in to Alibaba Cloud DevOps using their OAuth 2.0 account. They must use their Alibaba Cloud DevOps login name and password to sign in.

Remove OAuth 2.0 integration

To remove the OAuth 2.0 integration, go to the integration details page, click Remove Integration, and confirm the action. Removing the integration has the following effects:
  • The account binding between Alibaba Cloud DevOps accounts and OAuth 2.0 accounts is removed.
  • Users can no longer log in to Alibaba Cloud DevOps using OAuth 2.
  1. They must use their Alibaba Cloud DevOps login name and password to sign in.
Guides
Tutorials
  • Coding with Qoder CN
Developer Reference