kurrier

OpenID Connect (OIDC)

Authentication using OpenID Connect (OIDC) providers.

🔐 OpenID Connect (OIDC) Login

Kurrier supports authentication using OpenID Connect (OIDC) providers.

Currently, Google login is available out of the box, but the architecture is provider-agnostic and additional providers such as GitHub, Microsoft, Auth0, Okta, Keycloak, Zitadel, and others can be added easily.


✨ Currently Supported

  • Google OIDC Login

Additional providers can be implemented by adding another OIDC route and provider configuration.


🧠 How It Works

Kurrier uses the standard building blocks:

  • OAuth 2.0 Authorization Code Flow
  • PKCE (Proof Key for Code Exchange)
  • OpenID Connect identity claims

The authentication flow is:

  1. User clicks “Continue with Google”
  2. Kurrier redirects the user to Google
  3. Google authenticates the user
  4. Google redirects back to Kurrier callback route
  5. Kurrier verifies the response
  6. User account + workspace are created automatically if they do not exist
  7. Session cookie is issued
  8. User is redirected into the workspace dashboard

📦 Environment Variables

Add the following to your .env:

OIDC_GOOGLE_CLIENT_ID=your_google_client_id
OIDC_GOOGLE_CLIENT_SECRET=your_google_client_secret

🛠 Creating Google OAuth Credentials

  1. Open Google Cloud Console
  2. Navigate to APIs & Services → Credentials
  3. Click Create Credentials → OAuth Client ID
  4. Choose Web Application

Authorized Redirect URI

Add:

http://localhost:3000/api/auth/oidc/google/callback

For production:

https://your-domain.com/api/auth/oidc/google/callback

The URI registered in Google Cloud Console must match the redirect_uri Kurrier sends in the authorization request exactly (scheme, host, port and path); otherwise Google rejects the request with redirect_uri_mismatch.

📁 Route Structure

Google OIDC flow is implemented using App Router route handlers.

app/
└── api/
    └── auth/
        └── oidc/
            └── google/
                ├── route.ts
                └── callback/
                    └── route.ts

🚀 Start Route

The start route:

/api/auth/oidc/google

Responsibilities:

  • Discover Google OIDC configuration
  • Generate PKCE verifier/challenge
  • Generate state token
  • Store temporary cookies
  • Redirect user to Google authorization endpoint

↩ Callback Route

The callback route:

/api/auth/oidc/google/callback

Responsibilities:

  • Validate state against the temporary cookie
  • Read the PKCE verifier from the temporary cookie
  • Exchange the authorization code for tokens, sending the verifier so the provider can check it against the earlier challenge
  • Read user claims
  • Create or locate user
  • Create auth provider/account records
  • Create session cookie
  • Redirect into workspace
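The handshake the two routes share, as an added example (not Kurrier's own route handlers): the start route mints state, nonce and a PKCE verifier, keeps them in short-lived cookies and sends only the S256 challenge to the provider; the callback checks state in constant time before it spends a network round trip, then builds the token request that carries the verifier. `ProviderConfig`, `PendingLogin` and the function names are assumptions for this example; the only dependency is node:crypto.

```typescript
// Added example, not Kurrier's code: PKCE + state handshake split between a
// start route and a callback route. Type and function names are assumptions.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// What the start route stores in short-lived HttpOnly cookies and the
// callback route reads back.
interface PendingLogin {
  state: string;
  codeVerifier: string;
  nonce: string;
}

// Values normally filled from the provider's discovery document plus .env.
interface ProviderConfig {
  authorizationEndpoint: string;
  clientId: string;
  redirectUri: string;
  scopes: string[];
}

// RFC 7636 S256: code_challenge = BASE64URL(SHA-256(code_verifier)), unpadded.
function pkceChallenge(codeVerifier: string): string {
  return createHash("sha256").update(codeVerifier).digest("base64url");
}

// 32 random bytes encode to 43 base64url characters, the RFC 7636 minimum length.
function randomToken(): string {
  return randomBytes(32).toString("base64url");
}

// Start route: mint the pending values and build the authorization URL.
// The verifier never leaves the server; only its challenge goes to the provider.
function beginLogin(
  cfg: ProviderConfig,
  pending: PendingLogin = { state: randomToken(), codeVerifier: randomToken(), nonce: randomToken() },
): { pending: PendingLogin; redirectUrl: string } {
  const url = new URL(cfg.authorizationEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", cfg.clientId);
  url.searchParams.set("redirect_uri", cfg.redirectUri);
  url.searchParams.set("scope", cfg.scopes.join(" "));
  url.searchParams.set("state", pending.state);
  url.searchParams.set("nonce", pending.nonce);
  url.searchParams.set("code_challenge", pkceChallenge(pending.codeVerifier));
  url.searchParams.set("code_challenge_method", "S256");
  return { pending, redirectUrl: url.toString() };
}

// Constant-time comparison; a length mismatch is simply "not equal".
function safeEqual(a: string, b: string): boolean {
  const x = Buffer.from(a, "utf8");
  const y = Buffer.from(b, "utf8");
  return x.length === y.length && timingSafeEqual(x, y);
}

type CallbackResult =
  | { ok: true; tokenRequest: URLSearchParams }
  | { ok: false; reason: string };

// Callback route: reject anything that does not match the pending cookie
// before contacting the provider, then build the token request. The provider,
// not the application, checks code_verifier against the earlier challenge.
function completeLogin(pending: PendingLogin | undefined, callbackUrl: string, cfg: ProviderConfig): CallbackResult {
  const params = new URL(callbackUrl).searchParams;
  const providerError = params.get("error");
  if (providerError) return { ok: false, reason: `provider returned error: ${providerError}` };
  if (!pending) return { ok: false, reason: "no pending login (cookie missing or expired)" };
  const state = params.get("state");
  if (!state || !safeEqual(state, pending.state)) return { ok: false, reason: "state mismatch" };
  const code = params.get("code");
  if (!code) return { ok: false, reason: "authorization code missing" };
  const tokenRequest = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: cfg.redirectUri,
    client_id: cfg.clientId,
    code_verifier: pending.codeVerifier,
  });
  return { ok: true, tokenRequest };
}
```

In a real handler the `PendingLogin` values go into HttpOnly, SameSite cookies with a lifetime of a few minutes and are cleared on the callback, so a replayed or stale callback URL fails the state check rather than reaching the token endpoint. The client secret is added to the token request server-side (for example as HTTP Basic credentials) and never appears in anything the browser sees.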

🗄 Database Records

Successful OIDC login creates:

users

Primary application user.

workspaces

Default workspace for the user.

workspace_members

Workspace ownership membership.

auth_providers

OIDC provider metadata for the workspace.

auth_accounts

Provider-linked external identity record.


🔒 Security Notes

Kurrier uses:

  • PKCE
  • State validation
  • HttpOnly session cookies
  • Verified Google email requirement
  • Signed JWT session tokens

Sensitive provider tokens are never logged in production.
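What the "verified email" requirement and the other callback-side checks look like on an ID token, as an added example that is not Kurrier's code: after the token's signature has been verified against the provider's jwks_uri (assumed done, not shown here), the payload still has to be checked for issuer, audience, expiry, the nonce issued by the start route, and `email_verified`. `IdTokenClaims`, `ClaimPolicy`, the function names and the sample token are constructed for this example.

```typescript
// Added example, not Kurrier's code: claim checks on an ID token payload
// after signature verification. Names and the sample token are constructed.
import { Buffer } from "node:buffer";

interface IdTokenClaims {
  iss: string;
  aud: string | string[];
  sub: string;
  exp: number;
  iat: number;
  nonce?: string;
  email?: string;
  email_verified?: boolean;
  [claim: string]: unknown;
}

interface ClaimPolicy {
  issuers: string[];        // the discovery document's "issuer" value(s)
  clientId: string;
  expectedNonce: string;    // the nonce the start route stored in its cookie
  clockSkewSeconds?: number;
}

type ClaimResult =
  | { ok: true; identity: { sub: string; email: string } }
  | { ok: false; reason: string };

// Decode only. This does NOT verify the signature; do that first with the
// provider's JWKS, or an attacker can hand you any payload they like.
function decodeJwtPayload(jwt: string): IdTokenClaims {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")) as IdTokenClaims;
}

function validateIdToken(
  claims: IdTokenClaims,
  policy: ClaimPolicy,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): ClaimResult {
  const skew = policy.clockSkewSeconds ?? 60;
  const fail = (reason: string): ClaimResult => ({ ok: false, reason });
  if (!policy.issuers.includes(claims.iss)) return fail("unexpected issuer");
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(policy.clientId)) return fail("token not issued for this client");
  if (typeof claims.exp !== "number" || claims.exp + skew <= nowSeconds) return fail("token expired");
  if (typeof claims.iat === "number" && claims.iat - skew > nowSeconds) return fail("token issued in the future");
  if (!claims.nonce || claims.nonce !== policy.expectedNonce) return fail("nonce mismatch");
  if (claims.email_verified !== true || typeof claims.email !== "string") return fail("email not verified");
  if (typeof claims.sub !== "string" || claims.sub.length === 0) return fail("missing subject");
  // Link the external identity by sub, which is stable; an email address can change hands.
  return { ok: true, identity: { sub: claims.sub, email: claims.email } };
}

// Constructed, unsigned sample token (header.payload.signature) for demonstration only.
function sampleIdToken(claims: IdTokenClaims): string {
  const b64 = (obj: unknown): string => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(claims)}.signature-not-checked-here`;
}
```

The `auth_accounts` record described above should key on the provider's `sub`, not on the email: a verified email proves the user controls that mailbox today, while `sub` is the identifier the provider guarantees not to reassign.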


➕ Adding More Providers

Additional providers can be added by implementing another OIDC route pair.

Examples:

/api/auth/oidc/github
/api/auth/oidc/microsoft
/api/auth/oidc/keycloak

Most providers only require:

  • Discovery URL
  • Client ID
  • Client Secret
  • Redirect URI
  • Scope configuration

The rest of the flow remains identical.


📚 References