Configure OAuth providers

Torii brokers the OAuth flow for you: the provider redirects back to Torii, which then completes sign-in and hands your app a session. You configure providers per environment in the dashboard under Social login (Google, GitHub) and National eID (MitID).

Sandbox environments use Torii’s shared OAuth credentials: add the provider in the dashboard and it works immediately. There is no callback URL to register and no client to create. (Sandbox MitID uses synthetic test identities, not real MitID; see the note below.)

Production requires your own OAuth application at each provider. The flow is always the same:

  1. Create an OAuth app in the provider’s console.
  2. Register Torii’s callback URL (below) as the authorized redirect URI.
  3. Paste the resulting Client ID and Client Secret into the dashboard (Social login / National eID → Add provider).

The callback URL is specific to your environment: it’s served on your environment’s own Frontend API host, so it’s a URL on your domain, not a shared Torii host. The dashboard shows the exact URL to register next to each provider’s credential fields (Add provider → Redirect / callback URL).

The shape is:

| Your setup | Callback URL to register |
| --- | --- |
| Custom domain example.com | https://torii.example.com/_torii/auth/oauth2/<provider>/callback |
| No custom domain yet | https://<your-env-slug>.torii.so/_torii/auth/oauth2/<provider>/callback |

Because the callback lives on your environment’s domain, changing your custom domain changes this URL, so update the authorized redirect URI at each provider when you do. (Sandbox uses Torii’s shared credentials, so there’s nothing to register there.)

Google:

  1. In the Google Cloud Console, create an OAuth client ID of type Web application.
  2. Under Authorized redirect URIs, add the Google callback URL above.
  3. Copy the Client ID and Client Secret into the dashboard.

GitHub:

  1. Go to Settings → Developer settings → OAuth Apps → New OAuth App (github.com/settings/developers).
  2. Set Authorization callback URL to the GitHub callback URL above.
  3. Copy the Client ID and generate a Client Secret, then paste both into the dashboard.

Production MitID runs through your own Signicat broker contract, so two extra values are involved:

  1. In your Signicat dashboard, register the MitID callback URL above as the redirect URI on your OIDC client.
  2. Copy the client credentials into the dashboard, plus your Issuer URL (found under your OIDC client details, looks like https://your-tenant.signicat.com/auth/open). Torii fetches the discovery document from it to wire up the rest.

Sandbox MitID uses synthetic test identities. Create one with the MitID test tool, then sign in via Continue with MitID. The simulator’s “scan QR and confirm” step is part of the test flow; no manual approval needed.

A redirect-URI mismatch error from the provider almost always means the callback URL registered there does not exactly match the table above: check the scheme (https), the /_torii/auth/oauth2/ path, and the trailing /<provider>/callback segment.
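
An added example, not part of the Torii docs or Torii's own code: a small Python check that compares the redirect URI registered at a provider with the callback shape documented above and names the component that differs. The function names, the `acme` environment slug and the `github` provider segment are assumptions for illustration; the dashboard shows the exact URL for your environment.

```python
from __future__ import annotations
from urllib.parse import urlsplit

CALLBACK_PREFIX = "/_torii/auth/oauth2/"  # path prefix from the callback table


def expected_callback(host: str, provider: str) -> str:
    """Build the callback URL in the shape the page documents."""
    return f"https://{host}{CALLBACK_PREFIX}{provider}/callback"


def diagnose_redirect_uri(registered: str, host: str, provider: str) -> list[str]:
    """Return why `registered` differs from the expected callback URL.

    An empty list means the two strings are identical, which is what an
    exact-match comparison at the provider requires.
    """
    expected = expected_callback(host, provider)
    if registered == expected:
        return []
    got, want = urlsplit(registered.strip()), urlsplit(expected)
    problems = []
    if registered != registered.strip():
        problems.append("leading or trailing whitespace")
    if got.scheme != want.scheme:
        problems.append(f"scheme is {got.scheme!r}, expected 'https'")
    if got.netloc != want.netloc:
        problems.append(f"host is {got.netloc!r}, expected {want.netloc!r}")
    if not got.path.startswith(CALLBACK_PREFIX):
        problems.append(f"path does not start with {CALLBACK_PREFIX}")
    elif got.path.rstrip("/") != want.path:
        tail = got.path[len(CALLBACK_PREFIX):]
        problems.append(f"path tail is {tail!r}, expected '{provider}/callback'")
    elif got.path != want.path:
        problems.append("trailing slash after /callback")
    if got.query or got.fragment:
        problems.append("query string or fragment present")
    return problems or ["differs from expected (letter case or encoding)"]


if __name__ == "__main__":
    # Constructed sample: the URI still points at the pre-custom-domain host.
    stale = "https://acme.torii.so/_torii/auth/oauth2/github/callback"
    for reason in diagnose_redirect_uri(stale, "torii.example.com", "github"):
        print(reason)
```

Run it against the value copied from the provider console after any custom-domain change; a non-empty result tells you which part of the registered URI to correct.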