getgeolens.com

Create OAuth Provider

POST
/settings/oauth-providers/
curl --request POST \
--url https://example.com/api/settings/oauth-providers/ \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '{ "slug": "example", "display_name": "example", "provider_type": "google", "client_id": "example", "client_secret": "example", "discovery_url": "example", "authorize_url": "example", "token_url": "example", "userinfo_url": "example", "idp_entity_id": "example", "idp_sso_url": "example", "idp_certificate": "example", "sp_entity_id": "example", "scopes": "openid profile email", "default_role": "viewer", "group_claim": "example", "group_role_mapping": {}, "enabled": true }'

Create a new OAuth or SAML provider (admin only).

Audit-log payload includes the full created snapshot with non-secret fields verbatim and <redacted> markers for secrets that were submitted in the request body (SAML-12 / Pitfall 9 / T-217-03-AUDIT-LEAK).

Media type application/json
OAuthProviderCreate

Schema for creating a new OAuth provider.

object
slug
required
Slug

URL-safe identifier used in callback URLs (e.g. ‘google’, ‘azure-ad’). Lowercase, digits, and hyphens only.

string
>= 1 characters <= 50 characters /^[a-z0-9-]+$/
display_name
required
Display Name

Human-readable label shown on the login page button.

string
>= 1 characters <= 100 characters
provider_type
required
Provider Type

OAuth or SAML provider type. ‘google’ and ‘microsoft’ auto-populate the discovery URL; ‘oidc’ is generic OAuth/OIDC; ‘saml’ enables SAML SSO (requires enterprise edition).

string
Allowed values: google microsoft oidc saml
client_id
Any of:
string
<= 500 characters
client_secret
Any of:
string
<= 1000 characters
discovery_url
Any of:
string
<= 512 characters
authorize_url
Any of:
string
<= 512 characters
token_url
Any of:
string
<= 512 characters
userinfo_url
Any of:
string
<= 512 characters
idp_entity_id
Any of:
string
<= 512 characters
idp_sso_url
Any of:
string
<= 512 characters
idp_certificate
Any of:
string
sp_entity_id
Any of:
string
<= 512 characters
scopes
Scopes

Space-separated OAuth scopes.

string
default: openid profile email <= 500 characters
default_role
Default Role

Role assigned to new users created via this provider: ‘viewer’, ‘editor’, or ‘admin’.

string
default: viewer <= 50 characters
group_claim
Any of:
string
<= 100 characters
group_role_mapping
Any of:
object
key
additional properties
any
enabled
Enabled

Whether the provider button appears on the login page.

boolean
default: true
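The following is an added illustration, not code from the getgeolens.com project: it applies the OAuthProviderCreate constraints listed above to a constructed request body and then builds the audit-log snapshot the description calls for, keeping non-secret fields verbatim and replacing only the secrets that were actually submitted (client_secret, idp_certificate) with a <redacted> marker. How unsubmitted secrets are represented in the real audit record is not stated on the page; the example omits them (an assumption).

```python
import re

SLUG_RE = re.compile(r"^[a-z0-9-]{1,50}$")
PROVIDER_TYPES = {"google", "microsoft", "oidc", "saml"}
ROLES = {"viewer", "editor", "admin"}
# Write-only credentials named in the schema; never recorded verbatim.
SECRET_FIELDS = {"client_secret", "idp_certificate"}
REDACTED = "<redacted>"


def validate_provider_create(body: dict) -> dict:
    """Apply the OAuthProviderCreate constraints listed above and fill defaults."""
    if not SLUG_RE.fullmatch(body.get("slug", "")):
        raise ValueError("slug: 1-50 chars, lowercase letters, digits and hyphens only")
    if not 1 <= len(body.get("display_name", "")) <= 100:
        raise ValueError("display_name: 1-100 characters")
    if body.get("provider_type") not in PROVIDER_TYPES:
        raise ValueError("provider_type: google, microsoft, oidc or saml")
    if body.get("default_role", "viewer") not in ROLES:
        raise ValueError("default_role: viewer, editor or admin")
    created = dict(body)
    created.setdefault("scopes", "openid profile email")
    created.setdefault("default_role", "viewer")
    created.setdefault("enabled", True)
    return created


def audit_snapshot(created: dict, submitted: dict) -> dict:
    """Audit-log view of the created provider: non-secret fields verbatim,
    each secret that was present in the request body replaced by <redacted>.
    Assumption: secrets that were not submitted are omitted from the snapshot."""
    snap = {}
    for key, value in created.items():
        if key in SECRET_FIELDS:
            if submitted.get(key) is not None:
                snap[key] = REDACTED
            continue
        snap[key] = value
    return snap


def create_provider_demo() -> dict:
    # Constructed request body modelled on the curl sample above (not real data).
    body = {"slug": "azure-ad", "display_name": "Azure AD", "provider_type": "oidc",
            "client_id": "abc123", "client_secret": "s3cr3t-value",
            "discovery_url": "https://login.example/.well-known/openid-configuration"}
    created = validate_provider_create(body)
    return audit_snapshot(created, body)
```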

Successful Response

Media type application/json
OAuthProviderResponse

Response schema for OAuth/SAML provider.

Write-only credentials are never exposed:

  • client_secret_encrypted (OAuth client secret) — excluded.
  • idp_certificate (SAML IdP signing cert, Fernet-encrypted at rest) — excluded.

The 3 non-secret SAML fields (idp_entity_id, idp_sso_url, sp_entity_id) ARE exposed so the admin UI can display them.

Pitfall 11 interaction: those 3 fields are declared with deferred=True on the OAuth ORM model so community DBs (which lack the columns) do not crash on SELECT. Pydantic’s from_attributes=True would normally trigger an implicit deferred load on attribute access, which fails under FastAPI’s async context with MissingGreenlet. The model_validator(mode="before") below reads the SAML fields directly from obj.__dict__ so unloaded attributes default to None instead of triggering IO. SAML admin endpoints that need the values must use undefer_group("saml") at query time.
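An added, standard-library-only illustration of the Pitfall 11 point above (not the project's Pydantic model): a toy stand-in for the ORM row keeps deferred SAML columns out of __dict__ until loaded and raises a constructed MissingGreenlet on attribute access, so reading from obj.__dict__ yields None for a community-edition row while plain getattr fails. The class and field names are assumptions modelled on the response schema.

```python
SAML_FIELDS = ("idp_entity_id", "idp_sso_url", "sp_entity_id")


class MissingGreenlet(Exception):
    """Constructed stand-in for the SQLAlchemy async error named above."""


class FakeOAuthProvider:
    """Toy ORM row: deferred columns are absent from __dict__ until loaded;
    touching them as attributes emulates the implicit deferred load."""

    def __init__(self, loaded: dict):
        self.__dict__.update(loaded)  # only the columns the SELECT fetched

    def __getattr__(self, name):
        # Reached only when `name` is not in __dict__.
        if name in SAML_FIELDS:
            raise MissingGreenlet(f"implicit IO while loading {name}")
        raise AttributeError(name)


def saml_fields_before_validation(obj) -> dict:
    """What a model_validator(mode='before') does here: read the SAML fields
    straight from obj.__dict__ so unloaded columns default to None."""
    state = vars(obj)  # obj.__dict__; never triggers a deferred load
    data = {k: v for k, v in state.items() if not k.startswith("_")}
    for field in SAML_FIELDS:
        data[field] = state.get(field)
    return data


def naive_attribute_access(obj) -> dict:
    """The from_attributes=True default: getattr on every declared field."""
    return {field: getattr(obj, field) for field in SAML_FIELDS}


def community_row() -> FakeOAuthProvider:
    # Constructed: a row from a DB without the SAML columns, SAML group not undeferred.
    return FakeOAuthProvider({"id": "c1", "slug": "google", "provider_type": "google"})


def enterprise_row() -> FakeOAuthProvider:
    # Constructed: a row loaded with undefer_group("saml") applied at query time.
    return FakeOAuthProvider({"id": "e1", "slug": "okta", "provider_type": "saml",
                              "idp_entity_id": "urn:idp.example",
                              "idp_sso_url": "https://idp.example/sso",
                              "sp_entity_id": "urn:sp.example"})
```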

object
id
required
Id

Unique provider identifier.

string format: uuid
slug
required
Slug

URL-safe identifier used in the callback URL.

string
display_name
required
Display Name

Label shown on the login page button.

string
provider_type
required
Provider Type

Provider type: ‘google’, ‘microsoft’, ‘oidc’, or ‘saml’.

string
client_id
Any of:
string
discovery_url
Any of:
string
authorize_url
Any of:
string
token_url
Any of:
string
userinfo_url
Any of:
string
idp_entity_id
Any of:
string
idp_sso_url
Any of:
string
sp_entity_id
Any of:
string
scopes
required
Scopes

Space-separated OAuth scopes.

string
default_role
required
Default Role

Default role assigned to new users.

string
group_claim
Any of:
string
group_role_mapping
Any of:
object
key
additional properties
any
enabled
required
Enabled

Whether the provider button appears on the login page.

boolean
created_at
required
Created At

Timestamp the provider was created.

string format: date-time
updated_at
required
Updated At

Timestamp the provider was last updated.

string format: date-time
Example generated
{
"id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
"slug": "example",
"display_name": "example",
"provider_type": "example",
"client_id": "example",
"discovery_url": "example",
"authorize_url": "example",
"token_url": "example",
"userinfo_url": "example",
"idp_entity_id": "example",
"idp_sso_url": "example",
"sp_entity_id": "example",
"scopes": "example",
"default_role": "example",
"group_claim": "example",
"group_role_mapping": {},
"enabled": true,
"created_at": "2026-04-15T12:00:00Z",
"updated_at": "2026-04-15T12:00:00Z"
}

Bad request — invalid query parameters or payload

Unauthorized — missing or invalid credentials

Forbidden — caller lacks access to this resource

Not found

Validation error

Internal server error