Bell Providers

If you want to write your own provider please see the section at the bottom of this page.

Each provider may specify configuration options that are unique. Any of these unique options are documented here and must be provided during strategy creation. See the API Documentation for all other options.

Provider Documentation

• scope: No default scope
• config: not applicable
• auth: https://www.arcgis.com/sharing/rest/oauth2/authorize
• token: https://www.arcgis.com/sharing/rest/oauth2/token

The default profile response will look like this:

credentials.profile = {
    provider: 'arcgisonline',
    orgId: profile.orgId,
    username: profile.username,
    displayName: profile.fullName,
    name: {
        first: profile.firstName,
        last: profile.lastName
    },
    email: profile.email,
    role: profile.role,
    raw: profile
};

Provider Documentation

• scope: not applicable
• config:
  • domain: Your Auth0 domain name, such as example.auth0.com or example.eu.auth0.com
• auth: /authorize
• token: /oauth/token

To authenticate a user with a specific identity provider directly, use providerParams. For example:

providerParams: {
    connection: 'Username-Password-Authentication'
}

The default profile response will look like this:

credentials.profile = {
    id: profile.user_id,
    email: profile.email,
    displayName: profile.name,
    name: {
        first: profile.given_name,
        last: profile.family_name
    },
    raw: profile
};

Specific fields may vary depending on the identity provider used. For more information, refer to the documentation on user profiles.

Provider Documentation

• scope: not applicable
• config: not applicable
• auth: https://bitbucket.org/site/oauth2/authorize
• token: https://bitbucket.org/site/oauth2/access_token

The default profile response will look like this:

credentials.profile = {
    id: profile.uuid,
    username: profile.username,
    displayName: profile.display_name,
    raw: profile
};

Provider Documentation

• scope: Defaults to ['openid', 'email', 'profile']
• config:
  • uri: Point to your Cognito user pool uri. Intentionally no default as Cognito is organization specific.
• auth: https://your-cognito-user-pool.amazoncognito.com/oauth2/authorize
• token: https://your-cognito-user-pool.amazoncognito.com/oauth2/token

The default profile response will look like this:

credentials.profile = {
    id: profile.sub,
    username: profile.preferred_username,
    displayName: profile.name,
    firstName: profile.given_name,
    lastName: profile.family_name,
    email: profile.email,
    raw: profile
};

Provider Documentation

• scope: defaults to read scope
• config: not applicable
• auth: https://cloud.digitalocean.com/v1/oauth/authorize
• token: https://cloud.digitalocean.com/v1/oauth/token

The default profile response will look like this:

credentials.profile = {
    id: profile.account.uuid,
    email: profile.account.email,
    status: profile.account.status,
    dropletLimit: profile.account.droplet_limit,
    raw: profile.account
};

Provider Documentation

• scope: Defaults to ['email', 'identify']
• config: not applicable
• auth: https://discord.com/api/oauth2/authorize
• token: https://discord.com/api/oauth2/token

The default profile response will look like this:

credentials.profile = {
    id: profile.id,
    discriminator: profile.discriminator,
    username: profile.username,
    email: profile.email,
    mfa_enabled: profile.mfa_enabled,
    verified: profile.verified,
    avatar: {
        id: profile.avatar,
        url: 'https://discord.com/api/users/' + profile.id + '/avatars/' + profile.avatar + '.jpg'
    },
    raw: profile
};

Provider Documentation

• scope: No default scope
• config: not applicable
• auth: https://www.dropbox.com/1/oauth2/authorize
• token: https://api.dropbox.com/1/oauth2/token

The default profile response will look like this:

// default profile response from dropbox

Provider Documentation

• scope: Defaults to ['email']
• config:
  • fields: List of profile fields to retrieve, as described in Facebook's documentation. Defaults to 'id,name,email,first_name,last_name,middle_name,gender,link,locale,timezone,updated_time,verified'.
• auth: https://www.facebook.com/v3.1/dialog/oauth
• token: https://graph.facebook.com/v3.1/oauth/access_token

The default profile response will look like this:

credentials.profile = {
    id: profile.id,
    username: profile.username,
    displayName: profile.name,
    name: {
        first: profile.first_name,
        last: profile.last_name,
        middle: profile.middle_name
    },
    email: profile.email,
    raw: profile
};

Provider Documentation

• scope: Defaults to ['activity', 'profile']
• config: not applicable
• auth: https://www.fitbit.com/oauth2/authorize
• token: https://api.fitbit.com/oauth2/token

The default profile response will look like this:

credentials.profile = {
    id: profile.user.encodedId,
    displayName: profile.user.displayName,
    name: profile.user.fullName
};

Provider Documentation

• scope: No default scope
• config: not applicable
• auth: https://foursquare.com/oauth2/authenticate
• token: https://foursquare.com/oauth2/access_token

The default profile response will look like this:

credentials.profile = {
    id: profile.id,
    displayName: profile.firstName + ' ' + profile.lastName,
    name: {
        first: profile.firstName,
        last: profile.lastName
    },
    email: profile.contact.email,
    raw: profile
};

Provider Documentation

• scope: Defaults to ['user:email']
• config:
  • uri: Point to your github enterprise uri. Defaults to https://github.com.
• auth: /login/oauth/authorize
• token: /login/oauth/access_token

The default profile response will look like this:

credentials.profile = {
    id: profile.id,
    username: profile.login,
    displayName: profile.name,
    email: profile.email,
    raw: profile
};

Provider Documentation

• scope: No default scope.
• config:
  • uri: Point to your gitlab uri. Defaults to https://gitlab.com.
• auth: /oauth/authorize
• token: /oauth/token

The default profile response will look like this:

// Defaults to gitlab response (https://gitlab.com/help/api/users.md#current-user)

Provider Documentation

• scope: Defaults to ['profile', 'email']
• config: not applicable
• auth: https://accounts.google.com/o/oauth2/v2/auth
• token: https://www.googleapis.com/oauth2/v4/token

The default profile response will look like this:

credentials.profile = {
    id: profile.id,
    displayName: profile.name,
    name: {
        given_name: profile.given_name,
        family_name: profile.family_name
    },
    email: profile.email,
    raw: profile
};

Provider Documentation

You must also enable the Google+ API in your profile. Go to APIs & Auth, then APIs and under Social APIs click Google+ API and enable it.

• scope: Defaults to ['profile', 'email']
• config: not applicable
• auth: https://accounts.google.com/o/oauth2/v2/auth
• token: https://www.googleapis.com/oauth2/v4/token

The default profile response will look like this:

credentials.profile = {
    id: profile.id,
    displayName: profile.displayName,
    name: profile.name,
    emails: profile.emails,
    raw: profile
};

Provider Documentation

• scope: Defaults to ['basic']
• config:
  • extendedProfile: Boolean that determines if extended profile information will be fetched
• auth: https://api.instagram.com/oauth/authorize
• token: https://api.instagram.com/oauth/access_token

The default profile response will look like this:

credentials.profile = {
    id: params.user.id,
    username: params.user.username,
    displayName: params.user.full_name,
    raw: params.user
};

// if extendedProfile is true then raw will have access to all the information

Provider Documentation

• scope: Defaults to ['r_basicprofile', 'r_emailaddress']
• config: not applicable
• auth: https://www.linkedin.com/uas/oauth2/authorization
• token: https://www.linkedin.com/uas/oauth2/accessToken

The default profile response will look like this:

credentials.profile = {
    id: profile.id,
    name: {
        first: profile.firstName,
        last: profile.lastName
    },
    email: profile.email,
    headline: profile.headline,
    raw: profile
};

You can request additional profile fields by setting the fields option of providerParams. All possible fields are described in the Basic Profile Fields documentation (see an example on this page under Requesting additional profile fields).

Here is an example of a custom strategy configuration:

providerParams: {
    fields: ':(id,first-name,last-name,positions,picture-url,picture-urls::(original),email-address)'
}

Provider Documentation

• scope: Defaults to ['basicProfile']
• config: not applicable
• auth: https://medium.com/m/oauth/authorize
• token: https://medium.com/v1/tokens

The default profile response will look like this:

credentials.profile = {
    id: profile.data.id,
    username: profile.data.username,
    displayName: profile.data.name,
    raw: profile.data
};

Provider Documentation

• scope: Defaults to ['basic']
• config: not applicable
• auth: https://secure.meetup.com/oauth2/authorize
• token: https://secure.meetup.com/oauth2/access

The default profile response will look like this:

// Defaults to meetup response (http://www.meetup.com/meetup_api/docs/2/member/#get)

Provider Documentation

• scope: Defaults to ['wl.basic', 'wl.emails']
• config: not applicable
• auth: https://login.live.com/oauth20_authorize.srf
• token: https://login.live.com/oauth20_token.srf

The default profile response will look like this:

credentials.profile = {
    id: profile.id,
    username: profile.username,
    displayName: profile.name,
    name: {
        first: profile.first_name,
        last: profile.last_name
    },
    email: profile.emails && (profile.emails.preferred || profile.emails.account),
    raw: profile
};

Provider Documentation

• scope: Defaults to ['user:details:self']
• config: not applicable
• auth: https://mixer.com/oauth/authorize
• token: https://mixer.com/api/v1/oauth/token

The default profile response will look like this:

//Default profile response from Mixer

Provider Documentation

• scope: No default scope
• config: not applicable
• auth: https://home.nest.com/login/oauth2
• token: https://api.home.nest.com/oauth2/access_token

The default profile response will look like this:

// According to the official docs, no user data is available via the Nest
// OAuth service. Therefore, there is no `profile`.

Provider Documentation

• scope: Defaults to ['whoami']
• config:
  • uri: URI of phabricator instance
• auth: /oauthserver/auth/
• token: /oauthserver/token/

The default profile response will look like this:

credentials.profile = {
    id: profile.result.phid,
    username: profile.result.userName,
    displayName: profile.result.realName,
    email: profile.result.primaryEmail,
    raw: profile
};

Provider Documentation

• scope: Defaults to ['openid', 'email']
• config:
  • uri: Point to your Pingfederate enterprise uri. Intentionally no default as Ping is organization specific.
• auth: https://www.example.com:9031/as/authorization.oauth2
• token: https://www.example.com:9031/as/token.oauth2

The default profile response will look like this:

credentials.profile = {
    id: profile.sub,
    username: profile.email,
    displayName: profile.email,
    email: profile.email,
    raw: profile
};

Provider Documentation

• scope: Defaults to ['read_public', 'write_public', 'read_relationships', 'write_relationships']
• config: not applicable
• auth: https://api.pinterest.com/oauth/
• token: https://api.pinterest.com/v1/oauth/token

The default profile response will look like this:

credentials.profile = {
    id: profile.data.id,
    username: profile.data.username,
    name: {
        first: profile.data.first_name,
        last: profile.data.last_name
    },
    raw: profile
};

Provider Documentation

• scope: Defaults to ['identity']
• config: not applicable
• auth: https://www.reddit.com/api/v1/authorize
• token: https://www.reddit.com/api/v1/access_token

The default profile response will look like this:

// Defaults to reddit response

Provider Documentation

• scope: Defaults to ['identify']
• config:
  • extendedProfile: Set to false if all you want is the access_token, without user_id, user, raw, etc...
• auth: https://slack.com/oauth/authorize
• token: https://slack.com/api/oauth.access

To authenticate user in a specific team, use providerParams. For example:

providerParams: {
    team: 'T0XXXXXX'
}

The default profile response will look like this:

credentials.profile = {
  scope: params.scope,
  access_token: params.access_token,
  user: params.user,
  user_id: params.user_id
}

// credentials.profile.raw will contain all of the keys sent by Slack for the `auth.test` method

Provider Documentation

• scope: Defaults to - allowing to read the public information only. Spotify Scopes
• auth: https://accounts.spotify.com/authorize
• token: https://accounts.spotify.com/api/token

Read more about the Spotify Web API's Authorization Flow here: https://developer.spotify.com/web-api/authorization-guide/

The default profile response will look like this:

credentials.profile = {
  id: profile.id,
  username: profile.id,
  displayName: profile.display_name,
  email: profile.email,
  raw: profile
}

Provider Documentation

• scope: not applicable
• config: not applicable
• auth: https://api.trakt.tv/oauth/authorize
• token: https://api.trakt.tv/oauth/token

The default profile response will look like this:

credentials.profile = {
    username: profile.username,
    private: profile.private,
    joined_at: profile.joined_at,
    name: profile.name,
    vip: profile.vip,
    ids: profile.ids,
    location: profile.location,
    about: profile.about,
    gender: profile.gender,
    age: profile.age,
    images: profile.images
};

Provider Documentation

• scope: not applicable
• config:
  • extendedProfile: Request for more profile information
  • getMethod: Twitter API GET method to call when extendedProfile is enabled. Defaults to 'users/show'
  • getParams: Additional parameters to pass to the GET method. For example, the include_email parameter for the account/verify route
• temporary: 'https://api.twitter.com/oauth/request_token'
• auth: https://api.twitter.com/oauth/authenticate
• token: https://api.twitter.com/oauth/access_token

The default profile response will look like this:

credentials.profile = {
    id: params.user_id,
    username: params.screen_name
};

// credentials.profile.raw will contain extendedProfile if enabled

Provider Documentation

• scope: No default scope
• config: not applicable
• auth: https://oauth.vk.com/authorize
• token: https://oauth.vk.com/access_token

The default profile response will look like this:

credentials.profile = {
    id: profile.uid,
    displayName: profile.first_name + ' ' + profile.last_name,
    name: {
        first: profile.first_name,
        last: profile.last_name
    },
    raw: profile
};

Provider Documentation

• scope: not applicable
• config: not applicable
• temporary: https://api.login.yahoo.com/oauth/v2/get_request_token
• auth: https://api.login.yahoo.com/oauth/v2/request_auth
• token: https://api.login.yahoo.com/oauth/v2/get_token

The default profile response will look like this:

credentials.profile = {
    id: profile.profile.guid,
    displayName: profile.profile.givenName + ' ' + profile.profile.familyName,
    name: {
        first: profile.profile.givenName,
        last: profile.profile.familyName
    },
    raw: profile
};

Provider Documentation

• scope: not applicable
• temporary: https://www.tumblr.com/oauth/request_token
• auth: https://www.tumblr.com/oauth/authorize
• token: https://www.tumblr.com/oauth/access_token

The default profile response will look like this:

credentials.profile = {
    username: profile.response.user.name,
    raw: profile.response.user
};

Provider Documentation

• scope: Defaults to 'user_read'
• auth: https://api.twitch.tv/kraken/oauth2/authorize
• token: https://api.twitch.tv/kraken/oauth2/token

The default profile response will look like this:

// default profile response from Twitch

Provider Documentation

• scope: not applicable
• config:
  • uri: Point to your Salesforce org. Defaults to https://login.salesforce.com
  • extendedProfile: Request for more profile information. Defaults to true
  • identityServiceProfile: Determines if the profile information fetch uses the Force.com Identity Service. Defaults to false (UserInfo Endpoint)
• auth: /services/oauth2/authorize
• token: /services/oauth2/token

The default profile response will look like this: UserInfo Response

credentials.profile = {
    "sub": "https://login.salesforce.com/id/00Dx0000000A9y0EAC/005x0000000UnYmAAK",
    "user_id": "005x0000000UnYmAAK",
    "organization_id": "00Dx0000000A9y0EAC",
    "preferred_username": "user@ example.com",
    "nickname": "user",
    "name": "Pat Patterson",
    "email": "user@ example.com",
    "email_verified": true,
    "given_name": "Pat",
    "family_name": "Patterson",
    ...
}

The Force.com Identity profile response will look like this: Force.com Identity Response

credentials.profile = {
    "id":"https://login.salesforce.com/id/00D50000000IZ3ZEAW/00550000001fg5OAAQ",
    "asserted_user":true,
    "user_id":"00550000001fg5OAAQ",
    "organization_id":"00D50000000IZ3ZEAW",
    "username":"user@ example. com",
    "nick_name":"user1.2950476911907334E12",
    "display_name":"Sample User",
    "email":"user@ example. com",
    "email_verified": true,
    "first_name": "Sample",
    "last_name": "User",
    ...
}

Provider Documentation

• scope: defaults to read_only scope
• config: not applicable
• auth: https://connect.stripe.com/oauth/authorize
• token: https://connect.stripe.com/oauth/token

The default profile response will look like this:

credentials.profile = {
    id: profile.id,
    legalName: profile.business_name,
    displayName: profile.display_name,
    email: profile.email,
    raw: profile
};

Provider Documentation

• scope: Defaults to ['openid','offline_access', 'profile']
• config: not applicable
• auth: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
• token: https://login.microsoftonline.com/common/oauth2/v2.0/token

The default profile response will look like this:

credentials.profile = {
    id: profile.Id,
    displayName: profile.DisplayName,
    email: profile.EmailAddress,
    raw: profile
};

Provider Documentation

• scope: Defaults to ['openid', 'email', 'offline_access']
• config:
  • uri: Point to your Okta enterprise uri. Intentionally no default as Okta is organization specific.
  • authorizationServerId: If you are using a custom authorization server you need to pass the alphanumeric ID here.
• auth: https://your-organization.okta.com/oauth2/v1/authorize
• token: https://your-organization.okta.com/oauth2/v1/token

The default profile response will look like this:

credentials.profile = {
    id: profile.sub,
    username: profile.email,
    displayName: profile.nickname,
    firstName: profile.given_name,
    lastName: profile.family_name,
    email: profile.email,
    raw: profile
};

Provider Documentation

• scope: Defaults to 'global'
• auth: /oauth2/authorize
• token: /oauth2/token

The default profile response will look like this:

credentials.profile = {
    id: profile.ID,
    username: profile.username,
    displayName: profile.display_name,
    raw: profile
};

When writing a new provider see existing implementations (in lib/providers) for reference as well as any documentation provided by your provider. You may want to support uri or extendedProfile options depending on your needs.