OAuth Providers

Tracera supports Google, GitHub, and Steam as OAuth/OpenID authentication providers. Each provider is optional — enable only the ones you need.

Google OAuth 2.0

Setup

  1. Go to the Google Cloud Console
  2. Create a new project or select an existing one
  3. Navigate to APIs & Services > Credentials
  4. Click Create Credentials > OAuth 2.0 Client ID
  5. Set application type to Web application
  6. Add authorized redirect URI: {BASE_URL}/api/v1/auth/google/callback
  7. Copy the Client ID and Client Secret

Configuration

GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your-client-secret

Flow

  1. User clicks “Sign in with Google”
  2. Frontend redirects to GET /api/v1/auth/google
  3. Backend generates state parameter and redirects to Google’s authorization endpoint
  4. User authorizes on Google
  5. Google redirects to /api/v1/auth/google/callback with authorization code
  6. Backend exchanges code for tokens, fetches user profile
  7. User is created/matched by email, session is created

GitHub OAuth 2.0

Setup

  1. Go to GitHub Developer Settings
  2. Click New OAuth App
  3. Set the authorization callback URL to: {BASE_URL}/api/v1/auth/github/callback
  4. Copy the Client ID and generate a Client Secret

Configuration

GITHUB_CLIENT_ID=your-client-id
GITHUB_CLIENT_SECRET=your-client-secret

Flow

Same as Google OAuth, but using GitHub’s authorization endpoints. GitHub provides the user’s email, name, and avatar.

Steam OpenID 2.0

Steam uses OpenID 2.0 (not OAuth) for authentication. It has two modes:

Login Mode (Unauthenticated)

For users who want to sign in with Steam as their primary auth method:
  • Endpoint: GET /api/v1/auth/steam/login
  • Callback: GET /api/v1/auth/steam/login/callback
  • Creates a new account or signs into existing one

Linking Mode (Authenticated)

For users who already have an account and want to link their Steam identity (required for portfolio import):
  • Endpoint: GET /api/v1/auth/steam (requires active session)
  • Callback: GET /api/v1/auth/steam/callback
  • Links the Steam identity to the existing account

Setup

  1. Get a Steam Web API key from Steam Developer
  2. Set the domain to your application’s domain

Configuration

STEAM_API_KEY=your-steam-api-key
STEAM_OPENID_ENABLED=true  # default: true

Security

Steam OpenID responses are validated for:
  • HTTPS scheme on claimed ID
  • Correct host (steamcommunity.com)
  • Expected path format (/openid/id/{steamid64})
  • Numeric SteamID64 format
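
The four checks listed above, written out as an added Python example (not Tracera's own code; the function and constant names are hypothetical). As an assumption beyond the list, it also rejects userinfo, explicit ports, query strings, fragments, and IDs outside the 64-bit range.

```python
import re
from urllib.parse import urlsplit

STEAM_HOST = "steamcommunity.com"
# Exactly /openid/id/<ASCII digits>: no trailing slash, no extra segments.
# 20 digits is the longest decimal form of an unsigned 64-bit value.
CLAIMED_ID_PATH = re.compile(r"/openid/id/([0-9]{1,20})")
MAX_U64 = 2**64 - 1


def parse_steam_claimed_id(claimed_id):
    """Return the SteamID64 in an openid.claimed_id, or raise ValueError."""
    # urlsplit() silently drops tabs and newlines, so reject them (and any
    # other non-printable or non-ASCII character) before parsing.
    if not re.fullmatch(r"[\x21-\x7e]+", claimed_id):
        raise ValueError("unexpected characters in claimed ID")
    if "?" in claimed_id or "#" in claimed_id:
        raise ValueError("unexpected query or fragment")
    try:
        parts = urlsplit(claimed_id)
    except ValueError as exc:
        raise ValueError("malformed URL") from exc
    if parts.scheme != "https":
        raise ValueError("claimed ID must use https")
    # Compare the whole authority, not just the hostname, so userinfo
    # ("steamcommunity.com@other.example") and explicit ports are rejected.
    if parts.netloc.lower() != STEAM_HOST:
        raise ValueError("unexpected host")
    match = CLAIMED_ID_PATH.fullmatch(parts.path)
    if match is None:
        raise ValueError("unexpected path format")
    steam_id = int(match.group(1))
    if steam_id > MAX_U64:
        raise ValueError("SteamID64 out of 64-bit range")
    return steam_id


def is_valid_claimed_id(claimed_id):
    """Boolean wrapper for callers that do not need the rejection reason."""
    try:
        parse_steam_claimed_id(claimed_id)
        return True
    except ValueError:
        return False
```

These are format checks on the claimed ID only; the OpenID assertion itself still has to be verified with the provider before the ID is trusted.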

Disabling Providers

Each provider is automatically disabled if its credentials are not set:
  • Google: Disabled if GOOGLE_CLIENT_ID or GOOGLE_CLIENT_SECRET is empty
  • GitHub: Disabled if GITHUB_CLIENT_ID or GITHUB_CLIENT_SECRET is empty
  • Steam: Disabled if STEAM_OPENID_ENABLED is false

The login page dynamically shows only the available providers.