The Generic OAuth connector provides an OAuth 2.0 integration for authorization servers that are not full identity providers — giving you flexibility to connect services like GitHub, Atlassian, and other platforms that support OAuth but not OpenID Connect.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The Generic OAuth connector supports the OAuth 2.0 authorization code flow for any authorization server that implements the standard token and authorization endpoints. Unlike the Generic OIDC connector, which is designed for full identity providers, this connector targets authorization servers that only implement OAuth 2.0 without OpenID Connect.

Use Cases

  • Integrate non-IDP authorization servers — Connect to services like GitHub, Atlassian, or other platforms that provide OAuth 2.0 authorization but not full OIDC support
  • Access third-party APIs on behalf of users — Obtain OAuth tokens for services where your application needs to call APIs using delegated user authorization
  • Unify authorization across diverse platforms — Bring OAuth-only services into your Identity Fabric alongside OIDC and SAML providers for centralized orchestration

Setup

The OAuth connector supports two configuration approaches. Use wellKnownURL when the authorization server publishes a discovery document, or manually specify the authorizeURL and tokenURL endpoints. These two options are mutually exclusive.

Option 1: Using a well-known discovery URL

maverics.yaml
connectors:
  - name: github
    type: oauth
    clientID: "{{ env.GITHUB_CLIENT_ID }}"
    clientSecret: <vault.github_client_secret>
    wellKnownURL: https://github.com/.well-known/oauth-authorization-server
    loginRedirect:
      urls:
        - https://app.example.com/github/oauth
    scopes: repo

Option 2: Manually specifying authorize and token URLs

maverics.yaml
connectors:
  - name: github
    type: oauth
    clientID: "{{ env.GITHUB_CLIENT_ID }}"
    clientSecret: <vault.github_client_secret>
    authorizeURL: https://github.com/login/oauth/authorize
    tokenURL: https://github.com/login/oauth/access_token
    loginRedirect:
      urls:
        - https://app.example.com/github/oauth
    scopes: repo

Configuration Reference

| Key | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Unique connector identifier referenced in app policies |
| type | string | Yes | Must be oauth |
| clientID | string | Yes | OAuth 2.0 client ID from the authorization server |
| clientSecret | string | Yes | OAuth 2.0 client secret (use secret reference syntax) |
| wellKnownURL | string | Conditional | OAuth discovery endpoint URL. Mutually exclusive with authorizeURL and tokenURL. |
| authorizeURL | string | Conditional | OAuth 2.0 authorization endpoint. Required if wellKnownURL is not set. Mutually exclusive with wellKnownURL. |
| tokenURL | string | Conditional | OAuth 2.0 token endpoint. Required if wellKnownURL is not set. Mutually exclusive with wellKnownURL. |
| loginRedirect.urls | list | Yes | Callback URL(s) where the authorization server redirects users after authorization |
| scopes | string | No | Space-separated OAuth scopes to request |

For the complete field reference including health checks, see Identity Fabric.

Troubleshooting

  • Verify the authorizeURL and tokenURL are accessible from the Orchestrator host — confirm both endpoints respond correctly
  • If using wellKnownURL, ensure the discovery document URL is correct and returns valid JSON with authorization_endpoint and token_endpoint fields
  • Ensure the loginRedirect URLs match exactly what is registered with the authorization server
  • Check that the client secret reference resolves correctly via your secret provider
  • Verify the requested scopes are valid for the authorization server — invalid scopes may cause authorization failures
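
Several of these checks, together with the rules in the configuration reference, can be run against a connector entry before deployment. The following is an added example, not Maverics code: it takes a connector entry already parsed from maverics.yaml into a dict, and check_connector, its parameters, and the secret-reference pattern (modelled on the <vault.github_client_secret> form shown above) are assumptions.

```python
import json
import re
# Assumption: secret references follow the form shown on the page, <vault.github_client_secret>.
SECRET_REF = re.compile(r"^<\w+\.[\w.\-]+>$")

def check_connector(conn, discovery_body=None, registered=()):
    """List problems in one parsed `type: oauth` connector entry (hypothetical helper)."""
    problems = []
    for key in ("name", "type", "clientID", "clientSecret"):
        if not conn.get(key):
            problems.append(f"missing required key: {key}")
    if conn.get("type") != "oauth":
        problems.append("type must be oauth")
    secret = conn.get("clientSecret") or ""
    if secret and not SECRET_REF.match(secret):
        problems.append("clientSecret is a literal, not a secret reference")
    manual = [k for k in ("authorizeURL", "tokenURL") if conn.get(k)]
    if conn.get("wellKnownURL"):
        if manual:
            problems.append("wellKnownURL set together with " + ", ".join(manual))
        if discovery_body is not None:  # text fetched from wellKnownURL
            try:
                doc = json.loads(discovery_body)
            except ValueError:
                doc = None
            if not isinstance(doc, dict):
                problems.append("discovery document is not a JSON object")
            else:
                for field in ("authorization_endpoint", "token_endpoint"):
                    if not doc.get(field):
                        problems.append(f"discovery document lacks {field}")
    elif len(manual) < 2:
        problems.append("set wellKnownURL, or both authorizeURL and tokenURL")
    urls = (conn.get("loginRedirect") or {}).get("urls") or []
    if not urls:
        problems.append("loginRedirect.urls is required")
    for url in urls:
        # Exact string match against the server's registered callbacks.
        if registered and url not in registered:
            problems.append(f"redirect not registered exactly: {url}")
    return problems

# Constructed sample: the page's Option 1 entry plus a stray tokenURL and a literal secret.
SAMPLE = {"name": "github", "type": "oauth", "clientID": "abc123", "clientSecret": "s3cr3t",
          "wellKnownURL": "https://github.com/.well-known/oauth-authorization-server",
          "tokenURL": "https://github.com/login/oauth/access_token",
          "loginRedirect": {"urls": ["https://app.example.com/github/oauth"]}}
if __name__ == "__main__":
    print("\n".join(check_connector(SAMPLE, '{"authorization_endpoint": "https://as.example/a"}')))
```

Pass registered the callback list copied from the authorization server's application settings; a trailing slash is enough to produce a mismatch.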
