External Authentication

Users that are not connected to your Peertube instance are joining the chat using “anonymous accounts” (they can freely choose a nickname, and will be assigned a random avatar).

You can enable some external authentication methods to allow user to create chat accounts. In such case their nickname and avatar will be automatically initialized with the remote account information.

Such “external account users” will be easier to moderate than anonymous accounts.

This also allows user to join the chat without creating Peertube account (in case your instance has closed registration for example, or without waiting for account approval).

$Screenshot of a Peertube video page, with a chat on the right. At the\nbottom of the chat, there is a “Log in using an external account”\nbutton.$ $Screenshot of a Peertube video page, with a chat on the right. At the\nbottom of the chat, there is a “Log in using an external account”\nbutton.$

$Screenshot of a dialog with an “OpenID Connect”\nbutton.$ $Screenshot of a dialog with an “OpenID Connect”\nbutton.$

This page will describe available authentication methods.

For the user documentation, see user documentation

OpenID Connect

Warning

This feature is still experimental. This feature is available with the plugin version >= 9.0.0.

You can configure one external OpenID Connect compatible provider.

Doing so, you can for example use your website for Single Sign-On.

Popular CMS softwares (Wordpess, …) offers plugins implementing OpenID Connect.

To enable this feature, first you have to create a client on your provider side (check the related documentation for enabling OpenID Connect). Then go to the plugin settings, and enable “Use an OpenID Connect provider”.

Note: if you want to restrict allowed redirection urls on the provider side (best security practice), the plugin will show you the url to allow. Just copy it in your OpenID Connect application configuration.

You will now have to fill some settings.

Label for the connection button

This label will be displayed to users, as the button label to authenticate with this OIDC provider.

This is the button label in the following screenshot:

$Screenshot of a dialog with an “OpenID Connect”\nbutton.$ $Screenshot of a dialog with an “OpenID Connect”\nbutton.$

For now, it is not possible to localize this label.

Discovery URL

Your OpenID Connect provider must implement the discovery URL. Just set here the discovery url, that should be something like https://example.com/.well-known/openid-configuration.

Note: if your provider use the standard /.well-known/openid-configuration path, you can omit it. For example https://accounts.google.com will work.

Client ID

Your application Client ID.

Client secret

You application Client secret.

Google, Facebook, …

In addition to that, you can also configure one or several “standard” Open ID Connect provider (Google, Facebook, …).

For these providers, discovery url and button label are preset. You just have to create an OAuth2 application on the provider side, and configure Client ID and Client Secret.

If you think of a standard provider that is not available, you can ask for implementation by opening a new issue.

Troubleshooting

If the button does not appear for end users, there might be a configuration issue. You can try the diagnostic tool to get more information.

Note: if you are connected to your Peertube account, the button will never show. So use a private browser window to test.

If the button is displayed but is not working, check your Peertube logs. It could be because the remote service does not use standard scopes or attribute names.

More to come

Other authentication methods will be implemented in the future.