Supported Providers
This page is a code-reference view of the authentication providers currently supported by KalamDB.
The list below was verified against the backend enum in:
backend/crates/kalamdb-commons/src/models/oauth_provider.rs
Use this page when you want to know which provider identifiers, username prefixes, and built-in aliases exist in code, even if a full setup guide does not exist yet.
Built-In Providers
| Provider | Canonical name | Prefix | Notable aliases |
|---|---|---|---|
| Keycloak | keycloak | kcl | — |
| Google | google | ggl | — |
| Azure AD / Entra ID | azure_ad | msf | azure, microsoft |
| Amazon Cognito | cognito | cgn | aws_cognito |
| AWS IAM Identity Center | aws_iam | aws | — |
| GitHub | github | ghb | — |
| GitLab | gitlab | glb | — |
| Facebook / Meta | facebook | fbk | meta |
| X | x | xco | twitter |
| Apple | apple | apl | — |
| Firebase | firebase | fbs | google_identity_platform |
| Okta | okta | okt | — |
| Auth0 | auth0 | a0x | — |
| Supabase | supabase | sbs | — |
| OneLogin | onelogin | olg | — |
| Ping Identity | ping_identity | png | ping, pingfederate |
| Salesforce | salesforce | sfc | — |
| Oracle Identity Cloud | oracle | orc | — |
| IBM Security Verify | ibm | ibm | — |
| JumpCloud | jumpcloud | jcl | — |
| Duo | duo | duo | — |
| FusionAuth | fusionauth | fsa | — |
| Authentik | authentik | atk | — |
| Zitadel | zitadel | zit | — |
| Casdoor | casdoor | csd | — |
| Logto | logto | lgt | — |
| Clerk | clerk | clk | — |
| Stytch | stytch | sty | — |
| WorkOS | workos | wos | — |
| Descope | descope | dsc | — |
Custom Providers
KalamDB also supports providers outside the built-in list through Custom(String).
Behavior for custom providers:
- the canonical provider name is the raw string identifier or issuer URL
- the username prefix is the first 3 hex characters of the SHA-256 hash of that identifier
- issuer-based detection falls back to the raw issuer URL when no well-known match is found
That means an unknown but standards-compliant issuer can still work as a trusted external provider.
Username Format
All external provider users map to deterministic usernames in this form:
oidc:{prefix}:{subject}
Examples:
- Keycloak user: oidc:kcl:alice
- Firebase user: oidc:fbs:abc123
- Auth0 user: oidc:a0x:user-uuid
Issuer Detection Notes
The backend also contains issuer-pattern detection for many providers. A few important examples:
- Keycloak: issuer contains keycloak or /realms/
- Firebase: issuer contains securetoken.google.com
- Google: issuer contains accounts.google.com
- Azure AD: issuer contains login.microsoftonline.com or sts.windows.net
- Okta: issuer contains okta.com or oktapreview.com
- X: issuer fallback handles twitter.com or x.com
This detection is what drives automatic provider classification and the 3-character username prefix.
Practical Guidance
- Use the canonical provider name when you manually create OAuth users with WITH OAUTH '{"provider":"...","subject":"..."}'.
- Use the prefix when you need to predict the provider username format before first login.
- If your issuer is not in the built-in list, treat it as a custom provider and verify the generated username after first auth.
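The following is an added example, not KalamDB code: it predicts the username for an issuer and subject from the patterns and prefixes listed on this page, and reports issuers in a trust list that map to the same prefix (custom prefixes have only 4096 possible values). The function names, the pattern match order, and hashing the identifier as UTF-8 with a lowercase hex digest are assumptions, so compare the result with the username the backend actually creates.

```python
import hashlib
from collections import defaultdict

# Issuer substrings and prefixes copied from this page; the match order is an
# assumption. The X fallback is left out because the page does not describe it.
ISSUER_PATTERNS = [
    (("securetoken.google.com",), "fbs"),                        # Firebase
    (("accounts.google.com",), "ggl"),                           # Google
    (("login.microsoftonline.com", "sts.windows.net"), "msf"),   # Azure AD
    (("okta.com", "oktapreview.com"), "okt"),                    # Okta
    (("keycloak", "/realms/"), "kcl"),                           # Keycloak
]

def custom_prefix(identifier: str) -> str:
    """First 3 hex characters of SHA-256 over the raw identifier.
    Assumption: UTF-8 bytes in, lowercase hex digest out."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:3]

def prefix_for_issuer(issuer: str) -> str:
    """Built-in prefix if a listed pattern matches, else the custom hash prefix."""
    for needles, prefix in ISSUER_PATTERNS:
        if any(needle in issuer for needle in needles):
            return prefix
    return custom_prefix(issuer)

def predict_username(issuer: str, subject: str) -> str:
    return f"oidc:{prefix_for_issuer(issuer)}:{subject}"

def shared_prefixes(issuers):
    """Return {prefix: [issuers]} for every prefix used by more than one issuer.
    Under the username format, equal subjects from such issuers yield equal usernames."""
    groups = defaultdict(set)
    for issuer in issuers:
        groups[prefix_for_issuer(issuer)].add(issuer)
    return {p: sorted(g) for p, g in groups.items() if len(g) > 1}

if __name__ == "__main__":
    # Constructed trust list: two Keycloak realms and two custom issuers.
    trusted = [
        "https://sso.example.org/realms/prod",
        "https://sso.example.org/realms/staging",
        "https://idp.partner-a.example",
        "https://login.partner-b.example",
    ]
    for iss in trusted:
        print(predict_username(iss, "alice"), "<-", iss)
    for prefix, group in shared_prefixes(trusted).items():
        print(f"prefix {prefix} is shared by: {', '.join(group)}")
```

Run `shared_prefixes` over the full list of issuers you intend to trust before adding a new one; an empty result means every issuer maps to its own prefix.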