viamrobotics · npentrel · Jan 24, 2025 · Jan 22, 2025 · Jan 22, 2025 · Jan 23, 2025
diff --git a/assets/operate/oauth.png b/assets/operate/oauth.png
diff --git a/docs/dev/tools/cli.md b/docs/dev/tools/cli.md
@@ -1061,6 +1061,14 @@ viam organizations list
 viam organizations api-key create --org-id=<org-id> [--name=<key-name>]
 viam organizations support-email [get|set] --org-id=<org-id> --support-email=<support-email>
 viam organizations logo set --org-id=<org-id> --logo-path=<logo-path>
+viam organization auth-service [enable|disable] --org-id=<org-id>
+viam organization auth-service oauth-app [create|update] --client-authentication [required|unspecified|not_required|not_required_when_using_pkce] \
+    --client-name <client-name> --enabled-grants [password|unspecified|refresh_token|implicit|device_code|authorization_code] \
+    --logout-uri "https://logoipsum.com" --origin-uris https://logoipsum.com \
+    --pkce [required|not_required|unspecified] --redirect-uris https://logoipsum.com/callback \
+    --url-validation [allow_wildcards] --org-id <org-id>
+viam organization auth-service oauth-app [list] --org-id=<org-id>
+viam organization auth-service oauth-app [read|delete] --org-id=<org-id> --client-id <client-id>
 ```
 
 Examples:
@@ -1086,21 +1094,31 @@ See [create an organization API key](#create-an-organization-api-key) for more i
 | `support-email set` | Set the support email for an organization. | - |
 | `logo set` | Upload the logo for an organization from a local file. | - |
 | `billing-service get-config` | Get the billing service config for an organization. | - |
-| `billing-service enable` | Enable the billing service for an organization. | - |
-| `billing-service update` | Update the billing service update for an organization. | - |
-| `billing-service disable` | Disable the billing service for an organization. | - |
+| `billing-service` | Enable, update, or disable the billing service for an organization. | `enable`, `update`, `disable` |
+| `auth-service` | Enable or disable auth-service for OAuth applications. Disabling the auth-service does not delete your OAuth token, it will just take off the custom branding. | `enable`, `disable` |
+| `auth-service oauth-app` | List, create, update, read, or delete OAuth applications. | `create`, `update`, `list`, `read`, `delete` |
 | `--help` | Return help | - |
 
 ##### Named arguments
 
 <!-- prettier-ignore -->
 | Argument | Description | Applicable commands | Required? |
 | -------- | ----------- | ------------------- | --------- |
-| `--org-id` | The organization to perform the command on. | `api-key`, `support-email get`, `support-email set`, `logo set`, `billing-service get-config`, `billing-service enable`, `billing-service update`, `billing-service disable`. | **Required** |
+| `--org-id` | The organization to perform the command on. | `api-key`, `support-email get`, `support-email set`, `logo set`, `billing-service get-config`, `billing-service enable`, `billing-service update`, `billing-service disable`, `auth-service enable`, `auth-service disable`, `auth-service oauth-app create`, `auth-service oauth-app update` `auth-service oauth-app list`, `auth-service oauth-app read`, `auth-service oauth-app delete`. | **Required** |
 | `--name` | The optional name for the organization API key. If omitted, a name will be auto-generated based on your login info and the current time |`api-key` | Optional |
 | `--support-email` | The support email to set for the organization. | `support-email get`, `support-email set` | **Required** |
 | `--logo-path` | The support email to set for the organization. | `logo set` | **Required** |
 | `--address` | The stringified billing address that follows the pattern: line1, line2 (optional), city, state, zipcode. | `billing-service enable`, `billing-service update` | **Required** |
+| `--client-id` | The client ID of the OAuth application. | `auth-service oauth-app read`, `auth-service oauth-app delete`, `auth-service oauth-app update` | **Required |
+| `--client-authentication` | The client authentication policy for the OAuth application. Options: `unspecified`, `required`, `not_required`, `not_required_when_using_pkce`. Default: `unspecified`. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
+| `--client-name` | The name for the OAuth application. | `auth-service oauth-app create`, `auth-service oauth-app update`| **Required** |
+| `--enabled-grants` | Comma-separated enabled grants for the OAuth application. Options: `unspecified`, `refresh_token`, `password`, `implicit`, `device_code`, `authorization_code`. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
+| `--logout-uri` | The logout uri for the OAuth application. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
+| `--org-id` |  The organization ID that is tied to the OAuth application. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
+| `--origin-uris` | Comma-separated origin URIs for the OAuth application. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
+| `--pkce` | pkce for the OAuth application. Options: `unspecified`, `required`, `not_required`, `not_required_when_using_client_authentication`. Default: `unspecified`. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
+| `--redirect-uris` | Comma-separated redirect URIs for the OAuth application. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
+| `--url-validation` | URL validation for the OAuth application. Options: `unspecified`, `exact_match`, `allow_wildcards`. Default: `unspecified`. | `auth-service oauth-app create`, `auth-service oauth-app update` | **Required** |
 
 ### `packages`
 

diff --git a/docs/manage/manage/oauth.md b/docs/manage/manage/oauth.md
@@ -0,0 +1,136 @@
+---
+title: "Authenticate end users with OAuth"
+linkTitle: "OAuth"
+weight: 60
+layout: "docs"
+type: "docs"
+description: "Create a branded login screen for your application."
+images: ["/general/code.png"]
+date: "2025-01-22"
+---
+
+You can use Viam to manage your user authentication.
+This guide will show you how to create a branded login screen.
+
+{{<imgproc src="/operate/oauth.png" resize="1000x" declaredimensions=true alt="Example Oauth screenshot" style="width:600px" class="imgzoom">}}
+
+## Prerequisites
+
+{{< table >}}
+{{% tablestep link="/dev/tools/cli/#organizations" %}}
+**1. Add your logo**
+
+Add a logo to be displayed on the login screen for your organization.
+Your logo can be up to 200KB in size and must be in PNG format.
+
+```sh {class="command-line" data-prompt="$" data-output="2-10"}
+viam organization logo set --logo-path=logo.png --org-id <org-id>
+Successfully set the logo for organization <org-id> to logo at file-path: logo.png
+```
+
+You must have [owner permissions](/manage/manage/rbac/#organization-settings-and-roles) on the organization.
+
+{{% /tablestep %}}
+{{% tablestep link="/dev/tools/cli/#organizations" %}}
+**2. Add support email**
+
+This is the email that will be shown when Viam sends emails to users on your behalf for email verification, password recovery, and other account related emails.
+
+```sh {class="command-line" data-prompt="$" data-output="2-10"}
+viam organization support-email set --support-email [email protected] --org-id <org-id>
+Successfully set support email for organization "<org-id>" to "[email protected]"
+```
+
+{{% /tablestep %}}
+{{< /table >}}
+
+## Set up auth app
+
+{{< table >}}
+{{% tablestep link="/dev/tools/cli/#organizations" %}}
+**1. Enable authentication**
+
+Enable the authentication service for your organization:
+
+```sh {class="command-line" data-prompt="$" data-output="2-10"}
+viam organization auth-service enable --org-id <org-id>
+enabled auth service for organization "<org-id>":
+```
+
+{{% /tablestep %}}
+{{% tablestep link="/dev/tools/cli/#organizations" %}}
+**2. Create OAuth app**
+
+Create your OAuth application for your organization:
+
+```sh {class="command-line" data-prompt="$" data-output="6-10"}
+viam organization auth-service oauth-app create --client-authentication required \
+    --client-name "OAuth Test App" --enabled-grants "password, authorization_code" \
+    --logout-uri "https://logoipsum.com/logout" --origin-uris "https://logoipsum.com,http://localhost:3000" \
+    --pkce not_required --redirect-uris "https://logoipsum.com/oauth-redirect,http://localhost:3000/oauth-redirect" \
+    --url-validation allow_wildcards --org-id <org-id>
+Successfully created OAuth app OAuth Test App with client ID <client-id> and client secret <secret-token>
+```
+
+{{% expand "Click to view more information about arguments." %}}
+
+<!-- prettier-ignore -->
+| Argument | Description | Required? |
+| -------- | ----------- | --------- |
+| `--client-authentication` | The client authentication policy for the OAuth application. Options: `unspecified`, `required`, `not_required`, `not_required_when_using_pkce`. Default: `unspecified`. | **Required** |
+| `--client-name` | The name for the OAuth application. | **Required** |
+| `--enabled-grants` | Comma-separated enabled grants for the OAuth application. Options: `unspecified`, `refresh_token`, `password`, `implicit`, `device_code`, `authorization_code`. | **Required** |
+| `--logout-uri` | The logout uri for the OAuth application. | **Required** |
+| `--org-id` |  The organization ID that is tied to the OAuth application. | **Required** |
+| `--origin-uris` | Comma-separated origin URIs for the OAuth application. | **Required** |
+| `--pkce` | pkce for the OAuth application. Options: `unspecified`, `required`, `not_required`, `not_required_when_using_client_authentication`. Default: `unspecified`. | **Required** |
+| `--redirect-uris` | Comma-separated redirect URIs for the OAuth application. | **Required** |
+| `--url-validation` | URL validation for the OAuth application. Options: `unspecified`, `exact_match`, `allow_wildcards`. Default: `unspecified`. | **Required** |
+
+{{% /expand%}}
+
+{{% /tablestep %}}
+{{% tablestep link="/dev/tools/cli/#organizations" %}}
+**3. See OAuth app**
+
+```sh {class="command-line" data-prompt="$" data-output="2-5,7-20"}
+viam organization auth-service oauth-app list --org-id <org-id>
+OAuth apps for organization "<org-id>":
+
+ - <client-id>
+
+viam organization auth-service oauth-app read --org-id <org-id> --client-id <client-id>
+OAuth config for client ID <client-id>:
+
+Client Authentication: required
+PKCE (Proof Key for Code Exchange): not_required
+URL Validation Policy: allow_wildcards
+Logout URL: https://logoipsum.com/logout
+Redirect URLs: https://logoipsum.com/oauth-redirect, http://localhost:3000/oauth-redirect
+Origin URLs: https://logoipsum.com, http://localhost:3000
+Enabled Grants: authorization_code, password
+```
+
+{{% /tablestep %}}
+{{< /table >}}
+
+You can update any value after setup using `viam organization auth-service oauth-app update`.
+
+## Use the generated client ID and secret in your app
+
+Your authentication is built on top of FusionAuth.
+To continue, use the generated client secret and client ID with the [Fusion Auth SDKs](https://fusionauth.io/docs/sdks/).
+
+For a quick example, see [Get started with FusionAuth in 5 minutes](https://github.com/FusionAuth/fusionauth-example-5-minute-guide).
+
+{{< alert title="Base URL" color="tip" >}}
+
+When using the client ID and client secret, the base URL for your OAuth application is `https://auth.viam.com`.
+
+{{< /alert >}}
+
+## FAQ
+
+### Can I customize my login screen further?
+
+If you need further customization, please [contact us](mailto:[email protected]).