Update OAuth setup documentation and settings template for Apple authentication

Xpirix · Xpirix · commit a7bb9ddc9d49 · 2026-04-08T14:31:51.000+03:00
diff --git a/docs/oauth-setup.md b/docs/oauth-setup.md
@@ -155,15 +155,28 @@ You need an Apple Developer account (<https://developer.apple.com>).
    - Provider: `Apple`
    - Client ID: the **Services ID** identifier (e.g. `org.qgis.plugins.web`)
    - Secret key: your **Team ID** (found top-right in the developer portal, 10 chars)
-   - Key: the **Key ID** shown on the key detail page (10-char identifier, not the `.p8` content)
-   - Settings: paste the following JSON, replacing the value with the full content of your `.p8` file with newlines as `\n`:
-     ```json
-     {
-       "certificate_key": "-----BEGIN PRIVATE KEY-----\nMIGH...\n-----END PRIVATE KEY-----"
-     }
-     ```
+   - Key: paste the full content of the downloaded `.p8` file
+
+   django-allauth uses the Team ID + Key ID + `.p8` content to generate a JWT client secret dynamically. You also need to set **Key ID** in `qgis-app/settings_local.py` (copy from `settings_local.py.templ`):
+
+   ```python
+   SOCIALACCOUNT_PROVIDERS = {
+       "apple": {
+           "APP": {
+               "client_id": "org.qgis.plugins.web",
+               "secret": "TEAM_ID",
+               "key": "KEY_ID",
+               "settings": {
+                   "certificate_key": """-----BEGIN PRIVATE KEY-----
+   ...your .p8 content here...
+   -----END PRIVATE KEY-----"""
+               }
+           }
+       },
+   }
+   ```
 
-   django-allauth uses the Team ID + Key ID + `.p8` content to generate a JWT client secret dynamically. All credentials are stored in the database via Admin — no changes to `settings_local.py` are required for Apple.
+   The other fields (Client ID = Services ID, Secret key = Team ID) can also be stored in the DB via Admin as a fallback, but the `certificate_key` must be in settings.
 
 ---
 
diff --git a/qgis-app/settings_local.py.templ b/qgis-app/settings_local.py.templ
@@ -7,3 +7,44 @@ EMAIL_HOST_USER = "resend"
 EMAIL_HOST_PASSWORD = ""
 EMAIL_SUBJECT_PREFIX = '[QGIS Plugins] '
 DEFAULT_FROM_EMAIL = 'no-reply-plugins@qgis.org'
+
+# -----------------------------------------------------------------------------
+# Social authentication — provider overrides
+# Only add the sections for providers you are configuring.
+# Credentials (Client ID / Secret) are stored in Django Admin, not here.
+# See docs/oauth-setup.md for full setup instructions.
+# -----------------------------------------------------------------------------
+
+SOCIALACCOUNT_PROVIDERS = {
+
+    # GitLab — only needed when connecting to a self-hosted instance.
+    # Remove or leave commented out to use gitlab.com (the default).
+    "gitlab": {
+        "GITLAB_URL": "https://your-gitlab.example.com",
+        "SCOPE": ["read_user"],
+    },
+
+    # Microsoft — set a specific tenant ID to restrict login to one
+    # organisation. Use "common" (default) to allow any Microsoft account.
+    "microsoft": {
+        "tenant": "common",   # or your Directory (tenant) ID
+        "SCOPE": ["User.Read"],
+    },
+
+    # Apple — certificate_key is the content of the .p8 file downloaded
+    # from the Apple Developer portal. key is the Key ID (10 chars).
+    # client_id and secret (Team ID) are stored in Django Admin.
+    "apple": {
+        "APP": {
+            "client_id": "org.your.bundle.web",
+            "secret": "TEAM_ID_10CHARS",
+            "key": "KEY_ID_10CHARS",
+            "settings": {
+                "certificate_key": """-----BEGIN PRIVATE KEY-----
+<paste .p8 content here>
+-----END PRIVATE KEY-----"""
+            },
+        }
+    },
+}
+
