Skip to content

docs(cloud): social sign-in works on any custom domain (off-eTLD no longer requires BYOC)#1132

Merged
fitzergerald merged 2 commits into
masterfrom
docs/oidc-off-etld-social-signin-supported
Jun 30, 2026
Merged

docs(cloud): social sign-in works on any custom domain (off-eTLD no longer requires BYOC)#1132
fitzergerald merged 2 commits into
masterfrom
docs/oidc-off-etld-social-signin-supported

Conversation

@leecalcote

Copy link
Copy Markdown
Member

Summary

Layer5 Cloud's server-side OIDC state store (layer5io/meshery-cloud#5420) removes the off-eTLD limitation: a non-BYOC organization on a fully-custom domain can now complete Google/GitHub social sign-in against the deployment's default identity providers. Previously the OAuth buttons were hidden on such domains and BYOC was required to get social login.

This updates the user-facing guidance that asserted the old limitation.

Pages updated

  • white-labelingSocial sign-in on a custom domain: now works on any custom domain; BYOC reframed as optional (own consent-screen brand, OAuth rate limits/audit trail, corporate SSO, distinct authentication boundary), not a prerequisite for social login.
  • planning/identity-servicesWhen BYOC is optional vs. requiredBYOC is always optional; the off-eTLD host-class row and the security-boundary table corrected.
  • organizations/configuration-scenarios — the White-Label (Password-Only) scenario (which showed social buttons as hidden) renamed to White-Label (social sign-in works on shared providers); the old White-Label becomes White-Label + BYOC.

The identity provider is the security boundary framing is preserved throughout; BYOC remains a real, valid, now-purely-optional feature.

Coordination

Pairs with the meshery-cloud change that landed the server-side state store and removed the off-eTLD guard + the OAuth-button-hiding workaround.

…onger requires BYOC)

Layer5 Cloud's server-side OIDC state store (layer5io/meshery-cloud#5420)
removed the off-eTLD limitation: a non-BYOC organization on a fully-custom
domain can now complete Google/GitHub social sign-in against the
deployment's default identity providers. Update the user-facing guidance
that said the OAuth buttons are hidden / BYOC is required on a fully-custom
domain:

- white-labeling: social sign-in works on any custom domain; BYOC reframed
  as optional (brand, rate limits, SSO, distinct boundary), not a
  prerequisite for social login.
- planning/identity-services: 'BYOC is always optional'; off-eTLD host-class
  row + security-boundary table corrected.
- organizations/configuration-scenarios: 'White-Label (Password-Only)'
  scenario renamed to 'White-Label' (social sign-in works); old 'White-Label'
  becomes 'White-Label + BYOC'.

The identity-provider-is-the-security-boundary framing is preserved.

Signed-off-by: miacycle <184569369+miacycle@users.noreply.github.com>

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the documentation to clarify that social sign-in (Google and GitHub) works out of the box on any custom domain using the deployment's default identity providers, making Bring Your Own Credentials (BYOC) always optional. The review feedback focuses on improving formatting consistency across the updated documentation files, specifically recommending the use of em-dashes with spaces instead of hyphens for parenthetical breaks, along with minor punctuation adjustments.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread content/en/cloud/guides/organizations/configuration-scenarios/index.md Outdated
Comment thread content/en/cloud/guides/self-hosted/planning/identity-services/index.md Outdated
Comment thread content/en/cloud/guides/self-hosted/planning/identity-services/index.md Outdated
Comment thread content/en/cloud/guides/self-hosted/planning/identity-services/index.md Outdated
Comment thread content/en/cloud/guides/self-hosted/white-labeling/_index.md Outdated
Comment thread content/en/cloud/guides/self-hosted/white-labeling/_index.md Outdated
Comment thread content/en/cloud/guides/self-hosted/white-labeling/_index.md Outdated
Comment thread content/en/cloud/guides/self-hosted/white-labeling/_index.md Outdated
@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor
PR Preview Action v1.6.3
Preview removed because the pull request was closed.
2026-06-30 00:47 UTC

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: Lee Calcote <leecalcote@gmail.com>
@fitzergerald fitzergerald merged commit 96de0be into master Jun 30, 2026
2 of 4 checks passed
@fitzergerald fitzergerald deleted the docs/oidc-off-etld-social-signin-supported branch June 30, 2026 00:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants