docs(cloud): social sign-in works on any custom domain (off-eTLD no longer requires BYOC)#1132
Conversation
…onger requires BYOC) Layer5 Cloud's server-side OIDC state store (layer5io/meshery-cloud#5420) removed the off-eTLD limitation: a non-BYOC organization on a fully-custom domain can now complete Google/GitHub social sign-in against the deployment's default identity providers. Update the user-facing guidance that said the OAuth buttons are hidden / BYOC is required on a fully-custom domain: - white-labeling: social sign-in works on any custom domain; BYOC reframed as optional (brand, rate limits, SSO, distinct boundary), not a prerequisite for social login. - planning/identity-services: 'BYOC is always optional'; off-eTLD host-class row + security-boundary table corrected. - organizations/configuration-scenarios: 'White-Label (Password-Only)' scenario renamed to 'White-Label' (social sign-in works); old 'White-Label' becomes 'White-Label + BYOC'. The identity-provider-is-the-security-boundary framing is preserved. Signed-off-by: miacycle <184569369+miacycle@users.noreply.github.com>
There was a problem hiding this comment.
Code Review
This pull request updates the documentation to clarify that social sign-in (Google and GitHub) works out of the box on any custom domain using the deployment's default identity providers, making Bring Your Own Credentials (BYOC) always optional. The review feedback focuses on improving formatting consistency across the updated documentation files, specifically recommending the use of em-dashes with spaces instead of hyphens for parenthetical breaks, along with minor punctuation adjustments.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Signed-off-by: Lee Calcote <leecalcote@gmail.com>
Summary
Layer5 Cloud's server-side OIDC state store (layer5io/meshery-cloud#5420) removes the off-eTLD limitation: a non-BYOC organization on a fully-custom domain can now complete Google/GitHub social sign-in against the deployment's default identity providers. Previously the OAuth buttons were hidden on such domains and BYOC was required to get social login.
This updates the user-facing guidance that asserted the old limitation.
Pages updated
Social sign-in on a custom domain: now works on any custom domain; BYOC reframed as optional (own consent-screen brand, OAuth rate limits/audit trail, corporate SSO, distinct authentication boundary), not a prerequisite for social login.When BYOC is optional vs. required→BYOC is always optional; the off-eTLD host-class row and the security-boundary table corrected.White-Label (Password-Only)scenario (which showed social buttons as hidden) renamed toWhite-Label(social sign-in works on shared providers); the oldWhite-LabelbecomesWhite-Label + BYOC.The identity provider is the security boundary framing is preserved throughout; BYOC remains a real, valid, now-purely-optional feature.
Coordination
Pairs with the meshery-cloud change that landed the server-side state store and removed the off-eTLD guard + the OAuth-button-hiding workaround.