External Identity Providers
Authenticate with Supabase, Firebase, Auth0, and other IdPs
CloudSignal integrates with popular identity providers for seamless authentication.
Supported Providers
- Supabase - Full support with JWT verification
- Firebase - Firebase Auth token validation
- Auth0 - OIDC/JWT integration
- Custom OIDC - Any OpenID Connect compliant provider
Supabase Integration
import { CloudSignalClient } from '@cloudsignal/mqtt-client';
import { createClient } from '@supabase/supabase-js';

const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);

const client = new CloudSignalClient({
  organizationId: 'your-org-id',
  externalAuth: {
    provider: 'supabase',
    getToken: async () => {
      const { data } = await supabase.auth.getSession();
      return data.session?.access_token;
    },
    getUserId: async () => {
      const { data } = await supabase.auth.getUser();
      return data.user?.id;
    }
  }
});
Firebase Integration
import { CloudSignalClient } from '@cloudsignal/mqtt-client';
import { getAuth } from 'firebase/auth';

const auth = getAuth();

const client = new CloudSignalClient({
  organizationId: 'your-org-id',
  externalAuth: {
    provider: 'firebase',
    getToken: async () => {
      const user = auth.currentUser;
      return user ? await user.getIdToken() : null;
    },
    getUserId: () => auth.currentUser?.uid
  }
});
Auth0 Integration
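import { useMemo } from 'react';
import { CloudSignalClient } from '@cloudsignal/mqtt-client';
import { useAuth0 } from '@auth0/auth0-react';

function useCloudSignal() {
  const { getAccessTokenSilently, user } = useAuth0();

  // Memoize so a new client is not constructed on every render;
  // it is rebuilt only when the signed-in user changes.
  const client = useMemo(() => new CloudSignalClient({
    organizationId: 'your-org-id',
    externalAuth: {
      provider: 'auth0',
      getToken: () => getAccessTokenSilently(),
      getUserId: () => user?.sub
    }
  }), [getAccessTokenSilently, user?.sub]);

  return client;
}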
Custom OIDC Provider
For any OIDC-compliant provider:
const client = new CloudSignalClient({
  organizationId: 'your-org-id',
  externalAuth: {
    provider: 'oidc',
    issuer: 'https://your-idp.com',
    audience: 'cloudsignal',
    getToken: async () => {
      // Return JWT from your auth system
      return yourAuthSystem.getAccessToken();
    },
    getUserId: () => yourAuthSystem.getUserId()
  }
});
Backend Configuration
Register your IdP in the CloudSignal dashboard:
- Go to Settings → Authentication
- Click Add Identity Provider
- Select provider type and enter:
  - JWKS URL (for JWT verification)
  - Issuer URL
  - Audience claim
- Map user claims to CloudSignal permissions
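The three values entered above (signing key, issuer, audience) correspond to the checks a verifier runs on every token. The following is an added illustration for Node.js, not CloudSignal's own code: `verifyIdpToken` and `signSample` are hypothetical helpers, a throwaway RSA key pair stands in for a key fetched from the JWKS URL, and the issuer and audience are the placeholder values from the Custom OIDC snippet.

```javascript
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Hypothetical helper: verify an RS256 JWT against one trusted public key
// and the issuer/audience registered for the identity provider.
function verifyIdpToken(token, { publicKey, issuer, audience, nowSec = Math.floor(Date.now() / 1000) }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = fromB64url(parts[0]);
    claims = fromB64url(parts[1]);
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims || typeof header !== 'object' || typeof claims !== 'object') {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm: the token's own header must not be able to select "none" or HS256.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad_alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, publicKey, sig)) return { ok: false, reason: 'bad_signature' };
  // Claims are trusted only after the signature has been checked.
  if (claims.iss !== issuer) return { ok: false, reason: 'bad_issuer' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) return { ok: false, reason: 'bad_audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  return { ok: true, userId: claims.sub };
}

// Constructed sample data: a throwaway key pair in place of the IdP's JWKS key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signSample(claims, header = { alg: 'RS256', typ: 'JWT' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url');
  return `${input}.${sig}`;
}

const NOW = 1700000000; // fixed clock so the sample results are reproducible
const expected = { publicKey, issuer: 'https://your-idp.com', audience: 'cloudsignal', nowSec: NOW };
const base = { iss: 'https://your-idp.com', aud: 'cloudsignal', sub: 'user-123', exp: NOW + 3600 };

console.log(verifyIdpToken(signSample(base), expected));
console.log(verifyIdpToken(signSample({ ...base, aud: 'other-app' }), expected));
```

A correctly signed token minted for a different audience is still rejected, which is why the audience claim is registered alongside the JWKS URL and issuer.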
Token Refresh
External tokens are automatically refreshed using your getToken callback:
const client = new CloudSignalClient({
  organizationId: 'your-org-id',
  externalAuth: {
    provider: 'supabase',
    getToken: async () => {
      // This is called when token needs refresh
      const { data } = await supabase.auth.getSession();
      return data.session?.access_token;
    },
    refreshInterval: 55 * 60 * 1000 // Refresh every 55 minutes
  }
});
Handling Auth State Changes
React to authentication state changes:
// Supabase example
supabase.auth.onAuthStateChange((event, session) => {
  if (event === 'SIGNED_IN') {
    client.connect();
  } else if (event === 'SIGNED_OUT') {
    client.disconnect();
  }
});
Error Handling
client.on('auth:error', (error) => {
  if (error.code === 'TOKEN_EXPIRED') {
    // Redirect to login
    window.location.href = '/login';
  }
});