Relying Party
When Aero2 acts as a Relying Party (RP), it lets users sign in with external identity providers like GitHub or Google. These endpoints handle the OAuth2 flow with external IdPs.
See RP vs Provider for when Aero2 uses each role.
GET /rp/authorize (No Auth)
Initiates the OAuth flow with an external identity provider. Redirects the user to the provider's authorization endpoint.
| Parameter | Type | Description |
|---|---|---|
| idp* (query) | string | Identity provider name (e.g., "github"). Must match a configured IdP. |
| redirect_uri (query) | string | Where to redirect after login completes |
Response
HTTP 302 → Redirect to external IdP authorization endpoint
GET /rp/callback/:idp (No Auth)
Handles the OAuth callback from an external IdP. Validates state (cookie + DB), exchanges code for token, fetches user info, creates/links local user, and establishes a session.
| Parameter | Type | Description |
|---|---|---|
| idp* (path) | string | The identity provider name (e.g., "github") |
| code* (query) | string | Authorization code from the external IdP |
| state* (query) | string | State parameter for CSRF validation |
Response
HTTP 302 → Redirect to dashboard (with session cookie set) or login on error
GET /rp/userinfo (Session)
Returns profile information for the currently authenticated user (via session cookie).
Response
```json
{
  "id": "user-uuid",
  "email": "jane@example.com",
  "name": "Jane Doe",
  "picture": "https://avatars.githubusercontent.com/u/12345",
  "roles": [
    "user"
  ]
}
```
Flow
- User visits `/rp/authorize?idp=github`
- Aero2 redirects to GitHub's authorization page
- GitHub redirects back to `/rp/callback/github` with a code
- Aero2 exchanges the code, fetches user info, and creates a local session
- User is redirected to the dashboard (or specified `redirect_uri`)
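
The state check that `/rp/callback/:idp` performs (cookie + DB) can be sketched as follows. This is an added example, not Aero2's own code: the function names, the dict standing in for the state table, and the 600-second lifetime are assumptions.

```python
import hmac
import secrets
import time

STATE_TTL_SECONDS = 600  # assumed lifetime; the page does not state one


def begin_authorize(db, idp, redirect_uri=None, now=None):
    """Create a one-time state for /rp/authorize.

    The returned value goes into the redirect to the IdP and into a
    cookie on the user's browser. `db` is a dict standing in for the
    server-side state table (hypothetical storage).
    """
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    db[state] = {"idp": idp, "redirect_uri": redirect_uri,
                 "expires_at": now + STATE_TTL_SECONDS}
    return state


def validate_callback(db, idp, state_param, cookie_state, now=None):
    """Check the state on /rp/callback/:idp.

    Returns the stored record on success, None if any check fails.
    """
    now = time.time() if now is None else now
    if not state_param or not cookie_state:
        return None
    # Cookie check: the callback must arrive in the browser that started
    # the flow. compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(state_param.encode(), cookie_state.encode()):
        return None
    # DB check: the state must be one this server issued. pop() makes it
    # single-use, so a captured callback URL cannot be replayed.
    record = db.pop(state_param, None)
    if record is None:
        return None
    if record["idp"] != idp:        # state was issued for another IdP
        return None
    if now > record["expires_at"]:  # flow took too long
        return None
    return record
```

Only after this returns a record should the handler exchange `code` for a token; on `None` it redirects to login, matching the error path in the callback's response.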