Eleven built-in identity providers
Enable only the providers your community uses. Each provider has its own client ID and server-only secret field, exact callback URL, readiness state, scope contract, and configuration-constant fallback.
- Apple
- Microsoft
- GitHub
- Discord
- X
- Amazon
- WordPress.com
- Custom OpenID Connect
No-code account policy
- Allow or block new account creation
- Respect the site registration policy
- Choose the role for new accounts
- Link an existing account only after a verified-email match
- Let members connect and unlink multiple providers
- Prevent a social-only member from removing the last sign-in method
- Choose session memory, redirect, button, error, and connection-panel copy
Security contract
Authorization Code flow uses 256-bit state, browser-bound state cookies, PKCE S256, and OpenID Connect nonce validation. Identity tokens use provider discovery and JWKS, RS256 signature checks, issuer, audience, authorized-party, expiration, not-before, and nonce validation. Callback, authorization, token, user-info, discovery, and JWKS endpoints must use HTTPS in production.
Member account connections
The builder-native Account Settings component can show connected and available providers. A member can add a backup sign-in method or unlink one without contacting an administrator, while lockout protection remains enforced server-side.
Provider keys
The site administrator creates the provider application and supplies its keys. BP Builder Addons provides the callback contract, secure protocol implementation, no-code configuration, documentation, diagnostics, and extension hooks. Apple uses a signed client-secret JWT generated from the Apple Team ID, Key ID, and private key.
