Single Sign-On
Configure SSO with Clerk-powered authentication including OAuth providers, session management, and organization-level access control
Flow uses Clerk as its authentication and identity platform, providing enterprise-grade single sign-on (SSO) capabilities out of the box. Users authenticate through Clerk's managed sign-in flow with support for multiple OAuth providers and organization-level access control.
Overview
Flow's SSO integration provides:
- Managed Authentication - Clerk handles all authentication flows securely
- OAuth Providers - Sign in with Google, GitHub, Microsoft, and other providers
- Session Management - Secure session handling with automatic refresh
- Organization Sync - Automatic provisioning of users and organizations
- Role-Based Access - User roles synced between Clerk and Flow
Authentication Flow
Sign Up
- Navigate to the Flow sign-up page
- Choose an authentication method:
  - Email/Password - Traditional credential-based sign-up
  - OAuth Provider - Sign in with Google, GitHub, or other configured providers
- Complete email verification if required
- Clerk creates the user identity and session
- Flow automatically provisions the user record and organization
Sign In
- Navigate to the Flow sign-in page
- Authenticate using your configured method
- Clerk validates credentials and establishes a session
- Flow loads the user's organization context and permissions
Session Management
- Sessions are managed by Clerk with secure token handling
- Automatic token refresh ensures uninterrupted access
- Sessions expire based on configured timeout policies
- Users can sign out from any device
Organization Provisioning
When a user signs in for the first time, Flow automatically:
- Checks if the user exists in Flow's database
- Creates or updates the user record with Clerk identity data
- Associates the user with their organization
- Assigns the appropriate role (Admin for first user, configurable for subsequent users)
Data Synced from Clerk
| Field | Description |
|---|---|
| Clerk ID | Unique identifier from Clerk |
| Email | User's email address |
| Name | Display name |
| Organization | Associated organization |
| Role | Assigned role within Flow |
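
The provisioning steps and synced fields above, sketched as an added example (not Flow's or Clerk's own code). The SQLite schema, the `provision_user` and `open_db` names, the `Member` default role, and the reading of "first user" as first user in the organization are all assumptions; the identity data is taken to be already verified by Clerk.

```python
import sqlite3

DEFAULT_ROLE = "Member"  # assumption: the page only says this role is "configurable"

def open_db(path=":memory:"):
    # isolation_level=None: transactions are opened and closed explicitly below
    db = sqlite3.connect(path, isolation_level=None)
    db.execute("""CREATE TABLE IF NOT EXISTS users (
        clerk_id TEXT PRIMARY KEY,  -- stable key; an email address can change
        email TEXT NOT NULL, name TEXT, org_id TEXT NOT NULL, role TEXT NOT NULL)""")
    return db

def provision_user(db, identity, default_role=DEFAULT_ROLE):
    """Create or update the user for already-verified identity data; return the role."""
    # BEGIN IMMEDIATE takes the write lock first, so two concurrent first
    # sign-ins cannot both see an empty organization and both become Admin.
    db.execute("BEGIN IMMEDIATE")
    try:
        row = db.execute("SELECT role FROM users WHERE clerk_id = ?",
                         (identity["clerk_id"],)).fetchone()
        if row:
            # Returning user: refresh profile fields only. Keeping the stored
            # role and organization is a choice made for this example.
            db.execute("UPDATE users SET email = ?, name = ? WHERE clerk_id = ?",
                       (identity["email"], identity["name"], identity["clerk_id"]))
            role = row[0]
        else:
            members = db.execute("SELECT COUNT(*) FROM users WHERE org_id = ?",
                                 (identity["org_id"],)).fetchone()[0]
            # Assumption: "first user" means first user in that organization.
            role = "Admin" if members == 0 else default_role
            db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                       (identity["clerk_id"], identity["email"], identity["name"],
                        identity["org_id"], role))
        db.execute("COMMIT")
        return role
    except Exception:
        db.execute("ROLLBACK")
        raise

if __name__ == "__main__":
    db = open_db()
    # Constructed sample identities, not real Clerk data
    for cid, org in [("user_a", "org_1"), ("user_b", "org_1"), ("user_c", "org_2")]:
        ident = {"clerk_id": cid, "email": cid + "@example.com", "name": cid, "org_id": org}
        print(cid, org, provision_user(db, ident))
```

Keying on the Clerk ID rather than the email keeps a changed address from creating a second account, and the role decision sits inside the same transaction as the membership count.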
Supported Providers
Clerk supports a wide range of OAuth providers that can be configured for your Flow deployment:
- Google - Google Workspace and personal accounts
- GitHub - Developer-focused authentication
- Microsoft - Azure AD and Microsoft accounts
- Apple - Apple ID authentication
- Additional Providers - Configurable through Clerk's dashboard
Configuring Providers
OAuth providers are configured through the Clerk Dashboard:
- Navigate to your Clerk application settings
- Enable desired OAuth providers under Social Connections
- Configure client IDs and secrets for each provider
- Set redirect URLs to your Flow deployment
- Users will see enabled providers on the sign-in page
Security Features
Built-in Protections
- CSRF Protection - Cross-site request forgery prevention on all auth endpoints
- Rate Limiting - Protection against brute force and credential stuffing
- Secure Sessions - HttpOnly, Secure, SameSite cookie configuration
- Token Rotation - Automatic rotation of session tokens
Multi-Factor Authentication
Clerk supports MFA options that can be enabled for your organization:
- TOTP - Time-based one-time passwords (Google Authenticator, Authy)
- SMS - SMS-based verification codes
- Backup Codes - Recovery codes for account access
Best Practices
- Enable MFA - Require multi-factor authentication for all users, especially administrators
- Use OAuth - Prefer OAuth providers over email/password for enterprise environments
- Review Sessions - Periodically audit active sessions and revoke stale access
- Least Privilege - Assign the minimum role needed for each user's responsibilities
- Monitor Sign-ins - Review Clerk's authentication logs for suspicious activity