From 32d19cbe7c583a2c53f59181839065cbf7ab55b6 Mon Sep 17 00:00:00 2001
From: Riccardo Graziosi <31478034+riggraz@users.noreply.github.com>
Date: Tue, 5 Mar 2024 18:13:16 +0100
Subject: [PATCH] Add the possibility to enable/disable default OAuths (#303)

---
 app/assets/stylesheets/common/_index.scss     |  10 +-
 .../SiteSettings/Authentication/index.scss    |   6 +
 .../stylesheets/components/TenantSignUp.scss  |   4 +
 app/controllers/likes_controller.rb           |   2 +-
 app/controllers/o_auths_controller.rb         |  40 ++++--
 .../tenant_default_o_auths_controller.rb      |  35 ++++++
 app/controllers/tenants_controller.rb         |   5 +-
 .../actions/OAuth/updateDefaultOAuth.ts       |  75 ++++++++++++
 .../AuthenticationIndexPage.tsx               |   3 +
 .../AuthenticationSiteSettingsP.tsx           |   7 ++
 .../Authentication/OAuthProviderItem.tsx      |  87 +++++++------
 .../Authentication/OAuthProvidersList.tsx     |   3 +
 .../components/TenantSignUp/TenantSignUpP.tsx |  26 ++--
 .../TenantSignUp/UserSignUpForm.tsx           | 114 ++++++++++--------
 .../common/CopyToClipboardButton.tsx          |   3 +-
 .../containers/AuthenticationSiteSettings.tsx |   5 +
 app/javascript/interfaces/IOAuth.ts           |   4 +
 app/javascript/reducers/oAuthsReducer.ts      |  19 ++-
 app/models/o_auth.rb                          |  23 +++-
 app/models/tenant.rb                          |   7 +-
 app/models/tenant_default_o_auth.rb           |  11 ++
 ...exchange_auth_code_for_profile_workflow.rb |  24 ++--
 app/workflows/o_auth_sign_in_user_workflow.rb |   1 -
 config/routes.rb                              |   4 +-
 ...303103945_create_tenant_default_o_auths.rb |  10 ++
 db/schema.rb                                  |  13 +-
 spec/factories/o_auths.rb                     |  15 +++
 spec/factories/tenant_default_o_auths.rb      |   6 +
 spec/models/tenant_default_o_auth_spec.rb     |  14 +++
 .../site_settings_authentication_spec.rb      |  14 +++
 spec/system/user_o_auth_sign_up_and_log_in.rb |  49 ++++++++
 31 files changed, 508 insertions(+), 131 deletions(-)
 create mode 100644 app/controllers/tenant_default_o_auths_controller.rb
 create mode 100644 app/javascript/actions/OAuth/updateDefaultOAuth.ts
 create mode 100644 app/models/tenant_default_o_auth.rb
 create mode 100644 db/migrate/20240303103945_create_tenant_default_o_auths.rb
 create mode 100644 spec/factories/tenant_default_o_auths.rb
 create mode 100644 spec/models/tenant_default_o_auth_spec.rb
 create mode 100644 spec/system/user_o_auth_sign_up_and_log_in.rb

diff --git a/app/assets/stylesheets/common/_index.scss b/app/assets/stylesheets/common/_index.scss
index 27249b76..bc8b4bee 100644
--- a/app/assets/stylesheets/common/_index.scss
+++ b/app/assets/stylesheets/common/_index.scss
@@ -269,7 +269,15 @@ body {
     .btn-block,
     .btn-outline-dark,
     .mt-2,
-    .mb-2;
+    .mb-2,
+    .p-0;
+
+  height: 38px;
+
+  &:hover {
+    background-color: white;
+    color: var(--astuto-black);
+  }
 
   .oauthProviderText {
     @extend .ml-2;
diff --git a/app/assets/stylesheets/components/SiteSettings/Authentication/index.scss b/app/assets/stylesheets/components/SiteSettings/Authentication/index.scss
index 2b28fa0a..0292d7a7 100644
--- a/app/assets/stylesheets/components/SiteSettings/Authentication/index.scss
+++ b/app/assets/stylesheets/components/SiteSettings/Authentication/index.scss
@@ -38,6 +38,12 @@
 
         align-self: center;
       }
+
+      .defaultOAuthDiv {
+        @extend .d-flex;
+
+        .defaultOAuthLabel { @extend .align-self-center; }
+      }
     }
   }
 }
diff --git a/app/assets/stylesheets/components/TenantSignUp.scss b/app/assets/stylesheets/components/TenantSignUp.scss
index 335173f5..f77644c0 100644
--- a/app/assets/stylesheets/components/TenantSignUp.scss
+++ b/app/assets/stylesheets/components/TenantSignUp.scss
@@ -10,6 +10,10 @@
     text-align: center;
     margin-bottom: 16px;
   }
+
+  .emailAuth {
+    @extend .mt-2, .mb-2;
+  }
   
   .userConfirm, .tenantConfirm {
     display: block;
diff --git a/app/controllers/likes_controller.rb b/app/controllers/likes_controller.rb
index 091e9188..f87210f4 100644
--- a/app/controllers/likes_controller.rb
+++ b/app/controllers/likes_controller.rb
@@ -11,7 +11,7 @@ class LikesController < ApplicationController
       .left_outer_joins(:user)
       .where(post_id: params[:post_id])
 
-      render json: likes
+    render json: likes
   end
 
   def create
diff --git a/app/controllers/o_auths_controller.rb b/app/controllers/o_auths_controller.rb
index f5837ee6..3a618271 100644
--- a/app/controllers/o_auths_controller.rb
+++ b/app/controllers/o_auths_controller.rb
@@ -5,12 +5,16 @@ class OAuthsController < ApplicationController
 
   before_action :authenticate_admin, only: [:index, :create, :update, :destroy]
 
-  TOKEN_STATE_SEPARATOR = '-'
+  TOKEN_STATE_SEPARATOR = ','
 
   # [subdomain.]base_url/o_auths/:id/start?reason=login|test|tenantsignup
   # Generates authorize url with required parameters and redirects to provider
   def start
-    @o_auth = OAuth.unscoped.include_defaults.find(params[:id])
+    if params[:reason] == 'tenantsignup'
+      @o_auth = OAuth.include_only_defaults.find(params[:id])
+    else
+      @o_auth = OAuth.include_defaults.find(params[:id])
+    end
     
     return if params[:reason] != 'test' and not @o_auth.is_enabled?
 
@@ -31,15 +35,17 @@ class OAuthsController < ApplicationController
     return unless cookies[:token_state] == params[:state]
     cookies.delete(:token_state, domain: ".#{request.domain}")
 
-    @o_auth = OAuth.unscoped.include_defaults.find(params[:id])
+    # if it is a default oauth, tenant is not yet set
+    Current.tenant ||= Tenant.find_by(subdomain: tenant_domain)
+
+    if reason == 'tenantsignup'
+      @o_auth = OAuth.include_only_defaults.find(params[:id])
+    else
+      @o_auth = OAuth.include_defaults.find(params[:id])
+    end
 
     return if reason != 'test' and not @o_auth.is_enabled?
 
-    # If it is a default OAuth we need to set the tenant
-    if @o_auth.is_default?
-      Current.tenant = Tenant.find_by(subdomain: tenant_domain)
-    end
-
     user_profile = OAuthExchangeAuthCodeForProfileWorkflow.new(
       authorization_code: params[:code],
       o_auth: @o_auth
@@ -80,12 +86,20 @@ class OAuthsController < ApplicationController
 
     elsif reason == 'tenantsignup'
 
-      @o_auths = []
+      @o_auths = @o_auths = OAuth.unscoped.where(tenant_id: nil, is_enabled: true)
+
       @user_email = query_path_from_object(user_profile, @o_auth.json_user_email_path)
       if not @o_auth.json_user_name_path.blank?
         @user_name = query_path_from_object(user_profile, @o_auth.json_user_name_path)
       end
-      @o_auth_login_completed = true
+
+      @o_auth_login_completed = (not @user_email.blank?)
+
+      if not @o_auth_login_completed
+        flash[:alert] = I18n.t('errors.o_auth_login_error', name: @o_auth.name)
+        redirect_to signup_url
+        return
+      end
 
       session[:o_auth_sign_up] = "#{@user_email},#{@user_name}"
 
@@ -124,7 +138,9 @@ class OAuthsController < ApplicationController
   def index
     authorize OAuth
 
-    @o_auths = OAuth.include_defaults.order(created_at: :asc)
+    @o_auths = OAuth
+      .include_all_defaults
+      .order(tenant_id: :asc, created_at: :asc)
 
     render json: to_json_custom(@o_auths)
   end
@@ -175,7 +191,7 @@ class OAuthsController < ApplicationController
 
     def to_json_custom(o_auth)
       o_auth.as_json(
-        methods: :callback_url,
+        methods: [:callback_url, :default_o_auth_is_enabled],
         except: [:client_secret]
       )
     end
diff --git a/app/controllers/tenant_default_o_auths_controller.rb b/app/controllers/tenant_default_o_auths_controller.rb
new file mode 100644
index 00000000..4c6bf5b9
--- /dev/null
+++ b/app/controllers/tenant_default_o_auths_controller.rb
@@ -0,0 +1,35 @@
+class TenantDefaultOAuthsController < ApplicationController
+  include ApplicationHelper
+
+  before_action :authenticate_admin, only: [:create, :destroy]
+
+  def create
+    enabled_default_oauth = TenantDefaultOAuth.new(o_auth_id: params[:o_auth_id])
+
+    if enabled_default_oauth.save
+      render json: {
+        id: params[:o_auth_id]
+      }, status: :created
+    else
+      render json: {
+        error: enabled_default_oauth.errors.full_messages
+      }, status: :unprocessable_entity
+    end
+  end
+
+  def destroy
+    enabled_default_oauth = TenantDefaultOAuth.find_by(o_auth_id: params[:o_auth_id])
+    
+    return if enabled_default_oauth.nil?
+
+    if enabled_default_oauth.destroy
+      render json: {
+        id: params[:o_auth_id],
+      }, status: :accepted
+    else
+      render json: {
+        error: enabled_default_oauth.errors.full_messages
+      }, status: :unprocessable_entity
+    end
+  end
+end
diff --git a/app/controllers/tenants_controller.rb b/app/controllers/tenants_controller.rb
index f9cc2519..71eff183 100644
--- a/app/controllers/tenants_controller.rb
+++ b/app/controllers/tenants_controller.rb
@@ -5,7 +5,7 @@ class TenantsController < ApplicationController
 
   def new
     @page_title = "Create your feedback space"
-    @o_auths = OAuth.unscoped.where(tenant_id: nil)
+    @o_auths = OAuth.unscoped.where(tenant_id: nil, is_enabled: true)
   end
 
   def show
@@ -46,6 +46,9 @@ class TenantsController < ApplicationController
       @user.save!
 
       CreateWelcomeEntitiesWorkflow.new().run
+      OAuth.include_only_defaults.each do |o_auth|
+        TenantDefaultOAuth.create(o_auth_id: o_auth.id)
+      end
 
       logger.info { "New tenant registration: #{Current.tenant.inspect}" }
 
diff --git a/app/javascript/actions/OAuth/updateDefaultOAuth.ts b/app/javascript/actions/OAuth/updateDefaultOAuth.ts
new file mode 100644
index 00000000..5fae726e
--- /dev/null
+++ b/app/javascript/actions/OAuth/updateDefaultOAuth.ts
@@ -0,0 +1,75 @@
+import { Action } from "redux";
+import { ThunkAction } from "redux-thunk";
+
+import { IOAuthJSON } from "../../interfaces/IOAuth";
+import { State } from "../../reducers/rootReducer";
+import buildRequestHeaders from "../../helpers/buildRequestHeaders";
+import HttpStatus from "../../constants/http_status";
+
+export const DEFAULT_OAUTH_UPDATE_START = 'DEFAULT_OAUTH_UPDATE_START';
+interface DefaultOAuthUpdateStartAction {
+  type: typeof DEFAULT_OAUTH_UPDATE_START;
+}
+
+export const DEFAULT_OAUTH_UPDATE_SUCCESS = 'DEFAULT_OAUTH_UPDATE_SUCCESS';
+interface DefaultOAuthUpdateSuccessAction {
+  type: typeof DEFAULT_OAUTH_UPDATE_SUCCESS;
+  id: number;
+  isEnabled: boolean;
+}
+
+export const DEFAULT_OAUTH_UPDATE_FAILURE = 'DEFAULT_OAUTH_UPDATE_FAILURE';
+interface DefaultOAuthUpdateFailureAction {
+  type: typeof DEFAULT_OAUTH_UPDATE_FAILURE;
+  error: string;
+}
+
+export type DefaultOAuthUpdateActionTypes =
+  DefaultOAuthUpdateStartAction |
+  DefaultOAuthUpdateSuccessAction |
+  DefaultOAuthUpdateFailureAction;
+
+const defaultOAuthUpdateStart = (): DefaultOAuthUpdateStartAction => ({
+  type: DEFAULT_OAUTH_UPDATE_START,
+});
+
+const defaultOAuthUpdateSuccess = (
+  id: number,
+  isEnabled: boolean,
+): DefaultOAuthUpdateSuccessAction => ({
+  type: DEFAULT_OAUTH_UPDATE_SUCCESS,
+  id,
+  isEnabled,
+});
+
+const defaultOAuthUpdateFailure = (error: string): DefaultOAuthUpdateFailureAction => ({
+  type: DEFAULT_OAUTH_UPDATE_FAILURE,
+  error,
+});
+
+interface UpdateDefaultOAuthParams {
+  id: number;
+  isEnabled?: boolean;
+  authenticityToken: string;
+}
+
+export const updateDefaultOAuth = ({
+  id,
+  isEnabled = null,
+  authenticityToken,
+}: UpdateDefaultOAuthParams): ThunkAction<void, State, null, Action<string>> => async (dispatch) => {
+  try {
+    dispatch(defaultOAuthUpdateStart());
+
+    const res = await fetch(`/o_auths/${id}/tenant_default_o_auths`, {
+      method: isEnabled ? 'POST' : 'DELETE',
+      headers: buildRequestHeaders(authenticityToken),
+    });
+    await res.json();
+
+    if (res.status === HttpStatus.Created || res.status === HttpStatus.Accepted)
+      dispatch(defaultOAuthUpdateSuccess(id, isEnabled));
+  } catch (e) {
+    console.log('An error occurred while enabling/disabling default OAuth');
+  }
+};
\ No newline at end of file
diff --git a/app/javascript/components/SiteSettings/Authentication/AuthenticationIndexPage.tsx b/app/javascript/components/SiteSettings/Authentication/AuthenticationIndexPage.tsx
index 1a98720d..66452566 100644
--- a/app/javascript/components/SiteSettings/Authentication/AuthenticationIndexPage.tsx
+++ b/app/javascript/components/SiteSettings/Authentication/AuthenticationIndexPage.tsx
@@ -15,6 +15,7 @@ interface Props {
   submitError: string;
 
   handleToggleEnabledOAuth(id: number, enabled: boolean): void;
+  handleToggleEnabledDefaultOAuth(id: number, enabled: boolean): void;
   handleDeleteOAuth(id: number): void;
 
   setPage: React.Dispatch<React.SetStateAction<AuthenticationPages>>;
@@ -27,6 +28,7 @@ const AuthenticationIndexPage = ({
   submitError,
 
   handleToggleEnabledOAuth,
+  handleToggleEnabledDefaultOAuth,
   handleDeleteOAuth,
 
   setPage,
@@ -48,6 +50,7 @@ const AuthenticationIndexPage = ({
       <OAuthProvidersList
         oAuths={oAuths.items}
         handleToggleEnabledOAuth={handleToggleEnabledOAuth}
+        handleToggleEnabledDefaultOAuth={handleToggleEnabledDefaultOAuth}
         handleDeleteOAuth={handleDeleteOAuth}
         setPage={setPage}
         setSelectedOAuth={setSelectedOAuth}
diff --git a/app/javascript/components/SiteSettings/Authentication/AuthenticationSiteSettingsP.tsx b/app/javascript/components/SiteSettings/Authentication/AuthenticationSiteSettingsP.tsx
index 05051a06..b414b3d5 100644
--- a/app/javascript/components/SiteSettings/Authentication/AuthenticationSiteSettingsP.tsx
+++ b/app/javascript/components/SiteSettings/Authentication/AuthenticationSiteSettingsP.tsx
@@ -16,6 +16,7 @@ interface Props {
   onSubmitOAuth(oAuth: IOAuth, authenticityToken: string): Promise<any>;
   onUpdateOAuth(id: number, form: ISiteSettingsOAuthForm, authenticityToken: string): Promise<any>;
   onToggleEnabledOAuth(id: number, isEnabled: boolean, authenticityToken: string): void;
+  onToggleEnabledDefaultOAuth(id: number, isEnabled: boolean, authenticityToken: string): void;
   onDeleteOAuth(id: number, authenticityToken: string): void;
 
   isSubmitting: boolean;
@@ -32,6 +33,7 @@ const AuthenticationSiteSettingsP = ({
   onSubmitOAuth,
   onUpdateOAuth,
   onToggleEnabledOAuth,
+  onToggleEnabledDefaultOAuth,
   onDeleteOAuth,
   isSubmitting,
   submitError,
@@ -58,6 +60,10 @@ const AuthenticationSiteSettingsP = ({
     onToggleEnabledOAuth(id, enabled, authenticityToken);
   };
 
+  const handleToggleEnabledDefaultOAuth = (id: number, enabled: boolean) => {
+    onToggleEnabledDefaultOAuth(id, enabled, authenticityToken);
+  };
+
   const handleDeleteOAuth = (id: number) => {
     onDeleteOAuth(id, authenticityToken);
   };
@@ -67,6 +73,7 @@ const AuthenticationSiteSettingsP = ({
       <AuthenticationIndexPage
         oAuths={oAuths}
         handleToggleEnabledOAuth={handleToggleEnabledOAuth}
+        handleToggleEnabledDefaultOAuth={handleToggleEnabledDefaultOAuth}
         handleDeleteOAuth={handleDeleteOAuth}
         setPage={setPage}
         setSelectedOAuth={setSelectedOAuth}
diff --git a/app/javascript/components/SiteSettings/Authentication/OAuthProviderItem.tsx b/app/javascript/components/SiteSettings/Authentication/OAuthProviderItem.tsx
index 23b4cbba..99d20c78 100644
--- a/app/javascript/components/SiteSettings/Authentication/OAuthProviderItem.tsx
+++ b/app/javascript/components/SiteSettings/Authentication/OAuthProviderItem.tsx
@@ -12,6 +12,7 @@ import { MutedText } from '../../common/CustomTexts';
 interface Props {
   oAuth: IOAuth;
   handleToggleEnabledOAuth(id: number, enabled: boolean): void;
+  handleToggleEnabledDefaultOAuth(id: number, enabled: boolean): void;
   handleDeleteOAuth(id: number): void;
   setPage: React.Dispatch<React.SetStateAction<AuthenticationPages>>;
   setSelectedOAuth: React.Dispatch<React.SetStateAction<number>>;
@@ -20,6 +21,7 @@ interface Props {
 const OAuthProviderItem = ({
   oAuth,
   handleToggleEnabledOAuth,
+  handleToggleEnabledDefaultOAuth,
   handleDeleteOAuth,
   setPage,
   setSelectedOAuth,
@@ -41,48 +43,59 @@ const OAuthProviderItem = ({
               />
             </div>
             :
-            <div><MutedText>{I18n.t('site_settings.authentication.default_oauth')}</MutedText></div>
+            <div className="oAuthIsEnabled">
+              <Switch
+                label={I18n.t(`common.${oAuth.isEnabled ? 'enabled' : 'disabled'}`)}
+                onClick={() => handleToggleEnabledDefaultOAuth(oAuth.id, !oAuth.defaultOAuthIsEnabled)}
+                checked={oAuth.defaultOAuthIsEnabled}
+                htmlId={`oAuth${oAuth.name}EnabledSwitch`}
+              />
+            </div>
         }
       </div>
     </div>
 
     {
-      oAuth.tenantId &&
-      <div className="oAuthActions">
-        <CopyToClipboardButton
-          label={I18n.t('site_settings.authentication.copy_url')}
-          textToCopy={oAuth.callbackUrl}
-        />
-        
-        <ActionLink
-          onClick={() =>
-            window.open(`/o_auths/${oAuth.id}/start?reason=test`, '', 'width=640, height=640')
-          }
-          icon={<TestIcon />}
-          customClass='testAction'
-        >
-          {I18n.t('common.buttons.test')}
-        </ActionLink>
-        
-        <ActionLink
-          onClick={() => {
-            setSelectedOAuth(oAuth.id);
-            setPage('edit');
-          }}
-          icon={<EditIcon />}
-          customClass='editAction'
-        >
-          {I18n.t('common.buttons.edit')}
-        </ActionLink>
-        
-        <ActionLink
-          onClick={() => confirm(I18n.t('common.confirmation')) && handleDeleteOAuth(oAuth.id)}
-          icon={<DeleteIcon />}
-          customClass='deleteAction'
-        >
-          {I18n.t('common.buttons.delete')}
-        </ActionLink>
-      </div>
+      oAuth.tenantId ?
+        <div className="oAuthActions">
+          <CopyToClipboardButton
+            label={I18n.t('site_settings.authentication.copy_url')}
+            textToCopy={oAuth.callbackUrl}
+          />
+          
+          <ActionLink
+            onClick={() =>
+              window.open(`/o_auths/${oAuth.id}/start?reason=test`, '', 'width=640, height=640')
+            }
+            icon={<TestIcon />}
+            customClass='testAction'
+          >
+            {I18n.t('common.buttons.test')}
+          </ActionLink>
+          
+          <ActionLink
+            onClick={() => {
+              setSelectedOAuth(oAuth.id);
+              setPage('edit');
+            }}
+            icon={<EditIcon />}
+            customClass='editAction'
+          >
+            {I18n.t('common.buttons.edit')}
+          </ActionLink>
+          
+          <ActionLink
+            onClick={() => confirm(I18n.t('common.confirmation')) && handleDeleteOAuth(oAuth.id)}
+            icon={<DeleteIcon />}
+            customClass='deleteAction'
+          >
+            {I18n.t('common.buttons.delete')}
+          </ActionLink>
+        </div>
+      :
+        <div className="defaultOAuthDiv">
+          <span className="defaultOAuthLabel"><MutedText>{I18n.t('site_settings.authentication.default_oauth')}</MutedText></span>
+        </div>
     }
   </li>
 );
diff --git a/app/javascript/components/SiteSettings/Authentication/OAuthProvidersList.tsx b/app/javascript/components/SiteSettings/Authentication/OAuthProvidersList.tsx
index 9a9e4916..7271f6d7 100644
--- a/app/javascript/components/SiteSettings/Authentication/OAuthProvidersList.tsx
+++ b/app/javascript/components/SiteSettings/Authentication/OAuthProvidersList.tsx
@@ -9,6 +9,7 @@ import OAuthProviderItem from './OAuthProviderItem';
 interface Props {
   oAuths: Array<IOAuth>;
   handleToggleEnabledOAuth(id: number, enabled: boolean): void;
+  handleToggleEnabledDefaultOAuth(id: number, enabled: boolean): void;
   handleDeleteOAuth(id: number): void;
   setPage: React.Dispatch<React.SetStateAction<AuthenticationPages>>;
   setSelectedOAuth: React.Dispatch<React.SetStateAction<number>>;
@@ -17,6 +18,7 @@ interface Props {
 const OAuthProvidersList = ({
   oAuths,
   handleToggleEnabledOAuth,
+  handleToggleEnabledDefaultOAuth,
   handleDeleteOAuth,
   setPage,
   setSelectedOAuth,
@@ -35,6 +37,7 @@ const OAuthProvidersList = ({
           <OAuthProviderItem
             oAuth={oAuth}
             handleToggleEnabledOAuth={handleToggleEnabledOAuth}
+            handleToggleEnabledDefaultOAuth={handleToggleEnabledDefaultOAuth}
             handleDeleteOAuth={handleDeleteOAuth}
             setPage={setPage}
             setSelectedOAuth={setSelectedOAuth}
diff --git a/app/javascript/components/TenantSignUp/TenantSignUpP.tsx b/app/javascript/components/TenantSignUp/TenantSignUpP.tsx
index 7f9b8a44..96a9c3f6 100644
--- a/app/javascript/components/TenantSignUp/TenantSignUpP.tsx
+++ b/app/javascript/components/TenantSignUp/TenantSignUpP.tsx
@@ -45,6 +45,8 @@ export interface ITenantSignUpTenantForm {
   subdomain: string;
 }
 
+export type AuthMethod = 'none' | 'email' | 'oauth';
+
 const TenantSignUpP = ({
   oAuths,
   oAuthLoginCompleted,
@@ -58,9 +60,12 @@ const TenantSignUpP = ({
   baseUrl,
   authenticityToken
 }: Props) => {
+  // authMethod is either 'none', 'email' or 'oauth'
+  const [authMethod, setAuthMethod] = useState<AuthMethod>(oAuthLoginCompleted ? 'oauth' : 'none');
+
   const [userData, setUserData] = useState({
-    fullName: '',
-    email: '',
+    fullName: oAuthLoginCompleted ? oauthUserName : '',
+    email: oAuthLoginCompleted ? oauthUserEmail : '',
     password: '',
     passwordConfirmation: '',
   });
@@ -72,20 +77,18 @@ const TenantSignUpP = ({
 
   const [currentStep, setCurrentStep] = useState(oAuthLoginCompleted ? 2 : 1);
 
-  const [emailAuth, setEmailAuth] = useState(false);
-
   const handleSignUpSubmit = (siteName: string, subdomain: string) => {
     handleSubmit(
-      oAuthLoginCompleted ? oauthUserName : userData.fullName,
-      oAuthLoginCompleted ? oauthUserEmail : userData.email,
+      userData.fullName,
+      userData.email,
       userData.password,
       siteName,
       subdomain,
-      oAuthLoginCompleted,
+      authMethod == 'oauth',
       authenticityToken,
     ).then(res => {
       if (res?.status !== HttpStatus.Created) return;
-      if (oAuthLoginCompleted) {
+      if (authMethod == 'oauth') {
         let redirectUrl = new URL(baseUrl);
         redirectUrl.hostname = `${subdomain}.${redirectUrl.hostname}`;
         window.location.href = `${redirectUrl.toString()}users/sign_in`;
@@ -107,12 +110,9 @@ const TenantSignUpP = ({
           <UserSignUpForm
             currentStep={currentStep}
             setCurrentStep={setCurrentStep}
-            emailAuth={emailAuth}
-            setEmailAuth={setEmailAuth}
+            authMethod={authMethod}
+            setAuthMethod={setAuthMethod}
             oAuths={oAuths}
-            oAuthLoginCompleted={oAuthLoginCompleted}
-            oauthUserEmail={oauthUserEmail}
-            oauthUserName={oauthUserName}
             userData={userData}
             setUserData={setUserData}
           />
diff --git a/app/javascript/components/TenantSignUp/UserSignUpForm.tsx b/app/javascript/components/TenantSignUp/UserSignUpForm.tsx
index 0b801d97..9ca2ebb7 100644
--- a/app/javascript/components/TenantSignUp/UserSignUpForm.tsx
+++ b/app/javascript/components/TenantSignUp/UserSignUpForm.tsx
@@ -5,7 +5,7 @@ import I18n from 'i18n-js';
 import Box from '../common/Box';
 import Button from '../common/Button';
 import OAuthProviderLink from '../common/OAuthProviderLink';
-import { ITenantSignUpUserForm } from './TenantSignUpP';
+import { AuthMethod, ITenantSignUpUserForm } from './TenantSignUpP';
 import { DangerText } from '../common/CustomTexts';
 import { getLabel, getValidationMessage } from '../../helpers/formUtils';
 import { EMAIL_REGEX } from '../../constants/regex';
@@ -16,12 +16,9 @@ import { BackIcon, EditIcon } from '../common/Icons';
 interface Props {
   currentStep: number;
   setCurrentStep(step: number): void;
-  emailAuth: boolean;
-  setEmailAuth(enabled: boolean): void;
+  authMethod: AuthMethod;
+  setAuthMethod(method: AuthMethod): void;
   oAuths: Array<IOAuth>;
-  oAuthLoginCompleted: boolean;
-  oauthUserEmail?: string;
-  oauthUserName?: string;
   userData: ITenantSignUpUserForm;
   setUserData({}: ITenantSignUpUserForm): void;
 }
@@ -29,12 +26,9 @@ interface Props {
 const UserSignUpForm = ({
   currentStep,
   setCurrentStep,
-  emailAuth,
-  setEmailAuth,
+  authMethod,
+  setAuthMethod,
   oAuths,
-  oAuthLoginCompleted,
-  oauthUserEmail,
-  oauthUserName,
   userData,
   setUserData,
 }: Props) => {
@@ -44,7 +38,15 @@ const UserSignUpForm = ({
     setError,
     getValues,
     formState: { errors }
-  } = useForm<ITenantSignUpUserForm>();
+  } = useForm<ITenantSignUpUserForm>({
+    defaultValues: {
+      fullName: userData.fullName,
+      email: userData.email,
+      password: userData.password,
+      passwordConfirmation: userData.passwordConfirmation,
+    }
+  });
+
   const onSubmit: SubmitHandler<ITenantSignUpUserForm> = data => {
     if (data.password !== data.passwordConfirmation) {
       setError('passwordConfirmation', I18n.t('common.validations.password_mismatch'));
@@ -60,36 +62,40 @@ const UserSignUpForm = ({
       <h3>Create user account</h3>
 
       {
-        currentStep === 1 && !emailAuth && 
+        currentStep === 1 && authMethod == 'none' && 
         <>
-        <Button className="emailAuth" onClick={() => setEmailAuth(true)}>
+        <Button className="emailAuth" onClick={() => setAuthMethod('email')}>
           Sign up with email
         </Button>
 
-        {
-          oAuths.filter(oAuth => oAuth.isEnabled).map((oAuth, i) =>
-            <OAuthProviderLink
-              oAuthId={oAuth.id}
-              oAuthName={oAuth.name}
-              oAuthLogo={oAuth.logo}
-              oAuthReason='tenantsignup'
-              isSignUp
-              key={i}
-            />
-          )
-        }
+        { oAuths.length > 0 && <hr /> }
+
+        <div className="oauthProviderList">
+          {
+            oAuths.filter(oAuth => oAuth.isEnabled).map((oAuth, i) =>
+              <OAuthProviderLink
+                oAuthId={oAuth.id}
+                oAuthName={oAuth.name}
+                oAuthLogo={oAuth.logo}
+                oAuthReason='tenantsignup'
+                isSignUp
+                key={i}
+              />
+            )
+          }
+        </div>
         </>
       }
 
       {
-        currentStep === 1 && emailAuth &&
+        currentStep === 1 && (authMethod == 'email' || authMethod == 'oauth') &&
         <form onSubmit={handleSubmit(onSubmit)}>
           <ActionLink
-            onClick={() => setEmailAuth(false)}
+            onClick={() => setAuthMethod('none')}
             icon={<BackIcon />}
             customClass="backButton"
           >
-            {I18n.t('common.buttons.back')}
+            Use another method
           </ActionLink>
 
           <div className="formRow">
@@ -106,6 +112,7 @@ const UserSignUpForm = ({
           <div className="formRow">
             <input
               {...register('email', { required: true, pattern: EMAIL_REGEX })}
+              disabled={authMethod == 'oauth'}
               type="email"
               placeholder={getLabel('user', 'email')}
               id="userEmail"
@@ -117,29 +124,32 @@ const UserSignUpForm = ({
             </DangerText>
           </div>
 
-          <div className="formRow">
-            <div className="userPasswordDiv">
-              <input
-                {...register('password', { required: true, minLength: 6, maxLength: 128 })}
-                type="password"
-                placeholder={getLabel('user', 'password')}
-                id="userPassword"
-                className="formControl"
-              />
-              <DangerText>{ errors.password && I18n.t('common.validations.password', { n: 6 }) }</DangerText>
-            </div>
+          {
+            authMethod == 'email' &&
+            <div className="formRow">
+              <div className="userPasswordDiv">
+                <input
+                  {...register('password', { required: true, minLength: 6, maxLength: 128 })}
+                  type="password"
+                  placeholder={getLabel('user', 'password')}
+                  id="userPassword"
+                  className="formControl"
+                />
+                <DangerText>{ errors.password && I18n.t('common.validations.password', { n: 6 }) }</DangerText>
+              </div>
 
-            <div className="userPasswordConfirmationDiv">
-              <input
-                {...register('passwordConfirmation')}
-                type="password"
-                placeholder={getLabel('user', 'password_confirmation')}
-                id="userPasswordConfirmation"
-                className="formControl"
-              />
-              <DangerText>{ errors.passwordConfirmation && I18n.t('common.validations.password_mismatch') }</DangerText>
+              <div className="userPasswordConfirmationDiv">
+                <input
+                  {...register('passwordConfirmation')}
+                  type="password"
+                  placeholder={getLabel('user', 'password_confirmation')}
+                  id="userPasswordConfirmation"
+                  className="formControl"
+                />
+                <DangerText>{ errors.passwordConfirmation && I18n.t('common.validations.password_mismatch') }</DangerText>
+              </div>
             </div>
-          </div>
+          }
 
           <Button
             onClick={() => null}
@@ -151,9 +161,9 @@ const UserSignUpForm = ({
       }
 
       {
-        currentStep === 2 && !oAuthLoginCompleted &&
+        currentStep === 2 &&
         <p className="userRecap">
-          <b>{oAuthLoginCompleted ? oauthUserName : userData.fullName}</b> ({oAuthLoginCompleted ? oauthUserEmail : userData.email})
+          <b>{userData.fullName}</b> ({userData.email})
           <ActionLink onClick={() => setCurrentStep(currentStep-1)} icon={<EditIcon />} customClass="editUser">Edit</ActionLink>
         </p>
       }
diff --git a/app/javascript/components/common/CopyToClipboardButton.tsx b/app/javascript/components/common/CopyToClipboardButton.tsx
index 8108914f..6010cc66 100644
--- a/app/javascript/components/common/CopyToClipboardButton.tsx
+++ b/app/javascript/components/common/CopyToClipboardButton.tsx
@@ -3,6 +3,7 @@ import I18n from 'i18n-js';
 import { useState } from 'react';
 import ActionLink from './ActionLink';
 import { CopyIcon, DoneIcon } from './Icons';
+import { SuccessText } from './CustomTexts';
 
 interface Props {
   label: string;
@@ -40,7 +41,7 @@ const CopyToClipboardButton = ({
       </ActionLink>
     :
       <span style={{display: 'flex', marginRight: 12}}>
-        {copiedLabel}
+        <SuccessText>{copiedLabel}</SuccessText>
       </span>
   );
 };
diff --git a/app/javascript/containers/AuthenticationSiteSettings.tsx b/app/javascript/containers/AuthenticationSiteSettings.tsx
index 9380bcde..5973eacb 100644
--- a/app/javascript/containers/AuthenticationSiteSettings.tsx
+++ b/app/javascript/containers/AuthenticationSiteSettings.tsx
@@ -8,6 +8,7 @@ import AuthenticationSiteSettingsP from "../components/SiteSettings/Authenticati
 import { ISiteSettingsOAuthForm } from "../components/SiteSettings/Authentication/OAuthForm";
 import { IOAuth } from "../interfaces/IOAuth";
 import { State } from "../reducers/rootReducer";
+import { updateDefaultOAuth } from "../actions/OAuth/updateDefaultOAuth";
 
 const mapStateToProps = (state: State) => ({
   oAuths: state.oAuths,
@@ -33,6 +34,10 @@ const mapDispatchToProps = (dispatch: any) => ({
     dispatch(updateOAuth({id, isEnabled, authenticityToken}));
   },
 
+  onToggleEnabledDefaultOAuth(id: number, isEnabled: boolean, authenticityToken: string) {
+    dispatch(updateDefaultOAuth({id, isEnabled, authenticityToken}));
+  },
+
   onDeleteOAuth(id: number, authenticityToken: string) {
     dispatch(deleteOAuth(id, authenticityToken));
   },
diff --git a/app/javascript/interfaces/IOAuth.ts b/app/javascript/interfaces/IOAuth.ts
index 51076e18..7eefdaf1 100644
--- a/app/javascript/interfaces/IOAuth.ts
+++ b/app/javascript/interfaces/IOAuth.ts
@@ -14,6 +14,7 @@ export interface IOAuth {
   
   callbackUrl?: string;
   tenantId?: number;
+  defaultOAuthIsEnabled: boolean;
 }
 
 export interface IOAuthJSON {
@@ -32,6 +33,7 @@ export interface IOAuthJSON {
 
   callback_url?: string;
   tenant_id?: string;
+  default_o_auth_is_enabled: boolean;
 }
 
 export const oAuthJSON2JS = (oAuthJSON: IOAuthJSON): IOAuth => ({
@@ -50,6 +52,7 @@ export const oAuthJSON2JS = (oAuthJSON: IOAuthJSON): IOAuth => ({
 
   callbackUrl: oAuthJSON.callback_url,
   tenantId: oAuthJSON.tenant_id ? parseInt(oAuthJSON.tenant_id) : null,
+  defaultOAuthIsEnabled: oAuthJSON.default_o_auth_is_enabled,
 });
 
 export const oAuthJS2JSON = (oAuth: IOAuth) => ({
@@ -68,4 +71,5 @@ export const oAuthJS2JSON = (oAuth: IOAuth) => ({
 
   callback_url: oAuth.callbackUrl,
   tenant_id: oAuth.tenantId,
+  default_o_auth_is_enabled: oAuth.defaultOAuthIsEnabled,
 });
\ No newline at end of file
diff --git a/app/javascript/reducers/oAuthsReducer.ts b/app/javascript/reducers/oAuthsReducer.ts
index c22c7aa1..e94b9bb4 100644
--- a/app/javascript/reducers/oAuthsReducer.ts
+++ b/app/javascript/reducers/oAuthsReducer.ts
@@ -21,6 +21,7 @@ import {
 } from '../actions/OAuth/deleteOAuth';
 
 import { IOAuth, oAuthJSON2JS } from '../interfaces/IOAuth';
+import { DEFAULT_OAUTH_UPDATE_FAILURE, DEFAULT_OAUTH_UPDATE_START, DEFAULT_OAUTH_UPDATE_SUCCESS, DefaultOAuthUpdateActionTypes } from '../actions/OAuth/updateDefaultOAuth';
 
 export interface OAuthsState {
   items: Array<IOAuth>;
@@ -40,10 +41,12 @@ const oAuthsReducer = (
     OAuthsRequestActionTypes |
     OAuthSubmitActionTypes |
     OAuthUpdateActionTypes |
-    OAuthDeleteActionTypes,
+    OAuthDeleteActionTypes |
+    DefaultOAuthUpdateActionTypes,
 ) => {
   switch (action.type) {
     case OAUTHS_REQUEST_START:
+    case DEFAULT_OAUTH_UPDATE_START:
       return {
         ...state,
         areLoading: true,
@@ -58,6 +61,7 @@ const oAuthsReducer = (
       };
 
     case OAUTHS_REQUEST_FAILURE:
+    case DEFAULT_OAUTH_UPDATE_FAILURE:
       return {
         ...state,
         areLoading: false,
@@ -79,6 +83,19 @@ const oAuthsReducer = (
         })
       };
 
+    case DEFAULT_OAUTH_UPDATE_SUCCESS:
+      return {
+        ...state,
+        areLoading: false,
+        items: state.items.map(oAuth => {
+          if (oAuth.id !== action.id) return oAuth;
+          return {
+            ...oAuth,
+            defaultOAuthIsEnabled: action.isEnabled,
+          };
+        }),
+      };
+
     case OAUTH_DELETE_SUCCESS:
       return {
         ...state,
diff --git a/app/models/o_auth.rb b/app/models/o_auth.rb
index 1804f55c..dc05a9e1 100644
--- a/app/models/o_auth.rb
+++ b/app/models/o_auth.rb
@@ -3,7 +3,7 @@ class OAuth < ApplicationRecord
   include ApplicationHelper
   include Rails.application.routes.url_helpers
 
-  scope :include_defaults, -> { unscope(where: :tenant_id).where(tenant_id: Current.tenant).or(unscope(where: :tenant_id).where(tenant_id: nil, is_enabled: true)) }
+  has_many :tenant_default_o_auths, dependent: :destroy
 
   attr_accessor :state
 
@@ -41,4 +41,25 @@ class OAuth < ApplicationRecord
     "scope=#{scope}&"\
     "state=#{state}"
   end
+
+  def default_o_auth_is_enabled
+    is_default? and tenant_default_o_auths.exists?
+  end
+
+  class << self
+    # returns all tenant-specific o_auths plus all default o_auths that are enabled site-wide
+    def include_all_defaults
+      unscoped.where(tenant_id: nil, is_enabled: true).or(where(tenant_id: Current.tenant))
+    end
+
+    # returns all tenant-specific o_auths plus all default o_auths that are enabled both site-wide and for the current tenant
+    def include_defaults
+      unscoped.left_outer_joins(:tenant_default_o_auths).where(tenant_default_o_auths: { tenant_id: Current.tenant }, is_enabled: true).or(where(tenant_id: Current.tenant))
+    end
+
+    # returns all default o_auths that are enabled site-wide
+    def include_only_defaults
+      unscoped.where(tenant_id: nil, is_enabled: true)
+    end
+  end
 end
diff --git a/app/models/tenant.rb b/app/models/tenant.rb
index d8a9e26c..3a8d661e 100644
--- a/app/models/tenant.rb
+++ b/app/models/tenant.rb
@@ -1,11 +1,16 @@
 class Tenant < ApplicationRecord
   has_one :tenant_setting, dependent: :destroy
   has_many :boards, dependent: :destroy
-  has_many :o_auths, dependent: :destroy
   has_many :post_statuses, dependent: :destroy
   has_many :posts, dependent: :destroy
   has_many :users, dependent: :destroy
 
+  has_many :o_auths, dependent: :destroy
+  # used to enable/disable a default oauth for a specific tenant
+  has_many :tenant_default_o_auths, dependent: :destroy
+  # used to query all globally enabled default oauths that are also enabled by the specific tenant
+  has_many :default_o_auths, -> { where tenant_id: nil, is_enabled: true }, through: :tenant_default_o_auths, source: :o_auth
+
   enum status: [:active, :pending, :blocked]
 
   after_initialize :set_default_status, if: :new_record?
diff --git a/app/models/tenant_default_o_auth.rb b/app/models/tenant_default_o_auth.rb
new file mode 100644
index 00000000..ad7df3ca
--- /dev/null
+++ b/app/models/tenant_default_o_auth.rb
@@ -0,0 +1,11 @@
+# This is just a table to record whether tenant has
+# enabled o_auth or not (and is used only for default
+# o_auths, i.e. o_auths with tenant_id = nil, because
+# they are available to multiple tenants and so their
+# is_enabled column cannot be used)
+
+class TenantDefaultOAuth < ApplicationRecord
+  include TenantOwnable
+
+  belongs_to :o_auth, -> { unscope(where: :tenant_id) }
+end
diff --git a/app/workflows/o_auth_exchange_auth_code_for_profile_workflow.rb b/app/workflows/o_auth_exchange_auth_code_for_profile_workflow.rb
index 7392d212..16cfc1c8 100644
--- a/app/workflows/o_auth_exchange_auth_code_for_profile_workflow.rb
+++ b/app/workflows/o_auth_exchange_auth_code_for_profile_workflow.rb
@@ -19,6 +19,14 @@ class OAuthExchangeAuthCodeForProfileWorkflow
     @o_auth = o_auth
   end
 
+  def request_profile(profile_url, access_token)
+    HTTParty.get(
+      profile_url,
+      headers: { "Authorization": "Bearer #{access_token}" },
+      format: :json
+    ).parsed_response
+  end
+
   def run
     return nil unless @o_auth and @o_auth.class == OAuth
     return nil unless @authorization_code and @authorization_code.class == String
@@ -41,16 +49,18 @@ class OAuthExchangeAuthCodeForProfileWorkflow
       access_token = token_response['access_token']
       
       # Exchange access token for profile info
-      profile_response = HTTParty.get(
-        @o_auth.profile_url,
-        headers: { "Authorization": "Bearer #{access_token}" },
-        format: :json
-      ).parsed_response
+      profile_urls = @o_auth.profile_url.split(',')
+      if profile_urls.length == 1
+        profile_response = request_profile(profile_urls[0], access_token)
+      else
+        profile_response = {}
+        profile_urls.each_with_index do |profile_url, n|
+          profile_response["profile#{n}"] = request_profile(profile_url, access_token)
+        end
+      end
 
       return profile_response
     rescue => error
-      logger.error { "Error in OAuthExchangeAuthCodeForProfileWorkflow: #{error}, o_auth: #{@o_auth.inspect}" }
-
       return nil
     end
   end
diff --git a/app/workflows/o_auth_sign_in_user_workflow.rb b/app/workflows/o_auth_sign_in_user_workflow.rb
index 683cc386..80cfc7f8 100644
--- a/app/workflows/o_auth_sign_in_user_workflow.rb
+++ b/app/workflows/o_auth_sign_in_user_workflow.rb
@@ -52,7 +52,6 @@ class OAuthSignInUserWorkflow
 
       return user
     rescue => error
-      logger.error { "Error in OAuthSignInUserWorkflow: #{error}, o_auth: #{@o_auth.inspect}" }
       return nil
     end
   end
diff --git a/config/routes.rb b/config/routes.rb
index 9d7a9c82..ab253c38 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -26,7 +26,9 @@ Rails.application.routes.draw do
     
     resources :tenants, only: [:show, :update]
     resources :users, only: [:index, :update]
-    resources :o_auths, only: [:index, :create, :update, :destroy]
+    resources :o_auths, only: [:index, :create, :update, :destroy] do
+      resource :tenant_default_o_auths, only: [:create, :destroy]
+    end
     get '/o_auths/:id/start', to: 'o_auths#start', as: :o_auth_start
     get '/o_auths/:id/callback', to: 'o_auths#callback', as: :o_auth_callback
     get '/o_auths/sign_in_from_oauth_token', to: 'o_auths#sign_in_from_oauth_token', as: :o_auth_sign_in_from_oauth_token
diff --git a/db/migrate/20240303103945_create_tenant_default_o_auths.rb b/db/migrate/20240303103945_create_tenant_default_o_auths.rb
new file mode 100644
index 00000000..3e368028
--- /dev/null
+++ b/db/migrate/20240303103945_create_tenant_default_o_auths.rb
@@ -0,0 +1,10 @@
+class CreateTenantDefaultOAuths < ActiveRecord::Migration[6.1]
+  def change
+    create_table :tenant_default_o_auths do |t|
+      t.references :tenant, null: false, foreign_key: true
+      t.references :o_auth, null: false, foreign_key: true
+
+      t.timestamps
+    end
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 2f98da96..d9915808 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2024_02_27_110058) do
+ActiveRecord::Schema.define(version: 2024_03_03_103945) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -124,6 +124,15 @@ ActiveRecord::Schema.define(version: 2024_02_27_110058) do
     t.index ["user_id"], name: "index_posts_on_user_id"
   end
 
+  create_table "tenant_default_o_auths", force: :cascade do |t|
+    t.bigint "tenant_id", null: false
+    t.bigint "o_auth_id", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["o_auth_id"], name: "index_tenant_default_o_auths_on_o_auth_id"
+    t.index ["tenant_id"], name: "index_tenant_default_o_auths_on_tenant_id"
+  end
+
   create_table "tenant_settings", force: :cascade do |t|
     t.integer "brand_display", default: 0, null: false
     t.bigint "tenant_id", null: false
@@ -195,6 +204,8 @@ ActiveRecord::Schema.define(version: 2024_02_27_110058) do
   add_foreign_key "posts", "post_statuses"
   add_foreign_key "posts", "tenants"
   add_foreign_key "posts", "users"
+  add_foreign_key "tenant_default_o_auths", "o_auths"
+  add_foreign_key "tenant_default_o_auths", "tenants"
   add_foreign_key "tenant_settings", "tenants"
   add_foreign_key "users", "tenants"
 end
diff --git a/spec/factories/o_auths.rb b/spec/factories/o_auths.rb
index 35294dc8..b0532f32 100644
--- a/spec/factories/o_auths.rb
+++ b/spec/factories/o_auths.rb
@@ -12,4 +12,19 @@ FactoryBot.define do
     json_user_name_path { "user.name" }
     json_user_email_path { "user.email" }
   end
+
+  factory :default_o_auth, class: OAuth do
+    tenant { nil }
+    sequence(:name) { |n| "DefaultOAuth#{n}" }
+    logo { "https://upload.wikimedia.org/wikipedia/commons/5/53/Google_%22G%22_Logo.svg" }
+    is_enabled { false }
+    client_id { "123456" }
+    client_secret { "123456" }
+    authorize_url { "https://example.com/authorize" }
+    token_url { "https://example.com/token" }
+    profile_url { "https://example.com/profile" }
+    scope { "read" }
+    json_user_name_path { "user.name" }
+    json_user_email_path { "user.email" }
+  end
 end
diff --git a/spec/factories/tenant_default_o_auths.rb b/spec/factories/tenant_default_o_auths.rb
new file mode 100644
index 00000000..b8131fb9
--- /dev/null
+++ b/spec/factories/tenant_default_o_auths.rb
@@ -0,0 +1,6 @@
+FactoryBot.define do
+  factory :tenant_default_o_auth do
+    tenant
+    o_auth
+  end
+end
diff --git a/spec/models/tenant_default_o_auth_spec.rb b/spec/models/tenant_default_o_auth_spec.rb
new file mode 100644
index 00000000..f0035c04
--- /dev/null
+++ b/spec/models/tenant_default_o_auth_spec.rb
@@ -0,0 +1,14 @@
+require 'rails_helper'
+
+RSpec.describe TenantDefaultOAuth, type: :model do
+  let(:tenant_default_o_auth) { FactoryBot.build(:tenant_default_o_auth) }
+
+  it 'is valid' do
+    expect(tenant_default_o_auth).to be_valid
+  end
+
+  it 'must have a o_auth_id' do
+    tenant_default_o_auth.o_auth = nil
+    expect(tenant_default_o_auth).to be_invalid
+  end
+end
diff --git a/spec/system/site_settings/site_settings_authentication_spec.rb b/spec/system/site_settings/site_settings_authentication_spec.rb
index dab88444..d717528c 100644
--- a/spec/system/site_settings/site_settings_authentication_spec.rb
+++ b/spec/system/site_settings/site_settings_authentication_spec.rb
@@ -4,6 +4,8 @@ feature 'site settings: authentication', type: :system, js: true do
   let(:admin) { FactoryBot.create(:admin) }
   
   let(:o_auth) { FactoryBot.create(:o_auth) }
+  let(:disabled_default_o_auth) { FactoryBot.create(:default_o_auth, is_enabled: false) }
+  let(:enabled_default_o_auth) { FactoryBot.create(:default_o_auth, is_enabled: true) }
 
   let(:o_auths_list_selector) { '.oAuthsList' }
   let(:o_auth_list_item_selector) { '.oAuthListItem' }
@@ -26,6 +28,18 @@ feature 'site settings: authentication', type: :system, js: true do
     end
   end
 
+  it 'lets view existing default oauths, if enabled' do
+    disabled_default_o_auth # should not be visible
+    enabled_default_o_auth # should be visible
+
+    visit site_settings_authentication_path
+
+    within o_auths_list_selector do
+      expect(page).to have_content(/#{enabled_default_o_auth.name}/i)
+      expect(page).not_to have_content(/#{disabled_default_o_auth.name}/i)
+    end
+  end
+
   it 'lets create new oauths' do
     n_of_o_auths = OAuth.count
     new_o_auth_name = 'My new oauth'
diff --git a/spec/system/user_o_auth_sign_up_and_log_in.rb b/spec/system/user_o_auth_sign_up_and_log_in.rb
new file mode 100644
index 00000000..fa027043
--- /dev/null
+++ b/spec/system/user_o_auth_sign_up_and_log_in.rb
@@ -0,0 +1,49 @@
+require 'rails_helper'
+
+feature 'oauth sign up / log in', type: :system, js: true do
+  let(:o_auth) { FactoryBot.create(:o_auth, is_enabled: true) }
+  let(:disabled_o_auth) { FactoryBot.create(:o_auth, is_enabled: false) }
+  let(:default_o_auth) { FactoryBot.create(:default_o_auth, is_enabled: true) }
+  let(:disabled_default_o_auth) { FactoryBot.create(:default_o_auth, is_enabled: false) }
+
+  let(:o_auth_button_selector) { '.oauthProviderBtn' }
+
+  before(:each) do
+    o_auth
+    disabled_o_auth
+    default_o_auth
+    disabled_default_o_auth
+  end
+
+  it 'shows sign up links for enabled oauths' do
+    visit new_user_registration_path
+
+    expect(page).to have_css(o_auth_button_selector, count: 1)
+    expect(page).to have_content(/#{o_auth.name}/i)
+    expect(page).not_to have_content(/#{default_o_auth.name}/i)
+    expect(page).not_to have_content(/#{disabled_o_auth.name}/i)
+    expect(page).not_to have_content(/#{disabled_default_o_auth.name}/i)
+
+    OAuth.tenant_default_o_auths.create
+
+    visit new_user_registration_path
+    expect(page).to have_css(o_auth_button_selector, count: 2)
+    expect(page).to have_content(/#{default_o_auth.name}/i)
+  end
+
+  it 'shows log in links for enabled oauths' do
+    visit new_user_session_path
+
+    expect(page).to have_css(o_auth_button_selector, count: 1)
+    expect(page).to have_content(/#{o_auth.name}/i)
+    expect(page).not_to have_content(/#{default_o_auth.name}/i)
+    expect(page).not_to have_content(/#{disabled_o_auth.name}/i)
+    expect(page).not_to have_content(/#{disabled_default_o_auth.name}/i)
+
+    OAuth.tenant_default_o_auths.create
+
+    visit new_user_session_path
+    expect(page).to have_css(o_auth_button_selector, count: 2)
+    expect(page).to have_content(/#{default_o_auth.name}/i)
+  end
+end
\ No newline at end of file