Skip to main content

GitHub

Follow these steps to add GitHub as a social sign-in provider for your Ory Cloud project.

  1. Sign in to Ory Cloud Console and select Social Sign-in.
  2. Click the switch next to the GitHub logo to start the configuration.
  3. Copy the Redirect URI.
  4. Create an OAuth2 app in GitHub. Open a new browser tab, go to Developer settings → OAuth Apps and click New OAuth App.
  5. Paste the Redirect URI copied from Ory into the Authorization Callback URL field in GitHub and fill in other required app details.
  6. Click the Register application button.
  7. Copy the Client ID of the registered application and paste it into the corresponding field in Ory Console.
  8. In GitHub, click Generate a new client secret, copy the generated string, and paste it into the corresponding field in Ory Console.
  9. Click Save Configuration to enable the social sign-in provider.
note

The Scopes and Data mapping fields are optional - you don't have to configure them to start using the social sign-in provider.

Additional configuration

When adding a social sign-in provider, you can customize the integration by defining the OAuth scopes Ory requests from the provider and by setting up custom data mappings.

Scopes

The Scopes section allows you to define the OAuth scopes Ory requests from the sign-in provider. Defining scopes allows you to interact with the provider's APIs on behalf of the user, or to access additional user data, which is exposed as claims for data mapping.

Leave this field blank to use the default scopes.

To learn more about the scopes available for GitHub, read the related documentation.

Data Mapping

The Data Mapping section allows you to map the data returned by the sign-in provider to traits as defined in the identity schema. While optional, we highly recommend you add it. The user experience will be worse if left blank, as a user will have to supply their email address through an additional custom step after completing the OAuth flow.

To define the mapping, create a Jsonnet code snippet. Read the OpenID Connect and OAuth2 Credentials documentation for more details.

note

GitHub doesn't implement OpenID Connect. Because of this limitation, Ory Kratos makes a request to GitHub's User API and adds the user data to std.extVar('claims'). Learn what data is available by reading the GitHub Scopes documentation. However, not all GitHub scopes are supported. Check the list of supported fields the source code.

In this sample Jsonnet snippet, email_primary is mapped to the identity schema's traits.email:

local claims = {
  email_verified: false
} + std.extVar('claims');
{
  identity: {
    traits: {
      // Allowing unverified email addresses enables account
      // enumeration attacks, especially if the value is used for
      // e.g. verification or as a password login identifier.
      //
      // Therefore we only return the email if it (a) exists and (b) is marked verified
      // by GitHub.
      [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
    },
  },
}
warning

Don't save secrets such as API keys, credentials, or PII directly in Jsonnet code snippets.
Jsonnet code snippets used for data mapping aren't stored in an encrypted format in Ory Cloud .