
Background

I'm trying to implement social login using GitHub accounts and OpenID Connect, but I can't figure out what GitHub endpoints I'm supposed to:

  1. redirect the user to and
  2. POST the authorization code to

...to get back an ID token, or if I already have the right endpoints but the wrong parameters.

I've been following/adapting this guide to implementing social login with OpenID Connect (which uses Google as the Identity Provider rather than GitHub) and referring to the "OAuth 2.0 web application flow" GitHub docs page to try to understand how I need to adapt the guide to work with GitHub (i.e. what GitHub endpoints and parameters I need to use).

My problem

When I POST the authorization code to https://github.com/login/oauth/access_token (the URL specified in GitHub's docs) I get back an access token and a refresh token but no ID token. I suspect this is because the GitHub docs page is meant to be used to implement a plain (non-OpenID Connect) OAuth 2.0 flow.

What I've tried

I did a lot of Googling and found these 2019 slides from PragmaticWebSecurity.com that say I need to initially redirect the user to a different endpoint (https://github.com/openid-connect/auth rather than https://github.com/login/oauth/authorize, see slide 29), but when I try to do that, I get a 404 error from GitHub. I tried emailing the guy who created those slides to ask if the endpoint had changed, but he hasn't responded to me.

These are my guesses at what the answer to my question is:

  1. GitHub doesn't support OpenID Connect / it isn't possible to get back an ID token; I need to just use the access token to query the API to get back whatever information I need about the user.
    • This would explain why I can't find any mention of social login with OpenID Connect in GitHub's docs.
  2. I have the right endpoint (https://github.com/login/oauth/access_token), but I'm missing some required parameter to get back an ID token.
  3. I have the wrong endpoint.

3 Answers


I contacted GitHub Support and got an official response: Their API doesn't support OpenID Connect for social login.

Here's their full response:

Hi Nathan,

Thanks for reaching out!

GitHub OAuth flow does not currently support the OpenID Connect functionality. You'll need to use the OAuth 2.0

https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps

Regards,

Oluwaseun GitHub Support

So, until they add support for OpenID Connect, you can refer to this write-up I did on how to implement social login using OAuth 2.0:

How do I implement social login with GitHub accounts?


As per the OpenID specification, I think you'll need to authenticate with OAuth2:

The primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated is the ID Token data structure. The ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims.

...

The OpenID Connect protocol, in abstract, follows the following steps.

  • The RP (Client) sends a request to the OpenID Provider (OP).
  • The OP authenticates the End-User and obtains authorization.
  • The OP responds with an ID Token and usually an Access Token.
  • The RP can send a request with the Access Token to the UserInfo Endpoint.
  • The UserInfo Endpoint returns Claims about the End-User.

Then you should be able to forward the token through OpenID, once you have set up the trust between the Authentication provider and the Authorization provider.

3 Comments

I don't think this actually answers the question. Which specific GitHub endpoint will provide an OIDC token?
I don't clearly understand your use case. As far as I can tell, you must set up some flow between your local auth provider and GitHub (docs.github.com/en/actions/deployment/…). At this point, the OAuth token should flow from GitHub to your local IdP with some claims (token.actions.githubusercontent.com/.well-known/…)
That first link is talking about GitHub Actions, but my question is about implementing social login. The key quote: "To update your custom actions to authenticate using OIDC, you can use getIDToken() from the Actions toolkit to request a JWT from GitHub's OIDC provider."

From your guesses 1) and 2).

GitHub OAuth apps currently do OAuth2, not OIDC. It kind of stares you in the face with the name, but I missed it as well.

I'll leave this for others researching this. OAuth2 != OIDC. Depending on your use case you might have a client library that supports both; the config will look the same, but the response is different and needs to be handled correctly.
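The flow the accepted answer points at (plain OAuth 2.0 against the authorize and access_token endpoints the question already names) and the point of the last answer (an OAuth2 token response carries no id_token and has to be handled differently from an OIDC one), as one added Python example. This is not code from the question, from any answer, or from GitHub; the client ID, redirect URI and every token value are constructed placeholders, and it builds the requests and parses constructed responses offline rather than calling GitHub.

```python
"""GitHub OAuth 2.0 social login helpers (added example, not from the original post).

GitHub OAuth Apps speak plain OAuth 2.0, so the token response never carries an
id_token.  These helpers build the authorize redirect, verify the anti-CSRF
``state`` on the callback, parse the token response in either of the two
encodings GitHub uses, and decide where the user identity has to come from.
All inputs are constructed samples; nothing here touches the network.
"""
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints from GitHub's "OAuth 2.0 web application flow" docs.
AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"
USER_API_URL = "https://api.github.com/user"

# Constructed sample token responses (placeholder tokens, not real ones).
# GitHub answers form-encoded by default and with JSON if the request sends
# "Accept: application/json"; errors come back as a 200 with an error field.
SAMPLE_FORM_RESPONSE = (
    "access_token=gho_constructedexample&scope=read%3Auser%2Cuser%3Aemail&token_type=bearer"
)
SAMPLE_JSON_RESPONSE = (
    '{"access_token":"gho_constructedexample","token_type":"bearer","scope":"read:user,user:email"}'
)
SAMPLE_ERROR_RESPONSE = "error=bad_verification_code&error_description=The+code+passed+is+incorrect+or+expired."
# What an OIDC provider (not GitHub) would return: constructed, for contrast only.
SAMPLE_OIDC_RESPONSE = '{"access_token":"at_constructed","token_type":"Bearer","id_token":"eyJ.constructed.example"}'


def build_authorize_url(client_id: str, redirect_uri: str,
                        scope: str = "read:user user:email", state: str = "") -> tuple:
    """Return (redirect URL, state).  Persist the state server-side (e.g. in the
    session) and compare it on the callback; a fresh random one is generated
    when the caller does not supply one."""
    state = state or secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the callback URL.  A state that
    does not match the stored one is rejected (login-CSRF defence); the
    comparison is constant-time to avoid leaking the expected value."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch; discarding callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request(client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """URL, headers and body for the server-side POST to TOKEN_URL.  The
    client_secret never reaches the browser; Accept asks GitHub for JSON."""
    return {
        "url": TOKEN_URL,
        "headers": {"Accept": "application/json"},
        "data": {"client_id": client_id, "client_secret": client_secret,
                 "code": code, "redirect_uri": redirect_uri},
    }


def parse_token_response(body: str, content_type: str) -> dict:
    """Fold GitHub's form-encoded or JSON token response into one dict and
    surface the error field, which GitHub sends with HTTP 200."""
    if content_type.startswith("application/json"):
        data = json.loads(body)
    else:
        data = {k: v[0] for k, v in parse_qs(body).items()}
    if "error" in data:
        raise ValueError(f"token exchange failed: {data['error']}")
    if "access_token" not in data:
        raise ValueError("no access_token in response")
    return data


def identity_source(token_data: dict) -> str:
    """Where the logged-in user's identity must come from.  A plain OAuth 2.0
    provider such as GitHub returns no id_token, so identity is fetched from the
    user API with the access token.  An OIDC provider returns an id_token whose
    signature, iss, aud, exp and nonce must be validated before any claim is
    trusted; treating the two responses alike is the mistake the answers warn about."""
    return "id_token" if "id_token" in token_data else "userinfo"


def user_request(access_token: str) -> dict:
    """Request for USER_API_URL; the Bearer token is how the session gets
    bound to a GitHub account in the absence of an ID token."""
    return {"url": USER_API_URL,
            "headers": {"Authorization": f"Bearer {access_token}",
                        "Accept": "application/vnd.github+json"}}
```

The state check and the secret-on-the-server-only token exchange are the two places a hand-rolled social login most often goes wrong; the `identity_source` split is where an OIDC client library silently misbehaves when pointed at GitHub, because there is no `id_token` to validate.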

