Can't authenticate with GitHub
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] This issue affects my Ory Cloud project.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
I'm trying to follow the setup guide for GitHub on Ory Cloud, but cannot seem to get authentication working. When GitHub redirects back to the callback, Ory consistently raises this error:
This is even though I believe I've configured the correct scopes on both the Ory side (user:email) and the GitHub side:
Reproducing the bug
Follow the GitHub tutorial to create a social provider integration with a GitHub app.
Relevant log output
No response
Relevant configuration
No response
Version
Cloud
On which operating system are you observing this issue?
No response
In which environment are you deploying?
Ory Cloud
Additional Context
No response
Could you share your project slug please? :) And can you also share what permissions you have accepted in the github oauth flow?
Did you also include the jsonnet to map the email addresses?
```jsonnet
local claims = {
  email_verified: false,
} + std.extVar('claims');
{
  identity: {
    traits: {
      // Allowing unverified email addresses enables account
      // enumeration attacks, especially if the value is used for
      // e.g. verification or as a password login identifier.
      //
      // Therefore we only return the email if it (a) exists and (b) is marked verified
      // by GitHub.
      [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
    },
  },
}
```
I just set up github login at a fresh project and it worked fine with the jsonnet.
Did you set up a GitHub app or an OAuth app?
Project slug: lucid-wilson-ffhd3viquj
Yes I included jsonnet. I set up a GitHub app with OAuth enabled.
Hello morgante,
this is definitely an issue with the GitHub app. With an OAuth app I have no issue, when using a GitHub app I encounter the error you get above. Currently investigating if there is a quick fix.
Yes, I think you have to use an OAuth2 app for this to work, GitHub app will not work as far as I know :/
@morgante there is an extra provider called github-app, you just can't configure it through the GUI.
You just need to change the provider to github-app in your config. You can export the config through the CLI, change it and then upload it again.
This is my working config https://crazy-ellis-0i15g80nvt.projects.oryapis.com/ui/registration
```json
"oidc": {
  "config": {
    "providers": [
      {
        "client_id": "Iv1.554f1d75379b0a58",
        "client_secret": "0199assadasdasda68dbf04e0d426408917479",
        "id": "github",
        "label": "GitHub App",
        "mapper_url": "https://storage.googleapis.com/bac-gcs-production/7402672d77d0cb88150f30171f02aca8e034b76337d84a99f019b171b903b450672b8d99d2f17155af8073e43086e128799d8105f2b123bd8c28ec3fcfb888ab.jsonnet",
        "provider": "github-app",
        "scope": [
          "user:email"
        ]
      }
    ]
  },
  "enabled": true
}
```
You can get it like so
```shell
ory list projects
# get the project id (something like 34c4b33c-c7f6-424e-ac69-ea13414a260)
ory get identity-config 34c4b33c-c7f6-424e-ac69-ea13414a260 --format json-pretty
# you get the json config, make your changes, save in config.yml
ory update identity-config 34c4b33c-c7f6-424e-ac69-ea13414a260 -f config.yml
# update the config, don't change the github provider in the GUI, that messes it up
```
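
The "make your changes" step from the comment above, as an added example that is not part of the original thread or Ory's tooling: it switches one provider entry to `github-app` in an exported config and masks `client_secret` values in a copy meant for sharing. The function names, the `selfservice.methods` nesting in the sample, and all sample values are assumptions constructed for illustration.

```python
import copy
import json

# Constructed sample export; the nesting above "oidc" and all values are assumptions.
SAMPLE_EXPORT = json.loads("""
{"selfservice": {"methods": {"oidc": {"enabled": true, "config": {"providers": [
  {"id": "github", "provider": "github", "client_id": "PLACEHOLDER_ID",
   "client_secret": "PLACEHOLDER_SECRET", "scope": ["user:email"]},
  {"id": "google", "provider": "google", "client_id": "PLACEHOLDER_ID_2",
   "client_secret": "PLACEHOLDER_SECRET_2", "scope": ["email"]}
]}}}}}
""")


def find_oidc_providers(node):
    """Yield each providers list at an "oidc" -> "config" -> "providers" path."""
    if isinstance(node, dict):
        oidc = node.get("oidc")
        cfg = oidc.get("config") if isinstance(oidc, dict) else None
        if isinstance(cfg, dict) and isinstance(cfg.get("providers"), list):
            yield cfg["providers"]
        children = node.values()
    else:
        children = node if isinstance(node, list) else []
    for child in children:
        yield from find_oidc_providers(child)


def switch_provider(config, provider_id, new_type="github-app"):
    """Return a copy of config with one provider entry's "provider" changed."""
    updated = copy.deepcopy(config)
    hits = [p for plist in find_oidc_providers(updated) for p in plist
            if isinstance(p, dict) and p.get("id") == provider_id]
    if len(hits) != 1:  # refuse to guess when the id is missing or duplicated
        raise ValueError(f"expected one provider {provider_id!r}, found {len(hits)}")
    hits[0]["provider"] = new_type
    return updated


def redact_secrets(config):
    """Return a copy with every client_secret masked, for sharing in an issue."""
    redacted = copy.deepcopy(config)
    for plist in find_oidc_providers(redacted):
        for p in plist:
            if isinstance(p, dict) and "client_secret" in p:
                p["client_secret"] = "REDACTED"
    return redacted
```

Load the output of `ory get identity-config` with `json.load`, pass it through `switch_provider`, and write the result to the file given to `ory update identity-config`.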