CookbookSocial login

Add GitHub as a social login provider

Configure GitHub OAuth as an alternate login method

Prerequisites

A GitHub account.
An Olympus deployment with HTTPS (GitHub requires HTTPS for OAuth callbacks).

Step 1: Register GitHub OAuth App

GitHub → Settings → Developer Settings → OAuth Apps → New OAuth App.
Application name: "Your App via Olympus"
Homepage URL: https://app.your-domain
Authorization callback URL: https://ciam.your-domain/self-service/methods/oidc/callback/github
Register.
Note Client ID and Client Secret.

Step 2: Configure Kratos

selfservice:
  methods:
    oidc:
      enabled: true
      config:
        providers:
          - id: github
            provider: github
            client_id: <github-client-id>
            client_secret: <github-client-secret>
            scope: [user:email]
            mapper_url: file:///etc/config/kratos/oidc.github.jsonnet

oidc.github.jsonnet:

local claims = std.extVar('claims');
{
  identity: {
    traits: {
      email: claims.email,
      name: { first: claims.name },
    },
  },
}

GitHub doesn't reliably return first/last name as separate fields, it sends name as a single string. Split client-side if needed.

Same flow as Google, see Cookbook, Add Google.

Caveats

Email visibility: users with hidden email on GitHub return a noreply.github.com address. Test how your flow handles these.
No email_verified claim from GitHub. Kratos's own verification flow runs (which is good, see Security, OIDC email_verified trust).

Add a generic OIDC provider

Any standards-compliant OIDC provider Kratos doesn't have built-in support for

Add GitLab as a social login provider

Configure GitLab OAuth as an alternate login method

On this page

Prerequisites Step 1: Register GitHub OAuth App Step 2: Configure Kratos Step 3: Surface in Athena → Social Connections Caveats Related