In this document we will take a look at setting up "Sign in with GitHub" using ORY Kratos.
Run the Quickstart with Docker Compose:
To set up "Sign in with GitHub" you must create a GitHub OAuth2 Client.
Set the "Authorization callback URL" to:
The pattern of this URL is:
The provider ID must point to the provider's ID set in the ORY Kratos configuration file (explained in further detail at OpenID Connect and OAuth2 Credentials).
GitHub does not implement OpenID Connect. Therefore, ORY Kratos makes a request to GitHub's User API and adds that data to `std.extVar('claims')`. Check out what data is available in GitHub's Scope Docs.
Not all GitHub fields are supported, however. Check the list of supported fields in Kratos' source code.
As explained in OpenID Connect and OAuth2 Credentials, you must also create a Jsonnet code snippet for the provider. Save the code in
The following Jsonnet takes `email_primary` and maps it to
Now, enable the GitHub provider in the ORY Kratos config located at
Next, open the login endpoint of the SecureApp and you should see the GitHub Login option!
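The claims mapper step above, as an added example rather than the page's own snippet: it reads the `email_primary` claim named on this page and only copies it into the identity when GitHub reports the address as verified. The `email_verified` claim, the `nickname` claim and the `traits.email` / `traits.username` target fields are assumptions about the claims object and the identity schema in use.

```jsonnet
// Added example, not the snippet referenced on this page.
// Assumptions: the claims object carries `email_primary` (as stated on
// the page), an optional boolean `email_verified` and an optional
// `nickname`; the identity schema defines traits.email and traits.username.
local claims = {
  // Treat a missing verification flag as "not verified".
  email_verified: false,
} + std.extVar('claims');

{
  identity: {
    traits: {
      // Only copy the address when GitHub reports it as verified, so an
      // unverified address can never be linked to an existing account
      // that uses the same email as its login identifier. A field whose
      // computed name is null is omitted from the object.
      [if 'email_primary' in claims && claims.email_verified then 'email' else null]:
        claims.email_primary,
      // Carry the GitHub login name over as the username when present.
      [if 'nickname' in claims then 'username' else null]: claims.nickname,
    },
  },
}
```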
This enables login with any Azure AD directory (multi-tenant) and with personal Microsoft accounts (e.g. Skype, Xbox), depending on the settings chosen when creating the application in Azure AD.
Creating an Application in Azure AD
To set up "Sign in with Microsoft" you must first register an application with the Microsoft identity platform.
Select "Web" as the "Redirect URI" type, and set the URI to:
After the "App Registration" is created, make note of the Application ID and Directory ID at the top of the Overview page. To create the client secret, navigate to "Certificates & secrets" and click "+ New client secret". Remember to copy the secret value, as it will only be shown once.
Create a Jsonnet claims mapper as described in OpenID Connect and OAuth2 Credentials. Save the code in
Enable the Microsoft provider in the ORY Kratos config located at
Azure AD is now available as a login option in Kratos.
There are two ways to use the `microsoft` provider for authentication:
- For authenticating users in a single Azure AD directory (organisation), set the `tenant` value to either the Directory ID from the "App Registration" page, or the organisation domain. E.g.
- For authenticating any user in the Microsoft identity platform, set the `tenant` value to one of:
  - `organizations` to allow users with work or school accounts, or
  - `consumers` to allow users with personal accounts, or
  - `common` to allow both kinds of accounts.
Google, LinkedIn, Facebook
Connecting with other Social Sign In providers will be very similar to the GitHub flow. If you've managed to do it, add to this document by writing it down and making a PR! :)