Configure GitHub as an Identity Provider in ZITADEL
This guides shows you how to connect GitHub as an identity provider in ZITADEL.
In ZITADEL you can connect an Identity Provider (IdP) like GitHub to your instance and provide it as default to all organizations. Also, you can register the IdP to a specific organization only. If you allow so, your organizations members can do the same in self-service.
GitHub Configuration​
Register a new application​
For GitHub browse to the Register a new OAuth application. You can find this link withing Settings - Developer Settings - - OAuth Apps.
For GitHub Enterprise go to your GitHub Enterprise home page and then to Settings - Developer Settings - OAuth Apps - Register a new application/New OAuth App
Fill in the application name and homepage URL.
You have to add the authorization callback URL, where GitHub should redirect, after the user has authenticated themselves.
In this example our test instance has the domain https://acme-gzoe4x.zitadel.cloud
.
This results in the following authorization callback URL:
https://acme-gzoe4x.zitadel.cloud/ui/login/login/externalidp/callback
To adapt this for you setup just replace the domain
Client ID and Secret​
After clicking "Register application", you see the detail page of the application you have just created. Copy the client ID directly from the detail page. Generate a new secret by clicking "Generate new client secret". Make sure to save the secret, as you will not be able to show it again.
ZITADEL Configuration​
Add custom login policy​
The login policy can be configured on two levels. Once in the default settings and this can be overwritten for each organization. The only difference is where you configure it. Go either to the settings page of a specific organization or to the default settings page. Default Settings: $YOUR-DOMAIN/ui/console/instance?id=general Organization: Choose the organization in the menu and go to $YOUR-DOMAIN/ui/console/org-settings?id=login
- Go to the Settings
- Modify your login policy in the menu "Login Behavior and Security"
- Enable the attribute "External Login allowed"
You can also change the settings through the API directly either in the default settings or on a specific organization:
Go to the IdP Providers Overview​
Go to the settings page of your instance or organization and choose "Identity Providers".
In the table you can see all the providers you have configured. Also, you see all provider templates that are available.
Select the GitHub or GitHub Enterprise Provider template.
Create a new GitHub Provider​
The GitHub provider templates have everything you need preconfigured. You only have to add the client ID and secret, you have created in the step before.
You can configure the following settings if you like, a useful default will be filled if you don't change anything:
Scopes: The scopes define which scopes will be sent to the provider, openid
, profile
, and email
are prefilled.
This information is used to create and/or update the user within ZITADEL. ZITADEL ensures that at least the openid
-scope is always sent.
Automatic creation: If this setting is enabled the user will be created automatically within ZITADEL, if it doesn't exist.
Automatic update: If this setting is enabled, the user will be updated within ZITADEL, if some user data is changed withing the provider. E.g if the lastname changes on the GitHub account, the information will be changed on the ZITADEL account on the next login.
Account creation allowed: This setting determines if account creation within ZITADEL is allowed or not.
Account linking allowed: This setting determines if account linking is allowed. When logging in with a GitHub account, a linkable ZITADEL account has to exist already.
Either account creation or account linking have to be enabled. Otherwise, the provider can't be used.
Activate IdP​
Once you created the provider, it is listed in the providers overview. Activate it by selecting the tick with the tooltip set as available.
If you deactivate a provider, your users with links to it will not be able to authenticate anymore. You can reactivate it and the logins will work again.
The provider can also be activated via API. As the identity providers are sub-resources of the login settings, this is done by linking the provider to the settings:
Test the setup​
To test the setup, use incognito mode and browse to your login page. You see a new button which redirects you to your GitHub login screen.
By default, ZITADEL shows what you define in the default settings. If you overwrite the default settings for an organization, you need to send the organization scope in your auth request.
The organization scope looks like this: urn:zitadel:iam:org:id:{id}
.
You can read more about the reserved scopes
or use the ZITADEL OIDC Playground to see what happens with the login when you send different scopes.
New unlinked users are presented with the screen below. GitHub is an OAuth provider and does not provide a standardized way to get the user data. This means that ZITADEL has no way to prefill the first and lastname fields.
Optional: Add ZITADEL action to autofill userdata​
You can use a ZITADEL action if you want to prefill the fields firstname and lastname with GitHub data.
- Go to the users target organizations settings page.
- Add a new action with the body below. Make sure the action name equals the scripts function name. Also change the id in the script to match your provider configurations id.
- Add the action to the flow "External Authentication" and trigger it on "Post Authentication"
loading...