GitHub provider documentation

| Feature                 | OIDC support |
|-------------------------|--------------|
| PKCE                    | ❌           |
| Nonce                   | ❌           |
| State                   | ✅           |
| Access Token validation | ❌           |
| ID Token validation     | ❌           |

Introduction

GitHub is not strictly an OIDC provider, but it can be used as one. Make sure that token validation is disabled and that you keep the `skipAccessTokenParsing` option set to `true`.

Prefer a GitHub App over a legacy OAuth app: OAuth apps don't provide the same level of security, have no granular permissions, don't provide refresh tokens, and are not tested.

Make sure to set the callback URL in your OAuth app settings to `<your-domain>/auth/github`.

Example Configuration

Never store sensitive values like your client secret in your Nuxt config. Our recommendation is to inject at least the client ID and client secret via environment variables.

nuxt.config.ts

```ts
export default defineNuxtConfig({
  oidc: {
    providers: {
      github: {
        redirectUri: 'http://localhost:3000/auth/github/callback',
        // Left empty on purpose: the values are injected at runtime from
        // NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_ID / _CLIENT_SECRET (see below).
        clientId: '',
        clientSecret: '',
        // Only these fields of the GitHub user object are kept in the session.
        filterUserInfo: ['login', 'id', 'avatar_url', 'name', 'email'],
      },
    },
  },
})
```

Environment variables

Dotenv files are only for (local) development. Use a proper configuration management or injection system in production.

.env

```dotenv
NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_SECRET=CLIENT_SECRET
NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_ID=CLIENT_ID
```
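The following is an added illustration, not code from nuxt-oidc-auth or Nuxt, of why the config above keeps `clientId` and `clientSecret` as empty strings: Nuxt only overrides runtime config keys that already exist, mapping each camelCase key to an upper snake-case segment under the `NUXT_` prefix, so `NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_SECRET` lands on `oidc.providers.github.clientSecret`. The `applyEnvOverrides` walk is a simplified model of that documented behaviour (an assumption, not Nuxt's implementation), and `checkGithubCredentials` is a hypothetical startup check that refuses empty credentials or the `.env` placeholder value. The sample environment values are constructed.

```javascript
// Added example (not Nuxt's or nuxt-oidc-auth's code). Models how NUXT_*
// environment variables override existing runtime config keys, then checks
// that the GitHub provider's credentials really arrived from the environment.

// Mirror of the page's provider config. The empty strings are deliberate
// placeholders: a key must exist before an environment variable can override it.
const runtimeConfig = {
  oidc: {
    providers: {
      github: {
        redirectUri: 'http://localhost:3000/auth/github/callback',
        clientId: '',
        clientSecret: '',
        filterUserInfo: ['login', 'id', 'avatar_url', 'name', 'email'],
      },
    },
  },
};

// camelCase -> UPPER_SNAKE, e.g. clientSecret -> CLIENT_SECRET
function toEnvSegment(key) {
  return key.replace(/([a-z0-9])([A-Z])/g, '$1_$2').toUpperCase();
}

// Simplified model (assumption) of Nuxt's env override rule: walk the existing
// config; for every string leaf, look up <prefix>_<PATH> in env and replace the
// value if the variable is set. Keys absent from the config are never created,
// and array leaves (filterUserInfo) are left untouched.
function applyEnvOverrides(config, env, prefix) {
  const out = { ...config };
  for (const [key, value] of Object.entries(config)) {
    const envKey = `${prefix}_${toEnvSegment(key)}`;
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      out[key] = applyEnvOverrides(value, env, envKey);
    } else if (typeof value === 'string' && typeof env[envKey] === 'string') {
      out[key] = env[envKey];
    }
  }
  return out;
}

// Hypothetical startup check: return a list of problems (empty when OK) so the
// app can refuse to boot with missing or placeholder GitHub credentials.
function checkGithubCredentials(resolved) {
  const { clientId, clientSecret } = resolved.oidc.providers.github;
  const problems = [];
  if (!clientId) problems.push('clientId is empty');
  if (!clientSecret) problems.push('clientSecret is empty');
  if (clientSecret === 'CLIENT_SECRET') problems.push('clientSecret is the .env placeholder');
  return problems;
}

// Resolve the page's config against a given environment (defaults to process.env).
function resolveFromEnv(env = process.env) {
  return applyEnvOverrides(runtimeConfig, env, 'NUXT');
}

// Constructed sample environment, as a production secret injector would provide it.
const sampleEnv = {
  NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_ID: 'Iv1.exampleclientid',
  NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_SECRET: 'example-secret-value',
};

const resolvedSample = resolveFromEnv(sampleEnv);
const startupProblems = checkGithubCredentials(resolvedSample);
if (startupProblems.length > 0) {
  console.error('GitHub provider misconfigured:', startupProblems.join('; '));
} else {
  console.log('GitHub provider credentials resolved from environment');
}
```

Running the block with `sampleEnv` reports the credentials as resolved; running `checkGithubCredentials(resolveFromEnv({}))` against an empty environment returns two problems, which is the failure mode you want to surface at startup rather than at the first login attempt.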

Copyright © 2024