Provider
GitHub
GitHub provider documentation
Feature/OIDC support
❌ PKCE
❌ Nonce
✅ State
❌ Access Token validation
❌ ID Token validation
Introduction
GitHub is not strictly an OIDC provider, but it can be used as one. Make sure that token validation is disabled and that you keep the skipAccessTokenParsing option set to true: GitHub issues no ID token and its access token is an opaque string, not a JWT that could be parsed or validated.
Prefer a GitHub App over a legacy OAuth App. OAuth Apps don't provide the same level of security, have no granular permissions, don't provide refresh tokens and are not tested with this module.
Make sure to set the callback URL in your OAuth app settings as <your-domain>/auth/github.
Example Configuration
Never store sensitive values like your client secret in your Nuxt config. Our recommendation is to inject at least the client ID and client secret via environment variables.
nuxt.config.ts
export default defineNuxtConfig({
  oidc: {
    providers: {
      github: {
        // Local callback route the module handles after GitHub redirects back
        redirectUri: 'http://localhost:3000/auth/github/callback',
        // Left empty on purpose: supplied at runtime via NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_ID / _CLIENT_SECRET
        clientId: '',
        clientSecret: '',
        // Only these fields of the GitHub user object are kept in the session
        filterUserInfo: ['login', 'id', 'avatar_url', 'name', 'email'],
      },
    },
  },
})
Environment variables
Dotenv files are for (local) development only. Use a proper configuration management or secret injection system in production.
.env
NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_SECRET=CLIENT_SECRET
NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_ID=CLIENT_ID
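To show how the two sections above fit together, here is an added example (not code from nuxt-oidc-auth) that re-implements, in simplified form, the Nuxt runtime-config convention by which `NUXT_OIDC_PROVIDERS_GITHUB_*` variables override the empty `clientId`/`clientSecret` of the `github` block, and then checks that no secret was hardcoded and that both values arrived from the environment. The `Config` type, `applyEnv`, `checkGithubConfig` and the sample environment are constructed for this illustration.

```typescript
// Added example: simplified model of Nuxt's env-to-runtimeConfig override.
type Config = { [key: string]: string | boolean | string[] | Config };

// The provider block from nuxt.config.ts above: secrets intentionally empty.
const githubProvider: Config = {
  redirectUri: 'http://localhost:3000/auth/github/callback',
  clientId: '',
  clientSecret: '',
  filterUserInfo: ['login', 'id', 'avatar_url', 'name', 'email'],
};
const rawConfig: Config = { oidc: { providers: { github: githubProvider } } };

// camelCase key -> SCREAMING_SNAKE segment, e.g. clientSecret -> CLIENT_SECRET
function envSegment(key: string): string {
  return key.replace(/([a-z0-9])([A-Z])/g, '$1_$2').toUpperCase();
}

// Variable name for a config path, e.g. oidc.providers.github.clientSecret
// -> NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_SECRET (the names used in .env above)
function envName(path: string[]): string {
  return ['NUXT', ...path.map(envSegment)].join('_');
}

// Walk the config; every string leaf is replaced by its env variable when set.
function applyEnv(cfg: Config, env: Record<string, string | undefined>, path: string[] = []): Config {
  const out: Config = {};
  for (const [k, v] of Object.entries(cfg)) {
    const p = [...path, k];
    if (typeof v === 'string') out[k] = env[envName(p)] ?? v;
    else if (Array.isArray(v) || typeof v === 'boolean') out[k] = v;
    else out[k] = applyEnv(v, env, p);
  }
  return out;
}

function githubBlock(cfg: Config): Config {
  return ((cfg.oidc as Config).providers as Config).github as Config;
}

// Checks the page's two requirements: nothing secret in the file, both values present at runtime.
function checkGithubConfig(raw: Config, resolved: Config): string[] {
  const problems: string[] = [];
  if (githubBlock(raw).clientSecret !== '') problems.push('clientSecret is hardcoded in nuxt.config.ts');
  if (!githubBlock(resolved).clientId) problems.push('clientId missing: set NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_ID');
  if (!githubBlock(resolved).clientSecret) problems.push('clientSecret missing: set NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_SECRET');
  return problems;
}

// Constructed environment standing in for the .env file shown on this page.
const sampleEnv = { NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_ID: 'CLIENT_ID', NUXT_OIDC_PROVIDERS_GITHUB_CLIENT_SECRET: 'CLIENT_SECRET' };
const resolvedConfig = applyEnv(rawConfig, sampleEnv);
```

Running `checkGithubConfig(rawConfig, applyEnv(rawConfig, process.env))` at startup makes a missing or misnamed variable fail loudly instead of producing a provider with an empty secret.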