Sign in with a GitHub App
For GitHub sign-in generally, see the canonical page, "Add GitHub as a social sign-in provider in Ory". This page documents the GitHub App variant specifically (distinct from GitHub OAuth Apps); the primary doc covers the OAuth App flow and points to this page for the App variant.
This integration is community-maintained, not part of Ory's officially supported social sign-in providers. Reference implementation: ory/integrates/social-sign-in/github-app. Contributions welcome.
You can let users sign in with a GitHub App instead of the older OAuth Apps flow. GitHub Apps offer fine-grained per-repository permissions, per-installation rate limits, and JWT-based server-to-server authentication. Use this variant when your product needs to act on a GitHub installation's behalf in addition to identifying the user.
This is a variant of the standard GitHub provider. The OIDC flow is identical; the difference is on the GitHub side, where you register an App instead of an OAuth App.
When to use this over the regular github provider
| | OAuth App (github) | GitHub App (this) |
|---|---|---|
| Permissions | Broad scopes | Fine-grained, per-repo |
| Rate limits | 5,000/hr per user | 5,000/hr per installation |
| Server-to-server | Not supported | JWT-based |
| Webhooks | Limited | Rich events |
Setup
- Create a GitHub App at github.com/settings/apps/new. Set the callback URL to Ory's redirect URI, enable "Request user authorization (OAuth) during installation", configure the required permissions, and generate a `.pem` key (used for server-to-server, not by Ory).
- Configure the provider via the Ory CLI with `provider: github` and `id: github-app`.
Server-to-server access, where your application acts as the app itself, is out of scope for the Ory provider. Your application
code mints a JWT signed with the .pem key and exchanges it at GitHub for an installation token.
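An added example (not code from Ory or from the reference implementation) of the server-to-server step described above, in Go: it mints the App JWT and builds, without sending, the request that exchanges it for an installation token. The key is a constructed throwaway, `123456` and `7890` are placeholder App and installation IDs, and the claims and endpoint are the ones GitHub documents for App authentication.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key, stands in for the .pem key

// MintAppJWT signs the short-lived RS256 JWT that authenticates as the App.
func MintAppJWT(key *rsa.PrivateKey, issuer string, now time.Time) (string, error) {
	enc := base64.RawURLEncoding
	claims, _ := json.Marshal(map[string]any{ // string and int64 values cannot fail to marshal
		"iss": issuer,                            // App ID from the App's settings page
		"iat": now.Add(-60 * time.Second).Unix(), // backdated to tolerate clock drift
		"exp": now.Add(9 * time.Minute).Unix(),   // GitHub allows at most 10 minutes
	})
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// InstallationTokenRequest builds, without sending, the token exchange call.
// The integer ID keeps caller input from altering the URL path.
func InstallationTokenRequest(jwt string, installationID int64) (*http.Request, error) {
	url := fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installationID)
	req, err := http.NewRequest(http.MethodPost, url, nil)
	if err == nil {
		req.Header.Set("Authorization", "Bearer "+jwt)
		req.Header.Set("Accept", "application/vnd.github+json")
	}
	return req, err
}

func main() {
	jwt, _ := MintAppJWT(demoKey, "123456", time.Now()) // placeholder App ID
	req, _ := InstallationTokenRequest(jwt, 7890)       // placeholder installation ID
	fmt.Println(req.Method, req.URL, "JWT length:", len(jwt))
}
```

In a real deployment the key is parsed from the `.pem` file with `encoding/pem` and `crypto/x509`, and the file is kept out of source control and out of the Ory provider configuration.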
Resources
- GitHub Apps documentation
- Authenticating with a GitHub App
- Reference implementation: ory/integrates/social-sign-in/github-app
