| title | Set up sign-up and sign-in with a GitHub account |
|---|---|
| titleSuffix | Azure AD B2C |
| description | Provide sign-up and sign-in to customers with GitHub accounts in your applications using Azure Active Directory B2C. |
| author | garrodonnell |
| manager | CelesteDG |
| ms.service | azure-active-directory |
| ms.topic | how-to |
| ms.date | 03/10/2022 |
| ms.author | godonnell |
| ms.subservice | b2c |
| zone_pivot_groups | b2c-policy-type |
[!INCLUDE active-directory-b2c-end-of-sale-notice-b]
[!INCLUDE active-directory-b2c-choose-user-flow-or-custom-policy]
::: zone pivot="b2c-user-flow"
[!INCLUDE active-directory-b2c-public-preview]
::: zone-end
::: zone pivot="b2c-custom-policy"
Important
Starting May 2021, GitHub announced a change that impacts your Azure AD B2C custom policy federation. Due to the change, add <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item> metadata to your GitHub technical profile. For more information, see Deprecating API authentication through query parameters.
::: zone-end
[!INCLUDE active-directory-b2c-customization-prerequisites]
To enable sign-in with a GitHub account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in GitHub Developer portal. For more information, see Creating an OAuth App. If you don't already have a GitHub account, you can sign up at https://www.github.com/.
- Sign in to the GitHub Developer with your GitHub credentials.
- Select OAuth Apps and then select New OAuth App.
- Enter an Application name and your Homepage URL.
- For the Authorization callback URL, enter
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp. If you use a custom domain, enterhttps://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp. Replaceyour-domain-namewith your custom domain, andyour-tenant-namewith the name of your tenant. Use all lowercase letters when entering your tenant name even if the tenant is defined with uppercase letters in Azure AD B2C. - Click Register application.
- Copy the values of Client ID and Client Secret. You need both to add the identity provider to your tenant.
::: zone pivot="b2c-user-flow"
- Sign in to the Azure portal with an account that has at least External Identity Provider Administrator privileges.
- If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
- Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C.
- Select Identity providers, then select GitHub (Preview).
- Enter a Name. For example, GitHub.
- For the Client ID, enter the Client ID of the GitHub application that you created earlier.
- For the Client secret, enter the Client Secret that you recorded.
- Select Save.
At this point, the GitHub identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the GitHub identity provider to a user flow:
- In your Azure AD B2C tenant, select User flows.
- Click the user flow that you want to add the GitHub identity provider.
- Under the Social identity providers, select GitHub.
- Select Save.
- To test your policy, select Run user flow.
- For Application, select the web application named testapp1 that you previously registered. The Reply URL should show
https://jwt.ms. - Select the Run user flow button.
- From the sign-up or sign-in page, select GitHub to sign in with GitHub account.
If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.
::: zone-end
::: zone pivot="b2c-custom-policy"
You need to store the client secret that you previously recorded in your Azure AD B2C tenant.
- Sign in to the Azure portal.
- If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
- Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
- On the Overview page, select Identity Experience Framework.
- Select Policy Keys and then select Add.
- For Options, choose
Manual. - Enter a Name for the policy key. For example,
GitHubSecret. The prefixB2C_1A_is added automatically to the name of your key. - In Secret, enter your client secret that you previously recorded.
- For Key usage, select
Signature. - Click Create.
To enable users to sign in using a GitHub account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.
You can define a GitHub account as a claims provider by adding it to the ClaimsProviders element in the extension file of your policy.
-
Open the TrustFrameworkExtensions.xml.
-
Find the ClaimsProviders element. If it does not exist, add it under the root element.
-
Add a new ClaimsProvider as follows:
<ClaimsProvider> <Domain>github.com</Domain> <DisplayName>GitHub</DisplayName> <TechnicalProfiles> <TechnicalProfile Id="GitHub-OAuth2"> <DisplayName>GitHub</DisplayName> <Protocol Name="OAuth2" /> <Metadata> <Item Key="ProviderName">github.com</Item> <Item Key="authorization_endpoint">https://github.com/login/oauth/authorize</Item> <Item Key="AccessTokenEndpoint">https://github.com/login/oauth/access_token</Item> <Item Key="ClaimsEndpoint">https://api.github.com/user</Item> <Item Key="HttpBinding">GET</Item> <Item Key="scope">read:user user:email</Item> <Item Key="UsePolicyInRedirectUri">0</Item> <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item> <Item Key="UserAgentForClaimsExchange">CPIM-Basic/{tenant}/{policy}</Item> <!-- Update the Client ID below to the Application ID --> <Item Key="client_id">Your GitHub application ID</Item> </Metadata> <CryptographicKeys> <Key Id="client_secret" StorageReferenceId="B2C_1A_GitHubSecret"/> </CryptographicKeys> <OutputClaims> <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" /> <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" /> <OutputClaim ClaimTypeReferenceId="numericUserId" PartnerClaimType="id" /> <OutputClaim ClaimTypeReferenceId="issuerUserId" /> <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="github.com" AlwaysUseDefaultValue="true" /> <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" /> </OutputClaims> <OutputClaimsTransformations> <OutputClaimsTransformation ReferenceId="CreateIssuerUserId" /> <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/> <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/> <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/> <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/> </OutputClaimsTransformations> <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" /> </TechnicalProfile> </TechnicalProfiles> </ClaimsProvider>
-
Set client_id to the application ID from the application registration.
-
Save the file.
The GitHub technical profile requires the CreateIssuerUserId claim transformations to be added to the list of ClaimsTransformations. If you don't have a ClaimsTransformations element defined in your file, add the parent XML elements as shown below. The claims transformations also need a new claim type defined named numericUserId.
- Search for the BuildingBlocks element. If the element doesn't exist, add it.
- Locate the ClaimsSchema element. If the element doesn't exist, add it.
- Add the numericUserId claim to the ClaimsSchema element.
- Locate the ClaimsTransformations element. If the element doesn't exist, add it.
- Add the CreateIssuerUserId claims transformations to the ClaimsTransformations element.
<BuildingBlocks>
<ClaimsSchema>
<ClaimType Id="numericUserId">
<DisplayName>Numeric user Identifier</DisplayName>
<DataType>long</DataType>
</ClaimType>
</ClaimsSchema>
<ClaimsTransformations>
<ClaimsTransformation Id="CreateIssuerUserId" TransformationMethod="ConvertNumberToStringClaim">
<InputClaims>
<InputClaim ClaimTypeReferenceId="numericUserId" TransformationClaimType="inputClaim" />
</InputClaims>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="issuerUserId" TransformationClaimType="outputClaim" />
</OutputClaims>
</ClaimsTransformation>
</ClaimsTransformations>
</BuildingBlocks>[!INCLUDE active-directory-b2c-add-identity-provider-to-user-journey]
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
...
<ClaimsProviderSelection TargetClaimsExchangeId="GitHubExchange" />
</ClaimsProviderSelections>
...
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
...
<ClaimsExchanges>
<ClaimsExchange Id="GitHubExchange" TechnicalProfileReferenceId="GitHub-OAuth2" />
</ClaimsExchanges>
</OrchestrationStep>[!INCLUDE active-directory-b2c-configure-relying-party-policy]
- Select your relying party policy, for example
B2C_1A_signup_signin. - For Application, select a web application that you previously registered. The Reply URL should show
https://jwt.ms. - Select the Run now button.
- From the sign-up or sign-in page, select GitHub to sign in with GitHub account.
If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.
- Learn how to pass GitHub token to your application.
- Check out the GitHub federation Live demo, and how to pass GitHub access token Live demo
::: zone-end