The example below is based on Moodle, but a similar procedure applies to any OpenID Connect (OIDC) Relying Party. The Moodle URL used here as an example is https://test.pycert.org; replace it with your own installation URL.
Log in to GitHub and register a new OAuth app.
- Application name can be anything you want.
- Homepage URL is your Moodle URL, e.g. https://test.pycert.org
- Authorization callback URL is your Moodle URL + /admin/oauth2callback.php, e.g. https://test.pycert.org/admin/oauth2callback.php
From the next page, note:
- Client ID
- Client secret (click "Generate a new client secret")
Go to Moodle and log in as admin. Under Site administration -> Authentication -> Manage authentication (https://test.pycert.org/admin/settings.php?section=manageauths) enable OAuth 2.
Go to Site administration -> Server -> OAuth 2 services and click on "Custom".
- Name - anything you want, e.g. github.
- Client ID - copied from GitHub (from your note above).
- Client secret - likewise, from your note above.
- Authenticate token requests via HTTP headers - set to true.
- Service base URL - https://github.com
- Logo URL - https://github.com/favicon.ico
- This service will be used - Login page only
- Name displayed on the login page - anything you want, e.g. github.
- Scopes included in a login request - user:email
- Scopes included in a login request for offline access - user:email
- Additional parameters included in a login request - leave empty.
- Additional parameters included in a login request for offline access - leave empty.
- Login domains - leave empty.
- Require email verification - leave checked (true).
After submitting, on the admin/tool/oauth2/issuers.php page click the "Configure endpoints" icon. Add the following endpoints (Name, URL):
- authorization_endpoint, https://github.com/login/oauth/authorize
- token_endpoint, https://github.com/login/oauth/access_token
- userinfo_endpoint, https://api.github.com/user
Log out (or use another browser, or an incognito window) and try to log in to your Moodle site using a GitHub account.
If you receive the error:
The user information returned did not contain a username and email address. The OAuth 2 service may be configured incorrectly.
it means that your email addresses are kept private in your GitHub settings ("Keep my email addresses private"). The email is then not passed from GitHub to Moodle during the OAuth flow, and since Moodle requires at least a username and an email address when creating the account, the login fails. One way to fix it is to disable "Keep my email addresses private" in GitHub.
I ended up patching core Moodle and adding an extra call to https://api.github.com/user/emails to retrieve an email.
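The two steps that trip people up in this flow are the token response (GitHub returns it form-encoded unless the client sends `Accept: application/json`) and the missing email when the profile is private. The helpers below are an added illustration of how a Relying Party can handle both; they are not Moodle core code and not the author's patch. They assume the HTTP calls to the token endpoint, https://api.github.com/user and https://api.github.com/user/emails have already been made, and the JSON bodies embedded here are constructed samples shaped like GitHub's responses (the token value is a placeholder). The security point is that only a verified address is accepted for account creation or linking, matching the "Require email verification" setting above.

```python
"""Illustrative helpers for the GitHub-as-OAuth2-provider flow.

Added example, not Moodle core code and not the author's patch. Assumes the
token and API responses have already been fetched; all sample data below is
constructed to mirror the shape of GitHub's responses.
"""
import json
from typing import Optional
from urllib.parse import parse_qs


def parse_token_response(content_type: str, body: str) -> dict:
    """Parse the token endpoint reply.

    GitHub answers form-encoded unless the request carried
    'Accept: application/json'; accepting both shapes means a wrong Accept
    header cannot silently produce an empty token.
    """
    if "application/json" in content_type:
        data = json.loads(body)
    else:
        data = {k: v[0] for k, v in parse_qs(body).items()}
    if "error" in data:
        raise ValueError(f"token endpoint error: {data['error']}")
    if not data.get("access_token"):
        raise ValueError("token response carried no access_token")
    return data


def resolve_login_email(userinfo: dict, emails: Optional[list] = None) -> Optional[str]:
    """Return the address to create or link the Moodle account with, or None.

    With 'Keep my email addresses private' enabled, /user returns
    "email": null, so the caller fetches /user/emails (scope user:email)
    and passes it in. Only the primary *verified* address is accepted:
    linking by an unverified address would let anyone register someone
    else's e-mail on GitHub and claim that Moodle account.
    """
    email = userinfo.get("email")
    if email:
        return email
    for entry in emails or []:
        if entry.get("primary") and entry.get("verified"):
            return entry["email"]
    return None


# --- constructed samples shaped like GitHub's /user and /user/emails ---
USERINFO_PUBLIC = {"login": "octocat", "id": 1, "email": "octocat@example.com"}
USERINFO_PRIVATE = {"login": "octocat", "id": 1, "email": None}
EMAILS_VERIFIED = [
    {"email": "old@example.com", "primary": False, "verified": False, "visibility": None},
    {"email": "octocat@example.com", "primary": True, "verified": True, "visibility": "private"},
]
EMAILS_UNVERIFIED = [
    {"email": "octocat@example.com", "primary": True, "verified": False, "visibility": "private"},
]
# placeholder token value, not a real credential
FORM_TOKEN_BODY = "access_token=gho_PLACEHOLDER&scope=user%3Aemail&token_type=bearer"
JSON_TOKEN_BODY = '{"access_token": "gho_PLACEHOLDER", "scope": "user:email", "token_type": "bearer"}'

if __name__ == "__main__":
    tok = parse_token_response("application/x-www-form-urlencoded", FORM_TOKEN_BODY)
    print("token type:", tok["token_type"], "scope:", tok["scope"])
    print("public profile      ->", resolve_login_email(USERINFO_PUBLIC))
    print("private, no emails  ->", resolve_login_email(USERINFO_PRIVATE))
    print("private + /emails   ->", resolve_login_email(USERINFO_PRIVATE, EMAILS_VERIFIED))
    print("private, unverified ->", resolve_login_email(USERINFO_PRIVATE, EMAILS_UNVERIFIED))
```

The last case is the one to keep: when the only primary address is unverified the function returns None and the Relying Party should refuse to create the account, which is exactly the behaviour Moodle's "Require email verification" setting asks for.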