AuthServer
GitHub OIDC
Configure GitHub OAuth social login for SqlOS AuthServer.
Use this page when you need the exact GitHub provider settings for the SqlOS AuthServer dashboard, admin API, or startup seed.
The built-in GitHub provider is managed from the same SqlOS Social Login/OIDC screen as Google, Microsoft, Apple, and custom OIDC providers. GitHub does not use OIDC discovery or ID tokens in SqlOS; SqlOS exchanges the OAuth code and then calls GitHub profile and email APIs.
Register the SqlOS provider callback URL as the GitHub OAuth App Authorization callback URL.
Default production form:
https://your-app.example.com/sqlos/auth/oidc/callbackDefault local form:
http://localhost:5062/sqlos/auth/oidc/callbackIf AuthServer.BasePath is customized, use:
{AuthServer.PublicOrigin}{AuthServer.BasePath}/oidc/callbackThe dashboard at /sqlos/admin/auth/oidc shows the exact callback URI for the current host and base path.
GitHub OAuth Apps have a single authorization callback URL. Create separate OAuth Apps for local, staging, and production when each environment has a different callback URL.
/sqlos/admin/auth/oidc.GitHubDefault scopes when left empty: read:user, user:email.
Seed the connection from AddSqlOS when you want fresh databases and preview environments to come up with GitHub login already configured:
var publicOrigin = builder.Configuration["SqlOS:PublicOrigin"]!;
builder.AddSqlOS<AppDbContext>(options =>
{
options.AuthServer.PublicOrigin = publicOrigin;
options.AuthServer.SeedGitHubConnection(
clientId: builder.Configuration["SqlOS:Oidc:GitHub:ClientId"]!,
clientSecret: builder.Configuration["SqlOS:Oidc:GitHub:ClientSecret"]!,
$"{publicOrigin}/sqlos/auth/oidc/callback");
});SeedGitHubConnection creates a SqlOSOidcConnection with:
| Field | Value |
|---|---|
| Provider type | GitHub |
| Display name | GitHub |
| Protocol | OAuthProfile |
| Authorization endpoint | https://github.com/login/oauth/authorize |
| Token endpoint | https://github.com/login/oauth/access_token |
| Profile endpoints | https://api.github.com/user and https://api.github.com/user/emails |
| Default scopes | read:user, user:email |
| Client auth method | ClientSecretPost |
curl -X POST http://localhost:5062/sqlos/admin/auth/api/oidc-connections \
-H "Content-Type: application/json" \
-d '{
"providerType": "github",
"displayName": "GitHub",
"clientId": "YOUR_GITHUB_CLIENT_ID",
"clientSecret": "YOUR_GITHUB_CLIENT_SECRET",
"allowedCallbackUris": [
"http://localhost:5062/sqlos/auth/oidc/callback"
]
}'Enable the connection:
curl -X POST http://localhost:5062/sqlos/admin/auth/api/oidc-connections/{id}/enablescope=read:user user:email./sqlos/auth/oidc/callback./user for the stable numeric GitHub user id and display profile./user/emails and requires a verified primary email address.| Error | Fix |
|---|---|
| GitHub says the callback URL is incorrect | Register the exact callback URI shown in the SqlOS dashboard. |
GitHub did not return a verified primary email address. | Ask the user to verify a primary email address in GitHub. |
| GitHub button is missing | Enable the connection and confirm /sqlos/auth/oidc/providers returns the GitHub provider. |
| Callback uses the wrong host | Set AuthServer.PublicOrigin to the public origin of the deployed app. |