in Software Development

OWIN OAuth provider for GitHub

Turns out I had some extra time on my hands – or maybe I am just procrastinating.  Either way I have extended the authentication providers for OWIN which I wrote about yesterday to now also include a provider for GitHub.  Not sure how much this will be used, but sometimes I like to write code just because I can.  The mere act of coding gives me pleasure :)  In any case, if you are developing an application which is used by developers then this may come in handy.

If you are not familiar with ASP.NET Identity I suggest you start of by reading the article entitled Create an ASP.NET MVC 5 App with Facebook and Google OAuth2 and OpenID Sign-on on the ASP.NET website.

First of all you will need to install the NuGet package, so:


Registering application in GitHub

In order to use GitHub as an OAuth provider you will first need to register an application in GitHub.

Log in to GitHub and click on the Account Settings icon next to your profile


On the navigation bar select Applications and click on Register new Application.


Complete the information for your application.  Please note however that your will need to supply the correct Authorization Callback URL.  To do that your will need to specify the root URL for your application with the path signin-github appended to it, as displayed in the screenshot below.  It is important that you specify the correct URL as GitHub will validate the callback URL it receives from the OWIN authentication middleware against what you specified when you registered your application.


Once you have completed the required fields you can click on Register Application.  GitHub will display the summary of the application, along with the Client ID and Client Secret.  Take note of these two fields as you will need them to register the GitHub authentication provider below.


 Register the provider

To register the provider in your MVC 5 application you would have had to install the NuGet package already.  The next step is to head on over to App_Start\Startup.Auth.cs file and make sure that you include the namespace for the provider.

And finally register the provider in the ConfigureAuth method using the Client ID and Client Secret supplied by GitHub:

The code

The code for the provider is located at  If you experience any issues, please fork, fix and send me a pull request.  Also feel free to use the same repository if you would like to add providers for other services.  Anyone up for adding VKontakte or Sina Weibo?


  • Toby Evans

    Hey Jerrie,

    you saved my brain – I’ve been trying to get OpenAM OAuth working from MVC for about a month, it finally makes sense!

    I’ve built a crude OpenAM provider, but am I right in thinking there is a *lot* of code duplication in the providers in GitHub?

    • Jerrie Pelser

      Hi Toby,

      Yes, there is a lot of duplication across the code for the various providers. All of the ones I have worked with so far is just different enough that I think it will be difficult to base them all on specific base class with shared functionality. Even if you look at the source code for the standard ones which are provided by MS, you will see that they also did not bother to try and isolate shared code into a standard base class.

      Maybe someone can do it, but from what I have seen so far it would not be worth the effort, I think.

      • Toby Evans

        Fair enough, I’ll have a go, but what is bothering me at the moment is how to persist my access and refresh tokens. I get my JSON response back from OpenAM, and I want to use them for accessing an API, not just for logging into my local sit e using that external ID. I’ve tried adding the tokens as claims, but they seem to get lost, only the login name persists and ASP identity takes over …

        • Jerrie Pelser

          Toby, please reference this blog post in which I describe exactly how to persist the OAuth tokens:

          • Toby Evans

            brilliant, thanks. Had to edit it slightly, but that is exactly what I was looking for to get started, thanks

          • Toby Evans

            Hey Jerrie,

            that’s working a charm now, I’m really pleased. But can I ask another question please? I’m using OpenAM as my OAuth server, so the access token is time limited. I’m going to be using it as a Bearer token to access an API, and at some point the token is going to expire. When it does, I’m intending on using the refresh token. I know how to do all these things in DotNetOpenAuth, but is there going to be a way to integrate all this into the OWIN provider as above?

            Or is it the case that this method is just for authenticating the user externally, then any token refresh has to be manually done?


          • Jerrie Pelser

            Hi Toby,

            Yeah I do not think that the refresh of the token is the responsibility of the authentication provider, as its only purpose is authenticating the user. If your token needs refreshing periodically then you will need to do it manually.