After setting up Github as an IdP, I am not receiving the user’s email address from Github, despite requesting the user:email scope.
Per the Github IdP documentation (Social Login | Okta Developer) I am setting the username to:
idpuser.email == null ? idpuser.externalId + '@github.example.com' : idpuser.email
Also per the docs, I am mapping the Okta user’s email field to:
appuser.email == null ? appuser.externalId + '@github.example.com' : appuser.email
Both of these end up being e.g. 123456@github.example.com
Is there a way I could see all of the fields available in idpuser or appuser? Maybe there is a different one I should use?
Our documentation mentions that not all users will have an actual email sent in the email claim, which is why the expression from our documentation can be used to construct a placeholder email.
GitHub doesn’t always provide email addresses for users that it authenticates, such as when the GitHub setting Keep email addresses private is enabled. However, Okta requires an email address for its users to be able to sign in. You can support users who don’t have email addresses by using information from GitHub to generate email addresses for them.
If you’re testing with your own Github account, you should be able to confirm if you have this setting turned on yourself under Settings → Emails
In spite of that setting, it is possible to retrieve a user’s email address via the Github API, using the Github OAuth token that Okta would have access to during the OAuth flow. In other words, the only reason this field would be empty in the end is because Okta is not making a Github API request that specifically retrieves it.
edit: example https://stackoverflow.com/a/69825519
The only requests Okta will make to Github are to request the tokens and to read the user’s profile information. If their email information is available, but at a different endpoint, I don’t see evidence that we have designed our implementation to call it
