Where I have an Okta flask sample app running at localhost:8080.
If the GitHub user sets email visibility to private, then idpuser.email is returned as null. I tried the fix as mentioned here; however, idpuser.id and appuser.id are also being returned as null. I know this because the user that gets created in my directory is instantiated with a null@github.example.com email address.
I found that turning on profile sourcing returns the Okta user ID in appuser.id which I find unexpected. I would expect appuser.id == idpuser.id. Is my assumption incorrect?
Even for users with email visibility set to public, I am not able to retrieve idpuser.id which is preventing me from linking GitHub users to Okta users on login using the GitHub UUID. How can I correctly retrieve idpuser.id for a Github user? Thanks in advance.
In addition I have a mapping at the bottom, to retrieve the appuser.id separately in a custom attribute.
Since you got it to work, I retried it and had the following results:
If profile sourcing is turned off for the IdP, it cannot retrieve appuser.id, and users are instantiated with the email null@github.example.com.
If profile sourcing is on, users get instantiated with some email.
However, I still cannot link users based on idpuser.id. Could you try to log in for the first time via a GitHub user, change your name on GitHub, and log in again, and see whether Okta links the GitHub user to the same Okta user? In my case it creates a new user.
I believe the appuser.id being returned (0ua4i07vhjXfT6G615d7) is an Okta ID and not a Github ID. As displayed on the screenshot above, for the same Github user two different appuser.id were retrieved. What I’m looking for is a construct similar to Google’s appuser.externalID which is unique for a Google account.
Could you please tell me if any of these results are expected? Furthermore, I realize that Github IDP support is still in early release, is there any timeline to when it will be fully published, similar to Google? I found Google IDP support to be exactly what I wanted.
Want to make sure I understand. So now you are able to get the user id, but after changing an attribute on the user in GitHub (or even if you don’t change an attribute in GH?) and log in again, a new user is created instead of linking the existing user?
For turning profile sourcing on/off, are you referring to this option in JIT Settings? For others reading this, JIT stands for “Just In Time” and refers to the process of creating a user when they log in / sign up for the first time if no user already exists.
I do not have this box checked and I was still able to get an id from GitHub.
Clarification: I am able to get A user ID. I am positive that this is the Okta ID of the user that gets created (JIT provisioned) and not the GitHub user UUID (which I retrieved using the GitHub API). The two IDs do not match.
but after changing an attribute on the user in GitHub (or even if you don’t change an attribute in GH?) and log in again, a new user is created instead of linking the existing user?
That is correct. Clarification: This only happens when the email for the user is retrieved as NULL from Github. The IDP to Okta user matching expression I’m using in the IDP settings is: idpuser.email == null ? idpuser.id + '@github.example.com' : idpuser.email
Which leads me to believe idpuser.id is not being retrieved correctly.
For turning profile sourcing on/off, are you referring to this option in JIT Settings?
Yes I am.
I do not have this box checked and I was still able to get an id from GitHub.
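To make the failure mode in the matching expression above concrete, here is a small simulation that is not part of the thread or of Okta's code. It evaluates the poster's expression `idpuser.email == null ? idpuser.id + '@github.example.com' : idpuser.email` for a few constructed GitHub IdP profiles and runs them through a deliberately simplified model of JIT linking. The one behavioural assumption is that concatenating a null attribute with a string yields the literal text "null", which is how the observed login null@github.example.com comes about; the Directory class is a toy stand-in for Okta's user store, not its real matching algorithm.

```python
"""Simulate the IdP-to-Okta matching expression from the thread.

Added example; not Okta code. Assumption: a null attribute concatenated
with a string renders as the literal "null" (this reproduces the
null@github.example.com login reported in the thread).
"""
from typing import Optional, Tuple

MATCH_DOMAIN = "github.example.com"  # domain used in the poster's expression


def el_concat(left: Optional[str], right: str) -> str:
    """Model string concatenation with a possibly-null left operand."""
    return ("null" if left is None else str(left)) + right


def match_key(idp_user: dict) -> str:
    """Evaluate: idpuser.email == null ? idpuser.id + '@<domain>' : idpuser.email"""
    email = idp_user.get("email")
    if email is None:
        return el_concat(idp_user.get("id"), "@" + MATCH_DOMAIN)
    return email


def is_per_account_key(key: str) -> bool:
    """True if the key actually identifies one GitHub account.

    The constant "null@<domain>" is produced for every user whose id and
    email are both missing, so it cannot distinguish accounts.
    """
    return key != "null@" + MATCH_DOMAIN


class Directory:
    """Toy JIT store: link on an existing login, otherwise create a user."""

    def __init__(self) -> None:
        self.users = {}  # login -> profile
        self._seq = 0

    def jit_login(self, idp_user: dict) -> Tuple[str, dict]:
        key = match_key(idp_user)
        if key in self.users:
            # Existing user: refresh mutable attributes, keep the Okta id.
            self.users[key]["name"] = idp_user.get("name")
            return "linked", self.users[key]
        self._seq += 1
        self.users[key] = {
            "login": key,
            "okta_id": f"00u{self._seq:05d}",  # constructed, not a real Okta id
            "name": idp_user.get("name"),
        }
        return "created", self.users[key]


# Constructed GitHub profiles (not real accounts).
PRIVATE_EMAIL_WITH_ID = {"id": "12345", "email": None, "name": "Alice"}
PRIVATE_EMAIL_RENAMED = {"id": "12345", "email": None, "name": "Alice B."}
PRIVATE_EMAIL_NO_ID = {"id": None, "email": None, "name": "Bob"}
PUBLIC_EMAIL = {"id": "67890", "email": "carol@example.com", "name": "Carol"}


def demo() -> dict:
    """Run the scenarios from the thread and return what happened."""
    d = Directory()
    first, u1 = d.jit_login(PRIVATE_EMAIL_WITH_ID)
    second, u2 = d.jit_login(PRIVATE_EMAIL_RENAMED)  # rename on GitHub, log in again
    return {
        "id_present_keys_match": match_key(PRIVATE_EMAIL_WITH_ID) == match_key(PRIVATE_EMAIL_RENAMED),
        "rename_links_same_user": (first, second) == ("created", "linked") and u1["okta_id"] == u2["okta_id"],
        "null_id_key": match_key(PRIVATE_EMAIL_NO_ID),
        "null_id_key_identifies_account": is_per_account_key(match_key(PRIVATE_EMAIL_NO_ID)),
        "public_email_key": match_key(PUBLIC_EMAIL),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the simulation makes is that the expression only works as a stable link key while idpuser.id is actually populated; once both id and email arrive as null, every such login evaluates to the same constant login, which is exactly the null@github.example.com value seen earlier in the thread and is not a per-account identifier at all.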
That is very interesting. Would it be possible for you to test out the following:
Add a custom attribute to your Okta user profile (call it externalId) and map the GitHub user ID to it in the GitHub IdP Profile Editor. For example:
Remove the public email from your Github user. This should prevent Okta from retrieving the email.
Log in using this user for the first time. Please provide a screenshot of what the Okta user profile looks like (with the custom attribute included).
Change the name of the user on GitHub and log in using the same user. (The reason we made the email private is so that Okta doesn’t map based on the email address; we want to force it to use idpuser.id.) Could you report back whether the same user got logged in, and provide a screenshot of the new user if one got created?
Thanks for the reply. On a second try, I was able to confirm your findings (about the id). I think I was accidentally looking at previous test data. Didn’t get to try the second login yet, but will look into the id issue and let you know what I find.