A new extension, "GitHub OAuth" is now available for download. Comments and feedback can be left here but if you discover any issues, please post it on the issue tracker.

GitHub OAuth


  1. Download the GitHub OAuth extension and upload the githuboauth folder to the extensions folder.
  2. Enable the extension by selecting GitHub OAuth in the list and choose Enable from the with-selected menu, then click Apply.
  3. Edit the application credentials and scope in the Preferences screen


After installing this extension and providing the required information you can use it by adding the GitHub Authentication event to one of your pages.

The event is triggered automatically and will redirect the user to the GitHub login page. Upon granting permission the user is redirected back to the application and the authentication token is retrieved.

A github event is added to the event XML in your page output. If the authentication is successful, the token is added as attribute.

It is advised to only use this token server-side. Based on the application scope it might provide read/write access to User information and repositories on GitHub. You can either retrieve it from the event list or access the 'tokenvalue from thegithub` session cookie in your custom events.

Would be cool to see this integrated with the Members extension

This looks awesome and solves one of the big hurdles I need to cross for a side project that's been in my head for some time. Thank you :-)

Out of interest, what are you using it for?

Maybe it is better if Members implements generic OAuth support?

@Nick: I will be using it for the symphony-dev environment. The plan is to give extension developers a personal mysql database and automated access to multiple Symphony versions on multiple php versions (see

What an awesome idea! Regarding integration with the Members extension, it probably wouldn't be too difficult. Use the extension to integrate OpenID with the Members extension as an example.

I've been trying for half an hour to get this working. I'm not sure which URLs to add in to the URL and Callback URL fields in my Github Application, and the two GitHub Redirection URLs in this extension's preferences. I can see there is a content.authorize.php in the extension, but no idea how to use it.

Could you give a very quick explanation of how it slots together please>

Yeah sure, sorry there has been a lack of documentation here, it is still in BETA.

The scheme is as follows:

  1. GitHub Authentication events causes redirect to GitHub with client_id, redirect_uri(1) and scope parameters.
  2. GitHub asks user to log in and allow access for the provided scope
  3. GitHub redirects to redirect_uri(1) with a code parameter
  4. The redirect page (1) should transform this code into a authentication token by doing a POST to GitHub including client_id, client_secret and the provide code parameters. The HTTP result of that POST contains the token. This token can be placed in a session cookie.
  5. The redirect page (1) performs a redirect to the second redirect page (2)

This extension comes with the 'GitHub Authentication' event and a authorize content page. The authorize content page can be used as redirect (1). It will accept the code parameter from GitHub and transform it into a token which is saved in a github session cookie.

If you wish to use this, use http://[hostname]/symphony/extension/githuboauth/authorize/ as your first redirect URL.

You can also decide to write your own PHP script that will transform the code into a token (for instance because you don't want to use PECL http). That is why I left the field empty.

The second redirect URL in the preferences screen should be used to define where the user will be redirected after the token has been acquired. Normally this would be your home page or the user account page.

Does this help?

You can see it working at

If you want I can give you an account for the Symphony backend for to see how it is setup.

This extension comes with the 'GitHub Authentication' event and a authorize content page. The authorize content page can be used as redirect (1)

Aha that's the bit I was missing! Lastly, what is the callback URL specific in the Github (.com) Application preferences? Is that ignored in favour of the URL passed from the extension?

Yes, that is an optional field that will be used as default value if the optional redirect_uri parameter is not provided. Currently, the GitHub OAuth extension will always add this parameter, even if you leave it empty in the preferences screen, so the GitHub(.com) value is always ignored.

I should actually fix that behavior and not add the parameter if the value is empty (and add '(optional)' in the field description on the preferences screen).

I replaced your POST code with a CURL request, but it's all working smoothly. Cheers :-)

If you share the code I will integrate it and allow users to choose between PECL http and CURL.

There is another issue you might want to think about: currently, the cookie is set with an expiration date of 2 weeks. I didn't manage to find out how long the token is valid, so the @logged-in attribute value is not reliable yet, except for the fact that someone succeeded to authenticate with GitHub within the last 2 weeks :)

I don't think they expire.

I'll fork and add that, and a couple of other changes, that I needed.

I've sent a pull request:

  • CURL support
  • output the token into param pool, useful for Dynamic XML DSs to the Github API
  • added support for logging out (clearing cookie)

Create an account or sign in to comment.

Symphony • Open Source XSLT CMS

Server Requirements

  • PHP 5.3-5.6 or 7.0-7.3
  • PHP's LibXML module, with the XSLT extension enabled (--with-xsl)
  • MySQL 5.5 or above
  • An Apache or Litespeed webserver
  • Apache's mod_rewrite module or equivalent

Compatible Hosts

Sign in

Login details