Retry the login

28a2b53b · alvachien · c7039c3c · 28a2b53b · 28a2b53b · 28a2b53b
12 changed file
--- a/auth-server-demo/pom.xml
+++ b/auth-server-demo/pom.xml
@@ -48,6 +48,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-validation</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-client</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>

--- a/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/config/AuthorizationServerConfig.java
+++ b/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/config/AuthorizationServerConfig.java
@@ -5,6 +5,8 @@ import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.proc.SecurityContext;
+import com.poc.alvachien.authserverdemo.security.IdentityConfigurer;
+import com.poc.alvachien.authserverdemo.security.IdentityIdTokenCustomizer;

 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
@@ -16,15 +18,22 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
+import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
+import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
+import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;


 @Configuration(proxyBeanMethods = false)
@@ -36,24 +45,21 @@ public class AuthorizationServerConfig {
 		http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
 			.oidc(Customizer.withDefaults());	// Enable OpenID Connect 1.0

-		http
-			.exceptionHandling(exceptions ->
-				exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
-			)
-			.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
+		// http
+		// 	.exceptionHandling(exceptions ->
+		// 		exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
+		// 	)
+		// 	.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
+		http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
+		http.apply(new IdentityConfigurer());

 		return http.build();
 	}

-	// @Bean
-	// public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate, RegisteredClientRepository registeredClientRepository) {
-	// 	return new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
-	// }
-
-	// @Bean
-	// public OAuth2AuthorizationConsentService authorizationConsentService(JdbcTemplate jdbcTemplate, RegisteredClientRepository registeredClientRepository) {
-	// 	return new JdbcOAuth2AuthorizationConsentService(jdbcTemplate, registeredClientRepository);
-	// }
+	@Bean
+	public OAuth2TokenCustomizer<JwtEncodingContext> idTokenCustomizer() {
+		return new IdentityIdTokenCustomizer();
+	}

 	@Bean 
 	public JWKSource<SecurityContext> jwkSource() {
@@ -88,7 +94,6 @@ public class AuthorizationServerConfig {

 	@Bean 
 	public AuthorizationServerSettings authorizationServerSettings() {
-		return AuthorizationServerSettings.builder()
-			.build();
+		return AuthorizationServerSettings.builder().build();
 	}
 }
--- a/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/config/SecurityConfig.java
+++ b/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/config/SecurityConfig.java
@@ -15,6 +15,8 @@ import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.proc.SecurityContext;
+import com.poc.alvachien.authserverdemo.security.IdentityConfigurer;
+import com.poc.alvachien.authserverdemo.security.UserRepositoryOAuth2UserHandler;
 import com.poc.alvachien.authserverdemo.service.MyUserDetailsService;

 import org.springframework.context.ApplicationEventPublisher;
@@ -172,23 +174,34 @@ public class SecurityConfig {
 	
 	@Bean
 	SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
+		// http
+		// 	.authorizeHttpRequests(authorize ->
+		// 		authorize.anyRequest().authenticated()
+		// 	)
+		// 	.formLogin(withDefaults());
+		// 	// // Try to customize the login page
+		// 	// .formLogin(
+		// 	// 	form -> form.loginPage("/login").successForwardUrl("/")
+		// 	// )
+		// 	// .logout(
+		// 	// 	form -> form.logoutUrl("/logout").permitAll()
+		// 	// )
+		// 	// .authorizeHttpRequests(
+		// 	// 	requests -> requests.requestMatchers("/", "/home", "/login**", "/static/**", "/logout**").permitAll()
+		// 	// 						.anyRequest().authenticated()
+        //     // );
+		// 	;
+		IdentityConfigurer federatedIdentityConfigurer = new IdentityConfigurer()
+			.oauth2UserHandler(new UserRepositoryOAuth2UserHandler());
+
 		http
 			.authorizeHttpRequests(authorize ->
-				authorize.anyRequest().authenticated()
+				authorize
+					.requestMatchers("/", "/home", "/login**", "/static/**").permitAll()
+					.anyRequest().authenticated()
 			)
-			.formLogin(withDefaults());
-			// // Try to customize the login page
-			// .formLogin(
-			// 	form -> form.loginPage("/login").successForwardUrl("/")
-			// )
-			// .logout(
-			// 	form -> form.logoutUrl("/logout").permitAll()
-			// )
-			// .authorizeHttpRequests(
-			// 	requests -> requests.requestMatchers("/", "/home", "/login**", "/static/**", "/logout**").permitAll()
-			// 						.anyRequest().authenticated()
-            // );
-			;
+			.formLogin(Customizer.withDefaults())
+			.apply(federatedIdentityConfigurer);
 		
 		return http.build();
 	}

--- a/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/controller/LoginController.java
+++ b/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/controller/LoginController.java
+package com.poc.alvachien.authserverdemo.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class LoginController {
+
+	@GetMapping("/login")
+	public String login() {
+		return "login";
+	}
+}
--- a/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/controller/MainController.java
+++ b/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/controller/MainController.java
@@ -39,12 +39,6 @@ public class MainController {
        return "home";
    }
    
-    @GetMapping("/login")
-    public String loginForm(Model model) {
-        log.info("Requiring /login");
-        return "login";
-    }
-
    // @GetMapping("/login")
    // public String loginForm(Model model) {
    //     log.info("Requiring /login");

--- a/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/security/IdentityAuthenticationEntryPoint.java
+++ b/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/security/IdentityAuthenticationEntryPoint.java
+package com.poc.alvachien.authserverdemo.security;
+
+import java.io.IOException;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.http.server.ServletServerHttpRequest;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.DefaultRedirectStrategy;
+import org.springframework.security.web.RedirectStrategy;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
+import org.springframework.web.util.UriComponentsBuilder;
+
+
+public class IdentityAuthenticationEntryPoint  implements AuthenticationEntryPoint {
+
+	private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
+
+	private String authorizationRequestUri = OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI
+			+ "/{registrationId}";
+
+	private final AuthenticationEntryPoint delegate;
+
+	private final ClientRegistrationRepository clientRegistrationRepository;
+
+	public IdentityAuthenticationEntryPoint(String loginPageUrl, ClientRegistrationRepository clientRegistrationRepository) {
+		this.delegate = new LoginUrlAuthenticationEntryPoint(loginPageUrl);
+		this.clientRegistrationRepository = clientRegistrationRepository;
+	}
+
+	@Override
+	public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authenticationException) throws IOException, ServletException {
+		String idp = request.getParameter("idp");
+		if (idp != null) {
+			ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(idp);
+			if (clientRegistration != null) {
+				String redirectUri = UriComponentsBuilder.fromHttpRequest(new ServletServerHttpRequest(request))
+						.replaceQuery(null)
+						.replacePath(this.authorizationRequestUri)
+						.buildAndExpand(clientRegistration.getRegistrationId())
+						.toUriString();
+				this.redirectStrategy.sendRedirect(request, response, redirectUri);
+				return;
+			}
+		}
+
+		this.delegate.commence(request, response, authenticationException);
+	}
+
+	public void setAuthorizationRequestUri(String authorizationRequestUri) {
+		this.authorizationRequestUri = authorizationRequestUri;
+	}
+}
+
--- a/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/security/IdentityAuthenticationSuccessHandler.java
+++ b/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/security/IdentityAuthenticationSuccessHandler.java
+package com.poc.alvachien.authserverdemo.security;
+
+import java.io.IOException;
+import java.util.function.Consumer;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+
+
+public final class IdentityAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
+
+	private final AuthenticationSuccessHandler delegate = new SavedRequestAwareAuthenticationSuccessHandler();
+
+	private Consumer<OAuth2User> oauth2UserHandler = (user) -> {};
+
+	private Consumer<OidcUser> oidcUserHandler = (user) -> this.oauth2UserHandler.accept(user);
+
+	@Override
+	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
+		if (authentication instanceof OAuth2AuthenticationToken) {
+			if (authentication.getPrincipal() instanceof OidcUser) {
+				this.oidcUserHandler.accept((OidcUser) authentication.getPrincipal());
+			} else if (authentication.getPrincipal() instanceof OAuth2User) {
+				this.oauth2UserHandler.accept((OAuth2User) authentication.getPrincipal());
+			}
+		}
+
+		this.delegate.onAuthenticationSuccess(request, response, authentication);
+	}
+
+	public void setOAuth2UserHandler(Consumer<OAuth2User> oauth2UserHandler) {
+		this.oauth2UserHandler = oauth2UserHandler;
+	}
+
+	public void setOidcUserHandler(Consumer<OidcUser> oidcUserHandler) {
+		this.oidcUserHandler = oidcUserHandler;
+	}
+
+}
--- a/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/security/IdentityConfigurer.java
+++ b/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/security/IdentityConfigurer.java
+package com.poc.alvachien.authserverdemo.security;
+
+import java.util.function.Consumer;
+
+import org.springframework.context.ApplicationContext;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.util.Assert;
+
+public class IdentityConfigurer extends AbstractHttpConfigurer<IdentityConfigurer, HttpSecurity> {
+
+	private String loginPageUrl = "/login";
+
+	private String authorizationRequestUri;
+
+	private Consumer<OAuth2User> oauth2UserHandler;
+
+	private Consumer<OidcUser> oidcUserHandler;
+
+	/**
+	 * @param loginPageUrl The URL of the login page, defaults to {@code "/login"}
+	 * @return This configurer for additional configuration
+	 */
+	public IdentityConfigurer loginPageUrl(String loginPageUrl) {
+		Assert.hasText(loginPageUrl, "loginPageUrl cannot be empty");
+		this.loginPageUrl = loginPageUrl;
+		return this;
+	}
+
+	/**
+	 * @param authorizationRequestUri The authorization request URI for initiating
+	 * the login flow with an external IDP, defaults to {@code
+	 * "/oauth2/authorization/{registrationId}"}
+	 * @return This configurer for additional configuration
+	 */
+	public IdentityConfigurer authorizationRequestUri(String authorizationRequestUri) {
+		Assert.hasText(authorizationRequestUri, "authorizationRequestUri cannot be empty");
+		this.authorizationRequestUri = authorizationRequestUri;
+		return this;
+	}
+
+	/**
+	 * @param oauth2UserHandler The {@link Consumer} for performing JIT account provisioning
+	 * with an OAuth 2.0 IDP
+	 * @return This configurer for additional configuration
+	 */
+	public IdentityConfigurer oauth2UserHandler(Consumer<OAuth2User> oauth2UserHandler) {
+		Assert.notNull(oauth2UserHandler, "oauth2UserHandler cannot be null");
+		this.oauth2UserHandler = oauth2UserHandler;
+		return this;
+	}
+
+	/**
+	 * @param oidcUserHandler The {@link Consumer} for performing JIT account provisioning
+	 * with an OpenID Connect 1.0 IDP
+	 * @return This configurer for additional configuration
+	 */
+	public IdentityConfigurer oidcUserHandler(Consumer<OidcUser> oidcUserHandler) {
+		Assert.notNull(oidcUserHandler, "oidcUserHandler cannot be null");
+		this.oidcUserHandler = oidcUserHandler;
+		return this;
+	}
+
+	// @formatter:off
+	@Override
+	public void init(HttpSecurity http) throws Exception {
+		ApplicationContext applicationContext = http.getSharedObject(ApplicationContext.class);
+		ClientRegistrationRepository clientRegistrationRepository = applicationContext.getBean(ClientRegistrationRepository.class);
+		IdentityAuthenticationEntryPoint authenticationEntryPoint = new IdentityAuthenticationEntryPoint(this.loginPageUrl, clientRegistrationRepository);
+		if (this.authorizationRequestUri != null) {
+			authenticationEntryPoint.setAuthorizationRequestUri(this.authorizationRequestUri);
+		}
+
+		IdentityAuthenticationSuccessHandler authenticationSuccessHandler = new IdentityAuthenticationSuccessHandler();
+		if (this.oauth2UserHandler != null) {
+			authenticationSuccessHandler.setOAuth2UserHandler(this.oauth2UserHandler);
+		}
+		if (this.oidcUserHandler != null) {
+			authenticationSuccessHandler.setOidcUserHandler(this.oidcUserHandler);
+		}
+
+		http
+			.exceptionHandling(exceptionHandling ->
+				exceptionHandling.authenticationEntryPoint(authenticationEntryPoint)
+			)
+			.oauth2Login(oauth2Login -> {
+				oauth2Login.successHandler(authenticationSuccessHandler);
+				if (this.authorizationRequestUri != null) {
+					String baseUri = this.authorizationRequestUri.replace("/{registrationId}", "");
+					oauth2Login.authorizationEndpoint(authorizationEndpoint ->
+						authorizationEndpoint.baseUri(baseUri)
+					);
+				}
+			});
+	}
+
+}
--- a/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/security/IdentityIdTokenCustomizer.java
+++ b/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/security/IdentityIdTokenCustomizer.java
+package com.poc.alvachien.authserverdemo.security;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
+
+public class IdentityIdTokenCustomizer implements OAuth2TokenCustomizer<JwtEncodingContext> {
+
+    private static final Set<String> ID_TOKEN_CLAIMS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
+        IdTokenClaimNames.ISS,
+        IdTokenClaimNames.SUB,
+        IdTokenClaimNames.AUD,
+        IdTokenClaimNames.EXP,
+        IdTokenClaimNames.IAT,
+        IdTokenClaimNames.AUTH_TIME,
+        IdTokenClaimNames.NONCE,
+        IdTokenClaimNames.ACR,
+        IdTokenClaimNames.AMR,
+        IdTokenClaimNames.AZP,
+        IdTokenClaimNames.AT_HASH,
+        IdTokenClaimNames.C_HASH)));
+
+    @Override
+    public void customize(JwtEncodingContext context) {
+        if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
+            Map<String, Object> thirdPartyClaims = extractClaims(context.getPrincipal());
+            context.getClaims().claims(existingClaims -> {
+                // Remove conflicting claims set by this authorization server
+                existingClaims.keySet().forEach(thirdPartyClaims::remove);
+
+                // Remove standard id_token claims that could cause problems with clients
+                ID_TOKEN_CLAIMS.forEach(thirdPartyClaims::remove);
+
+                // Add all other claims directly to id_token
+                existingClaims.putAll(thirdPartyClaims);
+            });
+        }
+    }
+
+    private Map<String, Object> extractClaims(Authentication principal) {
+        Map<String, Object> claims;
+        if (principal.getPrincipal() instanceof OidcUser) {
+            OidcUser oidcUser = (OidcUser) principal.getPrincipal();
+            OidcIdToken idToken = oidcUser.getIdToken();
+            claims = idToken.getClaims();
+        } else if (principal.getPrincipal() instanceof OAuth2User) {
+            OAuth2User oauth2User = (OAuth2User) principal.getPrincipal();
+            claims = oauth2User.getAttributes();
+        } else {
+            claims = Collections.emptyMap();
+        }
+
+        return new HashMap<>(claims);
+    }
+
+}
--- a/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/security/UserRepositoryOAuth2UserHandler.java
+++ b/auth-server-demo/src/main/java/com/poc/alvachien/authserverdemo/security/UserRepositoryOAuth2UserHandler.java
+package com.poc.alvachien.authserverdemo.security;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.function.Consumer;
+
+import org.springframework.security.oauth2.core.user.OAuth2User;
+
+public final class UserRepositoryOAuth2UserHandler implements Consumer<OAuth2User> {
+
+	private final UserRepository userRepository = new UserRepository();
+
+	@Override
+	public void accept(OAuth2User user) {
+		// Capture user in a local data store on first authentication
+		if (this.userRepository.findByName(user.getName()) == null) {
+			System.out.println("Saving first-time user: name=" + user.getName() + ", claims=" + user.getAttributes() + ", authorities=" + user.getAuthorities());
+			this.userRepository.save(user);
+		}
+	}
+
+	static class UserRepository {
+
+		private final Map<String, OAuth2User> userCache = new ConcurrentHashMap<>();
+
+		public OAuth2User findByName(String name) {
+			return this.userCache.get(name);
+		}
+
+		public void save(OAuth2User oauth2User) {
+			this.userCache.put(oauth2User.getName(), oauth2User);
+		}
+
+	}
+}
+
--- a/auth-server-demo/src/main/resources/application.properties
+++ b/auth-server-demo/src/main/resources/application.properties
@@ -5,6 +5,12 @@ spring.mvc.static-path-pattern=/static/**
 #thymeleaf
 spring.thymeleaf.cache=false

+spring.security.oauth2.client.registration.github-idp.provider=github
+spring.security.oauth2.client.registration.github-idp.client-id=test
+spring.security.oauth2.client.registration.github-idp.client-secret=test
+spring.security.oauth2.client.registration.github-idp.scope.user=email
+spring.security.oauth2.client.registration.github-idp.client-name=Sign in with GitHub
+spring.security.oauth2.client.registration.provider.github.user-name-attribute=login

 spring.jpa.hibernate.ddl-auto=update
 spring.datasource.url=jdbc:sqlserver://localhost;encrypt=true;database=authdemo;integratedSecurity=true;trustServerCertificate=true

--- a/auth-server-demo/src/main/resources/templates/login.html
+++ b/auth-server-demo/src/main/resources/templates/login.html
@@ -31,6 +31,12 @@
        </div>

        <button class="w-100 btn btn-lg btn-primary" type="submit">Sign in</button>
+  
+        <a class="btn btn-light btn-block bg-white" href="/oauth2/authorization/github-idp" role="link" style="text-transform: none;">
+          <img width="24" style="margin-right: 5px;" alt="Sign in with GitHub" src="https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png" />
+          Sign in with Github
+        </a>
+
      </form>

      <!-- <form method="post" role="form" th:action="@{/login}" th:object="${login}">