oidc-github.client

Client-side GitHub OAuth integration.

Provides convenience wrappers around GitHub’s OAuth flow with sensible defaults for scopes and endpoints. Wraps the lower-level oidc client library.

authorization-url

(authorization-url config state)
(authorization-url {:keys [client-id redirect-uri scopes enterprise-url]} state nonce)

Generates a GitHub OAuth authorization URL.

Takes a configuration map, a state string, and an optional nonce. Returns the URL that the user should be redirected to for GitHub authentication.

The configuration should include:

- :client-id - GitHub OAuth App client ID
- :redirect-uri - Where GitHub should redirect after authorization
- :scopes - Vector of OAuth scopes (defaults to “user:email” “read:user” “read:org”)
- :enterprise-url - Base URL for GitHub Enterprise (optional)

The state parameter should be a unique, unguessable string to prevent CSRF attacks.

Example:

(authorization-url
  {:client-id "abc123"
   :redirect-uri "https://app.com/callback"
   :scopes ["user:email"]}
  "random-state-value")

exchange-code

(exchange-code {:keys [client-id client-secret redirect-uri enterprise-url]} code)

Exchanges an authorization code for an access token.

Makes a POST request to GitHub’s token endpoint with the authorization code received from the OAuth callback. Returns a map containing:

- :access_token - The access token string
- :token_type - Token type (typically “bearer”)
- :scope - Space-separated string of granted scopes

Example:

(exchange-code
  {:client-id "abc123"
   :client-secret "secret"
   :redirect-uri "https://app.com/callback"}
  "code-from-github-callback")

fetch-user

(fetch-user access-token)
(fetch-user access-token enterprise-url)

Fetches GitHub user information using an access token.

Returns a map containing all available GitHub user data including profile, emails, and organization memberships. This data can be transformed into OIDC claims using oidc-github.claims/github->oidc-claims.

Example:

(def user-data (fetch-user "ghp_abc123"))
(def claims (claims/github->oidc-claims user-data))

refresh-token

(refresh-token _config _refresh-token)

Refreshes an access token using a refresh token.

Note: GitHub OAuth Apps do not support refresh tokens, so this function will throw an exception. This is provided for API completeness. If you need refresh tokens, you must use a GitHub App (not OAuth App) which has different authentication flows.