Feature: Add GitHub groups (orgs/teams) support #2196
JoelSpeed merged 12 commits into oauth2-proxy:master from
@JoelSpeed new PR for #1928 @hoax I would highly appreciate a code review from your side and especially check that I didn't miss anything when rebasing our commits.
@tuunit, looks good, but did not test it yet
tuunit left a comment:
Reminder to myself: Rebase and fix merge conflicts
@kvanzuijlen can you give this a review? :)
…er instances with different domain
* add nightly build and push * add date based nightly build tags * only keep single multiarch image build and push * add changelog * add images to internal docs static files * add docu for nightly builds * remove unnecessary spaces * update nightly repository
…oxy#1949) * Issue 978: Fix Custom cookie name breaks redis for session (see oauth2-proxy#978) * Issue 978: Fix Custom cookie name breaks redis for session (see oauth2-proxy#978) * Update CHANGELOG.md * Issue 978: Fix Custom cookie name breaks redis for session * Issue 978: Fix Custom cookie name breaks redis for session * Issue 978: Fix Custom cookie name breaks redis for session * Issue 978: Fix Custom cookie name breaks redis for session * Issue 978: Fix Custom cookie name breaks redis for session * Issue 978: Fix Custom cookie name breaks redis for session * Update CHANGELOG.md --------- Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Support http.AllowQuerySemicolons * Docs * Make it clear we are overriding the handler * Update documentation for allow-query-semicolons * Fix changelog format * Fix formatting --------- Co-authored-by: MickMake <github@mickmake.com>
…er instances with different domain
JoelSpeed left a comment:
Is this implemented in a backwards compatible way?
Nope, it blew away our production.
I've tested it with 3 different scenarios and another user tested the feature branch as well so I'm a bit lost what happened on your end. Can you please share your config and which errors you encountered?
Hi,
Error was:
I had the same problem. It's a breaking change if/when a user specified the scope. For example, I was using this flag
@etho201 thanks for sharing. Indeed that is the issue we will update it in the CHANGELOG and I'll talk to @JoelSpeed if we can get a bugfix released.
@etho201 @jacek-jablonski
No problem at all. Thanks for the great work 🙂
Motivation and Context
GitHub's hierarchy is structured by organization and teams. As of now, in version 7.4.0, this hierarchy can only be used for restricting access, but the details about a user's membership are not passed through to the underlying applications behind the oauth2-proxy. Therefore, this PR's aim is to extend the GitHub provider with the functionality to expose the user's membership. As the session storage already provides the functionality to store "groups" and forward them as headers, this is a valid feature / extension and in line with other providers.
Description of the implementation details
I refactored the GitHub provider quite extensively. To ensure backwards compatibility, all the restrictions and checks are done as before. The only logical change is that instead of just fetching the org and team information when an organisation or team restriction is set, the membership information is always fetched from GitHub and added to the session's group storage.
How Has This Been Tested?
All existing GitHub tests have been corrected to accommodate the new code structure. Manual testing has been done and I already use this version of the implementation in a production environment.
Checklist: