Authorize multiple Github organizations: #1349

Closed
wierzba3 opened this issue Aug 3, 2019 · 3 comments

Comments

@wierzba3

wierzba3 commented Aug 3, 2019

I want to know if it is possible to authorize multiple GitHub organizations without requiring that users set their membership status from "private" to "public"?

I discovered that because the GitHub OAuth app identity can only be associated with a single GitHub organization, if you use this OAuth app in your JHub application (like below) and whitelist a different organization to the app, a user who is a member of this other organization (and not the organization that owns the OAuth app) will not be able to get authorized to JHub unless he sets his membership status of the GitHub organization from Private (the default) to Public. I assume this is because the OAuth app implicitly has the permission to read its own organization and can see that the user is a member (even if their membership is private), but it cannot read another organization's private membership statuses.

Is it possible to add a permission scope to config.yaml such that the app requests to read the user's organization memberships (but no other user data)?

This makes for an undesirable user experience because we have to instruct users to join the GitHub organization and then go to the organization and change their membership status from Private to Public. (And we can't use one single GitHub organization because we need to separate our users into multiple groups.)

The authorization portion of my config.yaml:

```yaml
auth:
  # ...
  github:
    callbackUrl: ...
    clientId: ...
    clientSecret: ...
    org_whitelist:
    - My-Organization1
    - My-Organization2
    - ...
  scopes:
  - read:org
  type: github
```
@manics
Member

manics commented Aug 4, 2019

It should be possible, unfortunately finding a working configuration may require some trial and error: #687 (comment)

Try setting either or both of

```yaml
  scopes:
  - read:org
  - read:user
```

Existing OAuth tokens will not be changed, but you can Revoke all user tokens in your GitHub OAuth app settings.

Also check the Third-party application access policy setting on the external GitHub org; your OAuth app may need to be whitelisted by an org admin.
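The scope question in this thread comes down to what the GitHub API shows an authenticator about the logged-in user's organization memberships. The following is an added, offline illustration (not code from the issue, JupyterHub, or oauthenticator) of an org-allowlist check of the kind described above. It assumes, hypothetically, that the check calls `GET /user/orgs` with the user's OAuth token; with the `read:org` scope that listing includes private memberships, without it only public ones, which is the difference the reporter observed. `fetch_json` is injectable so the example runs against constructed responses rather than the network.

```python
"""
Added example, not part of the issue thread or of JupyterHub/oauthenticator:
models an org-allowlist authorization check and shows why a private membership
in an external org is invisible unless the token carries the read:org scope.

Assumptions (hypothetical, for illustration only):
- The check calls GET https://api.github.com/user/orgs with the user's token.
- fetch_json is injectable so the demo runs offline on constructed data.
"""
import json
import urllib.request
from typing import Callable, Iterable, List, Set

GITHUB_API = "https://api.github.com"
JsonFetcher = Callable[[str, str], list]


def github_fetch_json(url: str, token: str) -> list:
    """Real HTTP fetch (first page only). Not used by the offline demo below."""
    req = urllib.request.Request(
        url,
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "org-allowlist-example",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def user_org_logins(token: str, fetch_json: JsonFetcher = github_fetch_json) -> Set[str]:
    """Org logins GitHub is willing to show for this token, lower-cased.

    Without read:org only public memberships are listed, so a user whose
    membership in an external org is private shows up with no orgs at all.
    """
    orgs = fetch_json(f"{GITHUB_API}/user/orgs?per_page=100", token)
    return {org["login"].lower() for org in orgs}


def authorize(token: str, allowed_orgs: Iterable[str],
              fetch_json: JsonFetcher = github_fetch_json) -> List[str]:
    """Return the allowlisted orgs the user is visibly a member of (original spelling).

    An empty list means the user must be denied: either they are not a member,
    or their membership is private and the token lacks the scope to see it.
    Org logins are compared case-insensitively, as GitHub treats them.
    """
    visible = user_org_logins(token, fetch_json)
    return sorted(org for org in allowed_orgs if org.lower() in visible)


# Constructed sample data: the same user (a private member of My-Organization2,
# which is not the org that owns the OAuth app) seen through two tokens.
SAMPLE_RESPONSES = {
    "token-without-read-org": [],                        # private membership hidden
    "token-with-read-org": [{"login": "My-Organization2"}],  # read:org reveals it
}


def fake_fetch_json(url: str, token: str) -> list:
    """Offline stand-in for github_fetch_json, keyed on the constructed tokens."""
    assert url.startswith(f"{GITHUB_API}/user/orgs")
    return SAMPLE_RESPONSES[token]


if __name__ == "__main__":
    allowlist = ["My-Organization1", "My-Organization2"]
    for tok in SAMPLE_RESPONSES:
        print(tok, "->", authorize(tok, allowlist, fake_fetch_json) or "DENIED")
```

The two constructed tokens stand for the same user before and after the OAuth app is reconfigured with the extra scope and the old token is revoked; the first yields no visible orgs and a denial, the second matches `My-Organization2` without the user having to make their membership public. A real deployment would also follow `Link` pagination headers for users in many organizations.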

@consideRatio
Member

consideRatio commented Oct 7, 2020

@manics
Member

manics commented Oct 7, 2020

Shall we close this? I think this authenticator can do whatever is allowed by the available GitHub scopes. If GitHub doesn't have a scope that supports the desired combination of permissions I don't think there's anything we can do about it.

(Strictly speaking we could do something: have multiple sets of OAuth client credentials and get the user to choose the org they want to authenticate with. I think this is outside the scope of this project.)
