github broken in 7.3.0 #1724
Comments
Also got the same issue. |
Indeed, 7.3.0 does not work but 7.2.1 does. |
I quickly checked this morning, and it seems to be coming from around The scope that was asked before was only
but now, OIDC-like scopes are requested instead (
|
For now, it seems it can be fixed by explicitly configuring the
|
We broke the defaulting of provider configuration in 7.3.0, so a lot of options need to be set manually for now. Looking to fix this for the next release, though it's good practice to set them explicitly anyway so bugs like this don't break your config. |
It would be great to document the right settings somewhere then. I haven't tried, but I'm not sure the proxy works with a different set of scopes (or at least, if this one for GitHub |
Setting the scope to |
scope to |
I've restricted access to a specific team within a specific org. Setting scope to |
I've checked the current implementation and indeed the issue is described quite well in the #1903 bug ticket. Unfortunately, when not setting the scope to "user:email read:org" inside your config file, the default scope will be set to "openid email profile", which is not recognized by GitHub. Therefore the access does not work, as your tokens will be created with insufficient permissions. As of now, it is necessary to set the scope manually in your config file: |
PR with fix: #1927 |
Hello, is this resolved in 7.4.0? |
No the fix will be part of the next release. Until then you will have to hardcode the default scope for GitHub. Changelog: |
Both in Adminer & Logging templates. See oauth2-proxy/oauth2-proxy#1724
Neither |
@chunjiw could you provide some more detail on how you configure your environment and maybe share the code snippets of your configuration files? |
@tuunit Sure!

```yaml
- args:
  - --provider=github
  - --email-domain=*
  - --cookie-domain=.int.company.com
  - --whitelist-domain=.int.company.com
  - --upstream=file:///dev/null
  - --http-address=0.0.0.0:4180
  image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
```

The ingress to oauth2-proxy spec:

```yaml
spec:
  rules:
  - host: "auth.int.company.com"
```

The ingress to my application:

```yaml
metadata:
  name: app-name
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://auth.int.company.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://auth.int.company.com/oauth2/start?rd=https://app.int.company.com"
```

I largely followed a Digital Ocean tutorial. This is working, until I change to v7.3.0 or v7.4.0, even with |
@chunjiw the issue with v7.3.0 and v7.4.0 is that the scope is always overwritten with the default OIDC scope if it has not been set via a config file. Therefore, if you want to use v7.3.0/v7.4.0 in Kubernetes you will have to create a |
I see, thank you for your explanation! I will try it out later. |
I confirm that adding |
Prefacing this comment: This is a great project and I appreciate all the work going into it! It's been so useful for me. ... but something like this should really, really be noted somewhere more visible. I'm coming from a very old oauth2_proxy version and spent hours trying to figure out what was wrong with my config, hitting GitHub rate limits due to this, etc., only to finally find this issue... Just sayin', if there is a (rather major) problem with something for well over a year, maybe add a little blurb in the docs somewhere? |
I understand this problem was solved in #1927 |
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
I think this is still a problem in the released version. |
Hi @tedder, as described here, the fix is unfortunately not yet released and 7.4.0 is also broken. The fix is on master but in no release as of now: PR with fix: #1927 |
Can we please have a release with the fix in it? |
I have created OAuth2 Proxy as a deployment:

```yaml
containers:
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.0
```

Like everyone else, I was struggling to get it working and getting the same 404 error, but for repositories, until I gave it the correct scope.

```yaml
env:
- name: OAUTH2_PROXY_SCOPE
  value: "read:user user:email repo"
```

Since we didn't want to add external users to our Org and only as collaborators to a repository - this worked for me on GH's Scope doc page was helpful - although I do with the

As for my args, in case it's helpful:

```yaml
args:
- --http-address=0.0.0.0:4180
- --upstream=file:///dev/null
- --redirect-url=https://$host/oauth2/callback
- --provider=github
- --email-domain=*
- --github-repo=OrgName/RepoName
- --code-challenge-method=S256
- --cookie-secure=true
- --cookie-refresh=1h
- --cookie-expire=24h
- --cookie-name=proxy-cookie-name
- --auth-logging=true
```

where Hopefully this helps 🤞 |
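The failure mode in this thread is a configuration one: with `--provider=github` and no `--scope` (or `OAUTH2_PROXY_SCOPE`), 7.3.0 and 7.4.0 fall back to the OIDC scope `openid email profile`, which GitHub's OAuth server does not know, and the `/user/emails` call then 404s. The following checker is an added example (not code from the oauth2-proxy project) that reproduces the decision described in the comment above about the default scope and in the comment above about `--github-repo`: it merges the `OAUTH2_PROXY_*` environment and `--flag=value` args from a Deployment, works out which GitHub scopes the configured restrictions need, and reports what is missing or unrecognised. Assumptions: `user:email` and `read:org` come from GitHub's OAuth scope documentation; the `repo` requirement for `--github-repo` is the commenter's report above, not something the maintainers confirmed here; flags taking precedence over environment variables is assumed. The sample configurations in `main` are constructed from the snippets posted in this thread.

```python
"""Lint an oauth2-proxy GitHub-provider configuration for the missing-scope
problem from oauth2-proxy issue #1724. Added example, not project code."""
from __future__ import annotations

from dataclasses import dataclass

# Scope 7.3.0/7.4.0 fell back to when --scope was unset (from the thread).
BROKEN_DEFAULT_SCOPE = "openid email profile"
# OIDC scope names; GitHub's OAuth server recognises none of them.
OIDC_SCOPES = {"openid", "email", "profile"}
ENV_PREFIX = "OAUTH2_PROXY_"


def parse_config(args: list[str], env: dict[str, str]) -> dict[str, str]:
    """Merge OAUTH2_PROXY_* env vars and --flag[=value] args into one mapping
    keyed by flag name, e.g. 'github-repo'. Flags override env (assumed)."""
    cfg: dict[str, str] = {}
    for name, value in env.items():
        if name.startswith(ENV_PREFIX):
            cfg[name[len(ENV_PREFIX):].lower().replace("_", "-")] = value
    for arg in args:
        if not arg.startswith("--"):
            continue
        key, sep, value = arg[2:].partition("=")
        cfg[key] = value if sep else "true"   # bare flag acts as boolean true
    return cfg


@dataclass
class ScopeReport:
    effective_scope: str
    missing: set[str]        # scopes needed but not requested
    unrecognised: set[str]   # OIDC scopes GitHub will not understand

    @property
    def ok(self) -> bool:
        return not self.missing and not self.unrecognised


def required_github_scopes(cfg: dict[str, str]) -> set[str]:
    """GitHub scopes the proxy needs for the restrictions that are configured."""
    required = {"user:email"}            # needed for the /user/emails lookup
    if cfg.get("github-org") or cfg.get("github-team"):
        required.add("read:org")         # org / team membership check
    if cfg.get("github-repo"):
        required.add("repo")             # collaborator check (commenter's report, assumed)
    return required


def check_github_scope(cfg: dict[str, str]) -> ScopeReport:
    """Evaluate the scope the proxy would actually send to GitHub."""
    if cfg.get("provider") != "github":
        return ScopeReport("", set(), set())   # not our provider; nothing to check
    scope = cfg.get("scope") or BROKEN_DEFAULT_SCOPE
    granted = set(scope.split())
    return ScopeReport(
        effective_scope=scope,
        missing=required_github_scopes(cfg) - granted,
        unrecognised=granted & OIDC_SCOPES,
    )


def suggested_scope(cfg: dict[str, str]) -> str:
    """Value to put in --scope / OAUTH2_PROXY_SCOPE for this configuration."""
    return " ".join(sorted(required_github_scopes(cfg)))


def main() -> None:
    # Constructed from the Deployment posted earlier in the thread: no scope set.
    broken = parse_config(
        ["--provider=github", "--email-domain=*", "--upstream=file:///dev/null",
         "--http-address=0.0.0.0:4180"], {})
    # Constructed from the later comment: repo restriction plus explicit env scope.
    fixed = parse_config(
        ["--provider=github", "--github-repo=OrgName/RepoName", "--email-domain=*"],
        {"OAUTH2_PROXY_SCOPE": "read:user user:email repo"})
    for label, cfg in (("no --scope", broken), ("explicit scope", fixed)):
        rep = check_github_scope(cfg)
        print(f"{label}: ok={rep.ok} effective={rep.effective_scope!r} "
              f"missing={sorted(rep.missing)} unrecognised={sorted(rep.unrecognised)} "
              f"suggest={suggested_scope(cfg)!r}")


if __name__ == "__main__":
    main()
```

Run it against the args and env of the Deployment before upgrading; a non-empty `missing` or `unrecognised` set is exactly the state that produced the `unexpected status "404"` in the issue description. Even on a release where the defaulting is fixed, pinning `--scope` explicitly (as the maintainer recommends above) means a future change to the defaults cannot silently drop a scope the org, team or repo check depends on.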
The issue was fixed with version 7.5.1. |
I'll have to check if we need to add additional logic to add the correct scope for repositories when using the repository restriction flag. If so that is a different issue. |
works in 7.2.1

```
[oauthproxy.go:775] Error creating session during OAuth2 callback: unexpected status "404": {"message":"Not Found","documentation_url":"https://docs.github.com/rest/reference/users#list-email-addresses-for-the-authenticated-user"}
```