
github broken in 7.3.0 #1724

Closed
masterkain opened this issue Jul 13, 2022 · 28 comments
Comments

@masterkain

works in 7.2.1

[oauthproxy.go:775] Error creating session during OAuth2 callback: unexpected status "404": {"message":"Not Found","documentation_url":"https://docs.github.com/rest/reference/users#list-email-addresses-for-the-authenticated-user"}

@sergeyshaykhullin

Also got the same issue

@rpardini

indeed, 7.3.0 does not work but 7.2.1 does.
using github_org config, not team or user.
seems to be related to scopes: after downgrade, GH authorization page says "would like additional permissions to... Email addresses (read-only)" -- so possibly user:email scope is not being included when used with orgs in 7.3.0.

@multani

multani commented Jul 29, 2022

I quickly checked this morning, and it seems to be coming from around 1f992b3 or 82710a7 (1f992b3 doesn't build here). #1555 and/or #1560 when the provider's initialization code was refactored.

The scope that was asked before was only user:email:

https://github.com/login/oauth/authorize?approval_prompt=force&client_id=XXX&redirect_uri=http://127.0.0.1:8000/oauth2/callback&response_type=code&scope=user:email&state=YYY

but now, OIDC-like scopes are requested instead (openid email profile):

https://github.com/login/oauth/authorize?approval_prompt=force&client_id=XXX&redirect_uri=http://127.0.0.1:8000/oauth2/callback&response_type=code&scope=openid email profile&state=YYY

@multani

multani commented Jul 29, 2022

For now, it seems it can be fixed by explicitly configuring the user:email scope with either:

  • the configuration flag --scope="user:email"
  • the environment variable OAUTH2_PROXY_SCOPE="user:email"
  • or the configuration file's setting scope = "user:email"

@JoelSpeed
Member

We broke the defaulting of provider configuration in 7.3.0, so a lot of options need to be set manually for now. Looking to fix this for the next release, though it's good practice to set them explicitly anyway so bugs like this don't break your config.

@JoelSpeed JoelSpeed added the bug label Aug 8, 2022
tbouska added a commit to buvis/clusters that referenced this issue Aug 11, 2022
@multani

multani commented Aug 15, 2022

though it's good practice to set them explicitly anyway so bugs like this don't break your config

It would be great to document the right settings somewhere then. I haven't tried, but I'm not sure the proxy works with a different set of scopes (or at least, if this one for GitHub, user:email, is missing), and it can be a bit hard to guess which values are supposed to be there (and I suppose they are different for every authentication provider...)

@BrynM

BrynM commented Sep 15, 2022

Setting the scope to user:email as a workaround in the config did not work for a GH Enterprise (v3.5.5) install. I had to revert to 7.2.1 and remove that setting completely.

@kodeine

kodeine commented Nov 14, 2022

Setting the scope to user:email did not work for me.

@jimeh

jimeh commented Nov 14, 2022

I've restricted access to a specific team within a specific org. Setting scope to user:email read:user read:org worked for me.

@tuunit
Member

tuunit commented Dec 14, 2022

I've checked the current implementation and indeed the issue is described quite well in the #1903 bug ticket. Unfortunately, when not setting the scope to "user:email read:org" inside your config file, the default scope will be set to "openid email profile", which is not recognized by GitHub. Therefore the access does not work, as your tokens will be created with insufficient permissions.

As of now, it is necessary to set the scope manually in your config file:
scope = "user:email read:org"

@tuunit
Member

tuunit commented Dec 14, 2022

PR with fix: #1927

@ghost

ghost commented Feb 2, 2023

Hello,

Is this resolved in 7.4.0?

@tuunit
Member

tuunit commented Feb 2, 2023

Hello,

Is this resolved in 7.4.0?

No the fix will be part of the next release. Until then you will have to hardcode the default scope for GitHub.

Changelog:
https://github.com/oauth2-proxy/oauth2-proxy/blob/master/CHANGELOG.md

axeal added a commit to axeal/manifests that referenced this issue Feb 9, 2023
Sanqui added a commit to Sanqui/oauth2-proxy that referenced this issue Feb 9, 2023
matiasgarciaisaia added a commit to instedd/rancher-catalog that referenced this issue Feb 10, 2023
Both in Adminer & Logging templates.

See oauth2-proxy/oauth2-proxy#1724
@chunjiw

chunjiw commented Mar 2, 2023

Neither "user:email read:org" nor "user:email" works for me.

@tuunit
Member

tuunit commented Mar 2, 2023

@chunjiw could you provide some more detail on how you configure your environment, and maybe share the code snippets of your configuration files?

@chunjiw

chunjiw commented Mar 2, 2023

@tuunit Sure!
oauth2-proxy is installed as a deployment in a kubernetes cluster, running in a container:

        - args:
            - --provider=github
            - --email-domain=*
            - --cookie-domain=.int.company.com
            - --whitelist-domain=.int.company.com
            - --upstream=file:///dev/null
            - --http-address=0.0.0.0:4180
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1

The ingress to oauth2-proxy spec:

spec:
  rules:
    - host: "auth.int.company.com"

The ingress to my application:

metadata:
  name: app-name
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://auth.int.company.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://auth.int.company.com/oauth2/start?rd=https://app.int.company.com"

I largely followed a Digital Ocean tutorial.

This is working, until I change to v7.3.0 or v7.4.0, even with user:email read:org

@tuunit
Member

tuunit commented Mar 2, 2023

@chunjiw the issue with v7.3.0 and v7.4.0 is that the scope is always overwritten with the default OIDC scope if it has not been set via a config file. Therefore, if you want to use v7.3/4.0 in Kubernetes you will have to create a ConfigMap including an oauth2-proxy config file, mount it in your deployment, and replace the arguments in your deployment with the config file.

@chunjiw

chunjiw commented Mar 2, 2023

I see, thank you for your explanation! I will try it out later.

@chunjiw

chunjiw commented Mar 2, 2023

I confirm that adding user:email to config file instead of using args works without issue. Thank you!
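The ConfigMap workaround tuunit describes above (and chunjiw confirms here), written out as an added example; these are not the project's manifests nor any commenter's files. The resource names, the ORG_PLACEHOLDER org, the oauth2-proxy-secrets Secret and its key names are assumptions for the example, and the domains and flags mirror the deployment chunjiw posted. The config-file keys (provider, scope, github_org, email_domains, upstreams, http_address, cookie_domains, whitelist_domains) and the OAUTH2_PROXY_* environment variables are oauth2-proxy's own names; the point is that on v7.3.0/v7.4.0 the scope line must live in the file selected by --config, because a --scope argument is overwritten by the OIDC default.

```yaml
# Added example: explicit GitHub scope via a mounted config file (v7.3.0 / v7.4.0 workaround).
apiVersion: v1
kind: ConfigMap
metadata:
  name: oauth2-proxy-config        # assumed name
data:
  oauth2-proxy.cfg: |
    # Scope set explicitly so the proxy never falls back to "openid email profile",
    # which GitHub does not understand (the /user/emails call then 404s).
    # user:email -> read the verified e-mail list; read:org -> check org membership.
    provider = "github"
    scope = "user:email read:org"
    github_org = "ORG_PLACEHOLDER"  # assumed: replace with the org you restrict to
    email_domains = ["*"]
    upstreams = ["file:///dev/null"]
    http_address = "0.0.0.0:4180"
    cookie_domains = [".int.company.com"]
    whitelist_domains = [".int.company.com"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy               # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
          args:
            # All provider settings come from the file; no --scope on the command line.
            - --config=/etc/oauth2-proxy/oauth2-proxy.cfg
          env:
            # Credentials stay out of the ConfigMap and come from a Secret (assumed name/keys).
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom:
                secretKeyRef: {name: oauth2-proxy-secrets, key: client-id}
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef: {name: oauth2-proxy-secrets, key: client-secret}
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom:
                secretKeyRef: {name: oauth2-proxy-secrets, key: cookie-secret}
          ports:
            - containerPort: 4180
          volumeMounts:
            - name: config
              mountPath: /etc/oauth2-proxy
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: oauth2-proxy-config
```

Keep the scope to what the restriction actually needs: read:org only when github_org or a team restriction is in use, and the broader set reported later in this thread for --github-repo (read:user user:email repo) only when restricting by repository, since each extra scope widens what a stolen proxy token can do. A quick check after rollout is to look at the GitHub authorization page the proxy redirects to: it should ask for "Email addresses (read-only)" (and org access when read:org is set), exactly as rpardini observed on 7.2.1; if it asks for nothing, the scope line is not being read.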

@someburner

Prefacing this comment: This is a great project and I appreciate all the work going into it! It's been so useful for me.

... but something like this should really really be noted somewhere more visible. I'm coming from a very old oauth2_proxy version and spent hours trying to figure out what was wrong with my config, hitting github rate limits due to this, etc, only to finally find this issue...

Just sayin' if there is a (rather major) problem with something for well over a year, maybe add a little blurb in the docs somewhere?

@batazor

batazor commented May 24, 2023

I understand this problem was solved in #1927
Maybe a new release of a new version should be released?

@github-actions
Contributor

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

@github-actions github-actions bot added the Stale label Jul 25, 2023
@tedder

tedder commented Jul 25, 2023

I think this is still a problem in the released version.

@tuunit
Member

tuunit commented Jul 25, 2023

Hello,
Is this resolved in 7.4.0?

No the fix will be part of the next release. Until then you will have to hardcode the default scope for GitHub.

Changelog: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/CHANGELOG.md

Hi @tedder,

as described here, the fix is unfortunately not yet released and 7.4.0 is also broken.

The fix is on master but in no release as of now:

PR with fix: #1927

@github-actions github-actions bot removed the Stale label Jul 26, 2023
@bit-herder

Can we please have a release with the fix in it?

@BnJam

BnJam commented Sep 22, 2023

I have created OAuth2 Proxy as a deployment

containers:
 - image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.0

Like everyone else, I was struggling to get it working and getting the same 404 Error, but for repositories, until I gave it the correct scope.

env:
- name: OAUTH2_PROXY_SCOPE
  value: "read:user user:email repo"

Since we didn't want to add external users to our Org and only as collaborators to a repository - this worked for me on v7.5.0

GH's Scope doc page was helpful - although I do wish the repo scope was more restrictive.
https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps

As for my args, in case it's helpful:

args:
        - --http-address=0.0.0.0:4180
        - --upstream=file:///dev/null
        - --redirect-url=https://$host/oauth2/callback
        - --provider=github
        - --email-domain=*
        - --github-repo=OrgName/RepoName
        - --code-challenge-method=S256
        - --cookie-secure=true
        - --cookie-refresh=1h
        - --cookie-expire=24h
        - --cookie-name=proxy-cookie-name
        - --auth-logging=true

where $host, OrgName/RepoName, and proxy-cookie-name are filled in with my specific values ($host is my proxy address)

Hopefully this helps 🤞

@tuunit
Member

tuunit commented Sep 22, 2023

the issue was fixed with version 7.5.1

@tuunit tuunit closed this as completed Sep 22, 2023
@tuunit
Member

tuunit commented Sep 22, 2023

I have created OAuth2 Proxy as a deployment

containers:
 - image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.0

Like everyone else, I was struggling to get it working and getting the same 404 Error, but for repositories, until I gave it the correct scope.

env:
- name: OAUTH2_PROXY_SCOPE
  value: "read:user user:email repo"

Since we didn't want to add external users to our Org and only as collaborators to a repository - this worked for me on v7.5.0

GH's Scope doc page was helpful - although I do wish the repo scope was more restrictive. https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps

As for my args, in case it's helpful:

args:
        - --http-address=0.0.0.0:4180
        - --upstream=file:///dev/null
        - --redirect-url=https://$host/oauth2/callback
        - --provider=github
        - --email-domain=*
        - --github-repo=OrgName/RepoName
        - --code-challenge-method=S256
        - --cookie-secure=true
        - --cookie-refresh=1h
        - --cookie-expire=24h
        - --cookie-name=proxy-cookie-name
        - --auth-logging=true

where $host, OrgName/RepoName, and proxy-cookie-name are filled in with my specific values ($host is my proxy address)

Hopefully this helps 🤞

I'll have to check if we need to add additional logic to add the correct scope for repositories when using the repository restriction flag. If so that is a different issue.
