Feature: Add GitHub groups (orgs/teams) support #2196
@JoelSpeed new PR for #1928 @hoax I would highly appreciate a code review from your side and especially check that I didn't miss anything when rebasing our commits.
@tuunit, looks good, but did not test it yet
Reminder to myself: Rebase and fix merge conflicts
@kvanzuijlen can you give this a review? :)
LGTM
…er instances with different domain
* add nightly build and push * add date based nightly build tags * only keep single multiarch image build and push * add changelog * add images to internal docs static files * add docu for nightly builds * remove unnecessary spaces * update nightly repository
…oxy#1949) * Issue 978: Fix Custom cookie name breaks redis for session (see oauth2-proxy#978) * Issue 978: Fix Custom cookie name breaks redis for session (see oauth2-proxy#978) * Update CHANGELOG.md * Issue 978: Fix Custom cookie name breaks redis for session * Issue 978: Fix Custom cookie name breaks redis for session * Issue 978: Fix Custom cookie name breaks redis for session * Issue 978: Fix Custom cookie name breaks redis for session * Issue 978: Fix Custom cookie name breaks redis for session * Issue 978: Fix Custom cookie name breaks redis for session * Update CHANGELOG.md --------- Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Support http.AllowQuerySemicolons * Docs * Make it clear we are overriding the handler * Update documentation for allow-query-semicolons * Fix changelog format * Fix formatting --------- Co-authored-by: MickMake <github@mickmake.com>
…er instances with different domain
Is this implemented in a backwards compatible way?
Nope, it blew away our production.
I've tested it with 3 different scenarios and another user tested the feature branch as well so I'm a bit lost what happened on your end. Can you please share your config and which errors you encountered?
Hi,
Error was:
I had the same problem. It's a breaking change if/when a user specified the scope. For example, I was using this flag
@etho201 thanks for sharing. Indeed, that is the issue. We will update it in the CHANGELOG and I'll talk to @JoelSpeed if we can get a bugfix released.
@etho201 @jacek-jablonski
No problem at all. Thanks for the great work 🙂
Motivation and Context
GitHub's hierarchy is structured by organization and teams. As of now, in version 7.4.0, this hierarchy can only be used for restricting access, but the details about a user's membership are not passed through to the underlying applications behind the oauth2-proxy. Therefore, this PR's aim is to extend the GitHub provider with the functionality to expose the user's membership. As the session storage already provides the functionality to store "groups" and forward them as headers, this is a valid feature / extension and in line with other providers.
Description of the implementation details
I refactored the GitHub provider quite extensively. To ensure backwards compatibility, all the restrictions and checks are done as before. The only logical change is that instead of just fetching the org and team information when an organisation or team restriction is set, the membership information is always fetched from GitHub and added to the session's group storage.
How Has This Been Tested?
All existing GitHub tests have been corrected to accommodate the new code structure. Manual testing has been done and I already use this version of the implementation in a production environment.
Checklist:
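
The control flow described under "Description of the implementation details", as an added example that is not part of this PR or of oauth2-proxy's code: memberships are fetched on every login and stored as groups, and the org/team restriction is enforced only when one is configured. `Membership`, `Fetcher`, `Groups`, `Enrich`, the `org` / `org:team` group naming and the choice to fail closed on a fetch error are assumptions of this sketch, and the sample data is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Membership (org login -> team slugs) is constructed data standing in for GitHub's answer.
type Membership map[string][]string

// Fetcher is a hypothetical hook; a real provider would call the GitHub API.
type Fetcher func(token string) (Membership, error)

var ErrDenied = errors.New("user is not in the required org/team")

// Groups flattens memberships; "org" and "org:team" naming is an assumption.
func Groups(m Membership) []string {
	g := []string{}
	for org, teams := range m {
		g = append(g, org)
		for _, t := range teams {
			g = append(g, org+":"+t)
		}
	}
	sort.Strings(g) // map iteration order is random; sort for stable output
	return g
}

// Enrich always fetches memberships, then enforces a restriction only if one is set.
func Enrich(fetch Fetcher, token, org, team string) ([]string, error) {
	m, err := fetch(token)
	if err != nil { // example's choice: fail closed; this path now runs on every login
		return nil, fmt.Errorf("fetching memberships: %w", err)
	}
	groups, want := Groups(m), org
	if team != "" {
		want = org + ":" + team
	}
	if i := sort.SearchStrings(groups, want); want != "" && (i == len(groups) || groups[i] != want) {
		return nil, ErrDenied
	}
	return groups, nil
}

func main() {
	fetch := func(string) (Membership, error) { return Membership{"acme": {"sec"}}, nil }
	fmt.Println(Enrich(fetch, "constructed-token", "acme", "sec"))
}
```

With the fetch unconditional, a deployment that configured no restriction still depends on the membership lookup succeeding, which is the case to cover when checking a change like this for backwards compatibility.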