Skip to content

Add support for GitHub OAuth2 authentication #2901

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

Add support for GitHub OAuth2 authentication #2901

Copilot wants to merge 4 commits into from
+269 −56

Conversation

Copy link
Contributor

Copilot AI commented Dec 19, 2025
edited
Loading

Pelican assumed OIDC with full discovery support. GitHub implements OAuth2 without OIDC extensions, causing three failure modes: metadata discovery overriding explicit endpoints, ID token parsing crashes, and required OIDC claims (sub, iss) failing authentication.

Changes

Respect explicit endpoint configuration

  • config/oidc_metadata.go: Check IsSet() before overwriting endpoints from discovery metadata
  • Enables manual configuration of OAuth2 endpoints when auto-discovery fails or is unsupported

Handle missing OIDC ID tokens

  • web_ui/oauth2_client.go: Validate ID token is non-empty string before JWT parsing
  • OAuth2 providers don't issue OIDC ID tokens; previous code crashed on empty string

Make OIDC claims optional with fallbacks

  • New params Issuer.OIDCSubjectClaim and Issuer.OIDCIssuerClaim (defaults: sub, iss)
  • Subject: support numeric claims (GitHub user IDs), fallback to username if missing
  • Issuer: fallback to OIDC.Issuer config or authorization endpoint hostname
  • Numeric claim handling uses int64 conversion to avoid float precision loss

Example Configuration

OIDC:
  Issuer: https://github.com
  AuthorizationEndpoint: https://github.com/login/oauth/authorize
  TokenEndpoint: https://github.com/login/oauth/access_token
  UserInfoEndpoint: https://api.github.com/user

Issuer:
  OIDCAuthenticationUserClaim: login  # GitHub uses "login", not "sub"
  OIDCSubjectClaim: id                # GitHub's numeric user ID

See docs/github-oauth-config-example.yaml for complete configuration.

Backward compatible: existing OIDC providers (CILogon, Globus) work unchanged.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • abc123
    • Triggering command: /tmp/go-build857477745/b845/config.test /tmp/go-build857477745/b845/config.test -test.testlogfile=/tmp/go-build857477745/b845/testlog.txt -test.paniconexit0 -test.timeout=10m0s -m64 -mtune=generic -march=x86-64 -fasynchronous-unwind-tables -fstack-protector-strong -Wformat -Wformat-security -fstack-clash-protection -ato�� g_.a om/!azure/azure-sdk-for-go/sdk/a-ifaceassert ux_amd64/vet -errorsas /storage/remote/--64 -nilfunc ux_amd64/vet (dns block)
    • Triggering command: /tmp/go-build1685999187/b845/config.test /tmp/go-build1685999187/b845/config.test -test.testlogfile=/tmp/go-build1685999187/b845/testlog.txt -test.paniconexit0 -test.timeout=10m0s -m64 -mtune=generic -march=x86-64 -fasynchronous-unwind-tables -fstack-protector-strong -Wformat -Wformat-security -fstack-clash-protection -p pkg/mod/go.mongodb.org/[email protected]/bson-p pkg/mod/go.mongodb.org/[email protected]/bsonmain ux_amd64/compile -I /tmp/go-build202--64 -I ux_amd64/compile/tmp/ccGGdC8B.o (dns block)
  • cilogon.org
    • Triggering command: /tmp/go-build2144026736/b001/config.test /tmp/go-build2144026736/b001/config.test -test.testlogfile=/tmp/go-build2144026736/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true -test.run=TestGetMetadataRespectsExplicitEndpoints --local ux_amd64/compile credential.helpe/opt/hostedtoolcache/go/1.24.11/x64/pkg/tool/linux_amd64/vet (dns block)
    • Triggering command: /tmp/go-build857477745/b845/config.test /tmp/go-build857477745/b845/config.test -test.testlogfile=/tmp/go-build857477745/b845/testlog.txt -test.paniconexit0 -test.timeout=10m0s -m64 -mtune=generic -march=x86-64 -fasynchronous-unwind-tables -fstack-protector-strong -Wformat -Wformat-security -fstack-clash-protection -ato�� g_.a om/!azure/azure-sdk-for-go/sdk/a-ifaceassert ux_amd64/vet -errorsas /storage/remote/--64 -nilfunc ux_amd64/vet (dns block)
    • Triggering command: /tmp/go-build1685999187/b845/config.test /tmp/go-build1685999187/b845/config.test -test.testlogfile=/tmp/go-build1685999187/b845/testlog.txt -test.paniconexit0 -test.timeout=10m0s -m64 -mtune=generic -march=x86-64 -fasynchronous-unwind-tables -fstack-protector-strong -Wformat -Wformat-security -fstack-clash-protection -p pkg/mod/go.mongodb.org/[email protected]/bson-p pkg/mod/go.mongodb.org/[email protected]/bsonmain ux_amd64/compile -I /tmp/go-build202--64 -I ux_amd64/compile/tmp/ccGGdC8B.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>Add support for authenticating via GitHub</issue_title>
<issue_description>## Summary

Currently, a Pelican service can (in theory) use any identity provider that implements OIDC to authenticate users. Unfortunately, the GitHub identity provider implements only OAuth2, and there seems to be no way of using Pelican's current configuration knobs to make it authenticate users via GitHub. Which is to say, there are several bugs and assumptions in Pelican that need to be addressed in order to use GitHub as an identity provider.

For reference, when attempting to set this up: Documentation for GitHub's OAuth2 and related API endpoints.

Details

Bug: OIDC.Issuer overrides explicitly set OIDC endpoints

Given the following configuration

OIDC:                                                                           
  AuthorizationEndpoint: https://github.com/login/oauth/authorize               
  DeviceAuthEndpoint: https://github.com/login/device/code                      
  TokenEndpoint: https://github.com/login/oauth/access_token                    
  UserInfoEndpoint: https://api.github.com/user

the default value of https://cilogon.org for OIDC.Issuer overrides OIDC.AuthorizationEndpoint via what I assume is CILogon's metadata document at https://cilogon.org/.well-known/openid-configuration. I must explicitly set

OIDC:
  Issuer: null

in order for the explicitly set endpoints to be respected — which strikes me as odd and unnecessary (why is Pelican trying to look up a value I already gave it?).

Bug: Bad check for missing OIDC ID token

The next bug is that the auth process crashes out trying to parse an ID token that does not actually exist:

pelican/web_ui/oauth2_client.go

Line 390 in 816a58e

if idTokenRaw := token.Extra("id_token"); idTokenRaw != nil {

When the token does not contain the id_token field, .Extra is seemingly returning an empty string (""). We need to add a check for that.

Unfortunate assumption: The user info endpoint returns a sub claim

Following that, even if we configure the "user" claim to something reasonable for GitHub

Issuer:
  OIDCAuthenticationUserClaim: login

we still end up crashing out of the auth process because Pelican assumes that the user info endpoint is OIDC-compliant and responds with a sub claim:

pelican/web_ui/oauth2_client.go

Lines 231 to 236 in 816a58e

subIface, ok := claimsSource["sub"]
if !ok {
log.Errorln("User info endpoint did not return a value for the sub claim")
err = errors.New("identity provider did not return a subject for logged-in user")
return
}

Another unfortunate assumption: The user info endpoint returns "groups"

In the case of GitHub, we actually need to query another API endpoint and parse the response to get something resembling "group memberships."

Other remarks

GitHub does have an OIDC provider, but it is aimed at authenticating workflow actions. For example, the issuer's metadata includes no endpoints.</issue_description>

<agent_instructions>Please try to address as many of these concerns as possible. It appears one problem is that the code assumes OIDC with full discovery while GitHub might only do OAuth2 (or perhaps it assumes some shortcuts for OIDC such as tokens that are JWT!).

Review GitHub documentation to try and determine any other potential problems. The reporter is not a developer so we'll need to give them a fairly good approach. Include regression tests for the items they identified.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI self-assigned this Dec 19, 2025
Copilot AI and others added 3 commits December 19, 2025 21:08
@bbockelm
Add GitHub OAuth2 authentication support
909e132 
- Fix OIDC.Issuer from overriding explicitly set endpoints
- Handle missing ID token gracefully (check for empty string)
- Make sub claim configurable and optional (fallback to username)
- Make issuer claim configurable and optional (fallback to OIDC.Issuer)
- Support numeric subject claims (like GitHub's user ID)
- Add configuration parameters Issuer.OIDCSubjectClaim and Issuer.OIDCIssuerClaim
- Add tests for endpoint override behavior

Co-authored-by: bbockelm <[email protected]>
@bbockelm
Remove placeholder tests and add GitHub OAuth2 config example
9c102bb 
- Remove tests that require database setup
- Add comprehensive GitHub OAuth2 configuration example
- Update OIDC.Issuer parameter description with GitHub notes
- All tests passing and build successful

Co-authored-by: bbockelm <[email protected]>
@bbockelm
Address code review feedback
58b1eb3 
- Use int64 conversion for numeric IDs to avoid floating-point precision issues
- Use url.URL struct for proper URL construction instead of string concatenation
- Add comments explaining sync.Once reset in tests
- All tests passing and build successful

Co-authored-by: bbockelm <[email protected]>
Copilot AI changed the title [WIP] Add support for authenticating via GitHub Add support for GitHub OAuth2 authentication Dec 19, 2025
Copilot AI requested a review from bbockelm December 19, 2025 21:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bbockelm bbockelm Awaiting requested review from bbockelm

At least 1 approving review is required to merge this pull request.

Assignees

@bbockelm bbockelm

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add support for authenticating via GitHub

2 participants

@bbockelm