[feat] support custom GitHub OAuth2 auth and token URLs

analytically · analytically · commit 1be557ac2f6c · 2025-03-12T18:26:41.000Z
diff --git a/examples/README.md b/examples/README.md
@@ -362,6 +362,31 @@ In the case of running zot with openid enabled behind a proxy/load balancer http
 ```
 This config value will be used by oauth2/openid clients to redirect back to zot.
 
+### OAuth2 (GitHub) login with custom URL's (GitHub Enterprise)
+
+In the case of running zot with GitHub Enterprise, auth and token URL's should be provided.
+
+```
+  "http": {
+    "address": "0.0.0.0",
+    "port": "8080",
+    "externalUrl: "https://zot.example.com",
+    "auth": {
+      "openid": {
+        "providers": {
+          "github": {
+            "clientid": <client_id>,
+            "clientsecret": <client_secret>,
+            "authurl": <auth_url>,
+            "tokenurl": <token_url>,
+            "scopes": ["read:org", "user", "repo"]
+          }
+        }
+      }
+    }
+  }
+```
+
 ### Session based login
 
 Whenever a user logs in zot using any of the auth options available(basic auth/openid) zot will set a 'session' cookie on its response.
diff --git a/pkg/api/authn.go b/pkg/api/authn.go
@@ -587,12 +587,24 @@ func NewRelyingPartyGithub(config *config.Config, provider string, hashKey, encr
 	_, clientID, clientSecret, redirectURI, scopes,
 		options := getRelyingPartyArgs(config, provider, hashKey, encryptKey, log)
 
+	var endpoint oauth2.Endpoint
+
+	// Use custom endpoints if provided, otherwise fallback to GitHub's endpoints
+	if provider := config.HTTP.Auth.OpenID.Providers[provider]; provider.AuthUrl != "" && provider.TokenUrl != "" {
+		endpoint = oauth2.Endpoint{
+			AuthURL:  provider.AuthUrl,
+			TokenURL: provider.TokenUrl,
+		}
+	} else {
+		endpoint = githubOAuth.Endpoint
+	}
+
 	rpConfig := &oauth2.Config{
 		ClientID:     clientID,
 		ClientSecret: clientSecret,
 		RedirectURL:  redirectURI,
 		Scopes:       scopes,
-		Endpoint:     githubOAuth.Endpoint,
+		Endpoint:     endpoint,
 	}
 
 	relyingParty, err := rp.NewRelyingPartyOAuth(rpConfig, options...)
diff --git a/pkg/api/config/config.go b/pkg/api/config/config.go
@@ -100,6 +100,8 @@ type OpenIDProviderConfig struct {
 	ClientSecret string
 	KeyPath      string
 	Issuer       string
+	AuthUrl      string
+	TokenUrl     string
 	Scopes       []string
 }
 

Original file line number	Diff line number	Diff line change
`@@ -100,6 +100,8 @@ type OpenIDProviderConfig struct {`
`100`	`100`	`ClientSecret string`
`101`	`101`	`KeyPath string`
`102`	`102`	`Issuer string`
	`103`	`+ AuthUrl string`
	`104`	`+ TokenUrl string`
`103`	`105`	`Scopes []string`
`104`	`106`	`}`
`105`	`107`