From 1be557ac2f6c525b7bc57f930f0659c52aaf7b96 Mon Sep 17 00:00:00 2001 From: Mathias Bogaert Date: Wed, 12 Mar 2025 18:26:41 +0000 Subject: [PATCH] [feat] support custom GitHub OAuth2 auth and token URLs --- examples/README.md | 25 +++++++++++++++++++++++++ pkg/api/authn.go | 14 +++++++++++++- pkg/api/config/config.go | 2 ++ 3 files changed, 40 insertions(+), 1 deletion(-) diff --git a/examples/README.md b/examples/README.md index dd82f4b59..7f399e16d 100644 --- a/examples/README.md +++ b/examples/README.md @@ -362,6 +362,31 @@ In the case of running zot with openid enabled behind a proxy/load balancer http ``` This config value will be used by oauth2/openid clients to redirect back to zot. +### OAuth2 (GitHub) login with custom URL's (GitHub Enterprise) + +In the case of running zot with GitHub Enterprise, auth and token URL's should be provided. + +``` + "http": { + "address": "0.0.0.0", + "port": "8080", + "externalUrl: "https://zot.example.com", + "auth": { + "openid": { + "providers": { + "github": { + "clientid": , + "clientsecret": , + "authurl": , + "tokenurl": , + "scopes": ["read:org", "user", "repo"] + } + } + } + } + } +``` + ### Session based login Whenever a user logs in zot using any of the auth options available(basic auth/openid) zot will set a 'session' cookie on its response. diff --git a/pkg/api/authn.go b/pkg/api/authn.go index 7435c88e4..99476cbb7 100644 --- a/pkg/api/authn.go +++ b/pkg/api/authn.go 
@@ -587,12 +587,24 @@ func NewRelyingPartyGithub(config *config.Config, provider string, hashKey, encr
 _, clientID, clientSecret, redirectURI, scopes, options := getRelyingPartyArgs(config, provider, hashKey, encryptKey, log)
+ var endpoint oauth2.Endpoint
+
+ // Use custom endpoints if provided, otherwise fallback to GitHub's endpoints
+ if provider := config.HTTP.Auth.OpenID.Providers[provider]; provider.AuthUrl != "" && provider.TokenUrl != "" {
+ endpoint = oauth2.Endpoint{
+ AuthURL: provider.AuthUrl,
+ TokenURL: provider.TokenUrl,
+ }
+ } else {
+ endpoint = githubOAuth.Endpoint
+ }
+
 rpConfig := &oauth2.Config{
 ClientID: clientID,
 ClientSecret: clientSecret,
 RedirectURL: redirectURI,
 Scopes: scopes,
- Endpoint: githubOAuth.Endpoint,
+ Endpoint: endpoint,
 }
 relyingParty, err := rp.NewRelyingPartyOAuth(rpConfig, options...)
diff --git a/pkg/api/config/config.go b/pkg/api/config/config.go
index 1fe1b3101..a4984766c 100644
--- a/pkg/api/config/config.go
+++ b/pkg/api/config/config.go
@@ -100,6 +100,8 @@ type OpenIDProviderConfig struct {
 ClientSecret string
 KeyPath string
 Issuer string
+ AuthUrl string
+ TokenUrl string
 Scopes []string
 }
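Review bot: The configured `AuthUrl`/`TokenUrl` are handed to `oauth2.Endpoint` without any validation in the new `if` block: nothing checks that they are absolute URLs or that the scheme is `https`, yet the client secret and the authorization code are POSTed to `TokenURL`, so an `http://` value silently sends both in cleartext and a relative or malformed value only fails at login time. The `&&` guard also falls back to github.com when exactly one of the two keys is set, so a typo in a single key quietly routes a GitHub Enterprise deployment to the public endpoints; a partial pair should be rejected when the relying party is built rather than ignored. The `if provider := …` initializer shadows the function's `provider string` parameter with the config struct, which makes the branch harder to read and trips the shadow analyzer — a distinct name such as `providerCfg` avoids it. If zot resolves the logged-in user against `api.github.com` elsewhere (not visible in this hunk), an Enterprise deployment would also need a configurable API base URL, which is worth confirming before this is documented as Enterprise support. `NewRelyingPartyGithub` begins and ends outside the hunk; the sketch below assumes it returns an error, as the later `rp.NewRelyingPartyOAuth` call suggests, and needs `net/url` (and `fmt`) in scope.
```go
	_, clientID, clientSecret, redirectURI, scopes, options := getRelyingPartyArgs(config, provider, hashKey, encryptKey, log)

	// Default to github.com; a GitHub Enterprise deployment overrides both endpoints together.
	endpoint := githubOAuth.Endpoint

	providerCfg := config.HTTP.Auth.OpenID.Providers[provider]
	if providerCfg.AuthUrl != "" || providerCfg.TokenUrl != "" {
		if providerCfg.AuthUrl == "" || providerCfg.TokenUrl == "" {
			return nil, fmt.Errorf("openid provider %q: authurl and tokenurl must be set together", provider)
		}

		// The client secret and authorization code are posted to TokenURL, so insist on absolute https URLs.
		for _, raw := range []string{providerCfg.AuthUrl, providerCfg.TokenUrl} {
			u, err := url.Parse(raw)
			if err != nil || u.Scheme != "https" || u.Host == "" {
				return nil, fmt.Errorf("openid provider %q: endpoint %q must be an absolute https URL", provider, raw)
			}
		}

		endpoint = oauth2.Endpoint{AuthURL: providerCfg.AuthUrl, TokenURL: providerCfg.TokenUrl}
	}

	// … unchanged: rpConfig construction and rp.NewRelyingPartyOAuth call …
```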
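Review bot: The new fields `AuthUrl`/`TokenUrl` break the initialism casing the neighbouring code uses (`RedirectURL`, `oauth2.Endpoint.AuthURL`); declaring them as `AuthURL string` and `TokenURL string` keeps the struct consistent with Go convention, and since the README documents the keys as lowercase `authurl`/`tokenurl`, the loader appears to match keys case-insensitively already, so the rename should not change the config format — worth confirming against the loader. They also carry no doc comment, although an operator reading the struct needs to know that they are optional, are currently only read by the GitHub relying party, must be set as a pair and should be absolute https URLs; e.g. `// AuthURL and TokenURL override the provider's OAuth2 endpoints (GitHub Enterprise). Optional; both must be set, as absolute https URLs.` `OpenIDProviderConfig` begins before this hunk.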