[feat] support custom GitHub OAuth2 auth and token URLs #3024

Status: Open. Wants to merge 1 commit into base: main
25 changes: 25 additions & 0 deletions examples/README.md
Expand Up @@ -362,6 +362,31 @@ In the case of running zot with openid enabled behind a proxy/load balancer http
```
This config value will be used by oauth2/openid clients to redirect back to zot.

### OAuth2 (GitHub) login with custom URL's (GitHub Enterprise)

In the case of running zot with GitHub Enterprise, auth and token URL's should be provided.

```
"http": {
"address": "0.0.0.0",
"port": "8080",
"externalUrl: "https://zot.example.com",
"auth": {
"openid": {
"providers": {
"github": {
"clientid": <client_id>,
"clientsecret": <client_secret>,
"authurl": <auth_url>,
"tokenurl": <token_url>,
"scopes": ["read:org", "user", "repo"]
}
}
}
}
}
```

### Session based login

Whenever a user logs in zot using any of the auth options available(basic auth/openid) zot will set a 'session' cookie on its response.
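Review bot: the JSON sample in the new subsection is not valid as written: `"externalUrl: "https://zot.example.com",` is missing the closing quote on the key and should read `"externalUrl": "https://zot.example.com",`, so anyone who pastes the block gets a parse error at startup; the `<client_id>`, `<auth_url>` and similar placeholders also need to be quoted strings once filled in. Two things the text should state explicitly: `authurl` and `tokenurl` must be set together, because the accompanying authn.go change only honours them when both are non-empty and otherwise silently falls back to public github.com, so a typo in one key sends the enterprise login to the wrong host; and `tokenurl` is the endpoint zot posts `clientsecret` to, so it must be the HTTPS token endpoint of the GitHub Enterprise host. Minor: "URL's" in the heading and first sentence should be "URLs".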
14 changes: 13 additions & 1 deletion pkg/api/authn.go
Expand Up @@ -587,12 +587,24 @@ func NewRelyingPartyGithub(config *config.Config, provider string, hashKey, encr
_, clientID, clientSecret, redirectURI, scopes,
options := getRelyingPartyArgs(config, provider, hashKey, encryptKey, log)

var endpoint oauth2.Endpoint

// Use custom endpoints if provided, otherwise fallback to GitHub's endpoints
if provider := config.HTTP.Auth.OpenID.Providers[provider]; provider.AuthUrl != "" && provider.TokenUrl != "" {
endpoint = oauth2.Endpoint{
AuthURL: provider.AuthUrl,
TokenURL: provider.TokenUrl,
}
} else {
endpoint = githubOAuth.Endpoint
}

rpConfig := &oauth2.Config{
ClientID: clientID,
ClientSecret: clientSecret,
RedirectURL: redirectURI,
Scopes: scopes,
Endpoint: githubOAuth.Endpoint,
Endpoint: endpoint,
}

relyingParty, err := rp.NewRelyingPartyOAuth(rpConfig, options...)
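Review bot: the `if provider := config.HTTP.Auth.OpenID.Providers[provider]; provider.AuthUrl != "" && provider.TokenUrl != ""` clause shadows the string parameter `provider` with the provider config struct for the body of the if; it compiles, but it reads as if the same value were being compared with itself, so name the struct `providerConfig` instead. The bigger issue is the fallback: when exactly one of `AuthUrl`/`TokenUrl` is set the condition is false and the code quietly uses `githubOAuth.Endpoint`, i.e. public github.com, which for a GitHub Enterprise deployment means the authorization redirect and the client secret go to the wrong host. Treat a half-configured pair as a configuration error (return an error from `NewRelyingPartyGithub`, or reject it during config validation) rather than falling back, and consider parsing both values with `url.Parse` and requiring an `https` scheme, since `TokenURL` is where `ClientSecret` is sent. The field names will also need to become `AuthURL`/`TokenURL` to match the stylecheck results on config.go in this same PR.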
2 changes: 2 additions & 0 deletions pkg/api/config/config.go
Expand Up @@ -100,6 +100,8 @@
ClientSecret string
KeyPath string
Issuer string
AuthUrl string

Check failure on line 103 in pkg/api/config/config.go (GitHub Actions / lint): ST1003: struct field AuthUrl should be AuthURL (stylecheck)
TokenUrl string

Check failure on line 104 in pkg/api/config/config.go (GitHub Actions / lint): ST1003: struct field TokenUrl should be TokenURL (stylecheck)
Scopes []string
}
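Review bot: CI lint fails on this hunk: stylecheck ST1003 wants `AuthUrl` renamed to `AuthURL` and `TokenUrl` to `TokenURL`, consistent with the existing `ClientID` field in the same struct. Rename both fields and the two use sites in `NewRelyingPartyGithub` (`provider.AuthUrl`, `provider.TokenUrl`), then confirm the README keys `authurl`/`tokenurl` still bind after the rename. The new fields are also undocumented; a short comment saying they override the GitHub OAuth2 authorization and token endpoints, are only honoured when both are set, and in this PR are read only by `NewRelyingPartyGithub`, would save the next reader a trip to authn.go.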
