This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Github provider "Invalid Account" #109

Merged (1 commit) Jun 6, 2015

Conversation

jehiah
Member

@jehiah jehiah commented Jun 6, 2015

I'm having trouble trying out oauth2 proxy with the Github provider as well. I'm able to get to the Github login page, log in, and then get redirected to the callback, but then I end up at this page:

image

The URL looks like:
https://myapp.com/oauth2/callback?code=<some_code>&state=%2Foauth2

Here's my configuration

request_logging = true
client_id = "<client_id>"
client_secret = "<client_secret>"
cookie_secret = "fadlkfjdlkaksfldkasfad"
provider = "github"
upstreams = [
  "http://127.0.0.1:8080/"
]

And logs

2015/06/05 20:28:46 oauthproxy.go:121: Cookie settings: secure (https):true httponly:true expiry:168h0m0s domain:<default>
2015/06/05 20:28:46 main.go:128: listening on 127.0.0.1:4180
2015/06/05 20:29:02 oauthproxy.go:260: http: named cookie not present
104.218.136.246 - - [05/Jun/2015:20:29:02 +0000] ec2-99-6-167-68.compute-1.amazonaws.com GET - "/oauth2" HTTP/1.0 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36" 403 2250 0.001
2015/06/05 20:29:03 oauthproxy.go:260: http: named cookie not present
104.218.136.246 - - [05/Jun/2015:20:29:03 +0000] ec2-99-6-167-68.compute-1.amazonaws.com GET - "/favicon.ico" HTTP/1.0 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36" 403 2255 0.000
104.218.136.246 - - [05/Jun/2015:20:29:04 +0000] ec2-99-6-167-68.compute-1.amazonaws.com GET - "/oauth2/start?rd=%2Foauth2" HTTP/1.0 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36" 302 277 0.000
2015/06/05 20:29:05 validator.go:78: validating: is mightyguava@gmail.com valid? false
2015/06/05 20:29:05 oauthproxy.go:286: ErrorPage 403 Permission Denied Invalid Account
104.218.136.246 - - [05/Jun/2015:20:29:05 +0000] ec2-99-6-167-68.compute-1.amazonaws.com GET - "/oauth2/callback?code=633ec61cad195150d227&state=%2Foauth2" HTTP/1.0 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36" 403 338 0.100
2015/06/05 20:29:05 oauthproxy.go:260: http: named cookie not present
104.218.136.246 - - [05/Jun/2015:20:29:05 +0000] ec2-99-6-167-68.compute-1.amazonaws.com GET - "/favicon.ico" HTTP/1.0 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36" 403 2255 0.000

Don't have the unmarshalling problem from #108.

@mightyguava
Author

Oh, saw the comment on the other bug. Need to use 'authenticated_emails' file. Got it working after adding one in with my email.

But since github authentication can already restrict to an organization, why is that necessary?

@jehiah
Member

jehiah commented Jun 5, 2015

@mightyguava thanks for commenting here. So I think this is just the conflation of a few documentation things that are confusing (and the fact that github is the only provider that supports role-based authentication means that's a little undocumented so far).

Using github org validation doesn't by default allow all email addresses it gets to be considered valid. In addition, there isn't a way to wildcard-allow all email addresses yet (#91). In addition, the option to whitelist a whole domain is currently misleadingly named google-apps-domain instead of email-domain; I'll update to clarify that.

If you feel there is something here beyond those, please re-open and let me know.

@jehiah jehiah closed this Jun 5, 2015
@jehiah jehiah added the question label Jun 5, 2015
@mightyguava
Author

Thanks for the quick reply.

So if I'm understanding correctly, if I set github-org to my organization, and set google-apps-domain to gmail.com + every other domain my org has primary github emails under, I should be able to authenticate any and all users within my github organization?

When I turned on github-org, it seems like something else broke:

2015/06/05 21:33:15 validator.go:78: validating: is valid? false

My email is no longer showing up in the logs here, so I'm assuming that it isn't parsing or getting my email properly.

@mightyguava
Author

Okay, I think the issue is here https://github.com/bitly/oauth2_proxy/blob/master/providers/github.go#L83

If I specify Org but not Team, the github provider will still try to check against teams. However, if I'm not part of any teams at all, the loop at line 83 never runs, and I fail the check.

I think there should be a check before the loop to return true, nil if github-team is not set.

@mightyguava
Author

Ah, reading the code more, the problem is more that there's no support to only check a user's organization?
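The check described in the two comments above, as an added example that is not the project's own code: a teams-only loop that can only succeed from inside the loop (so a user with zero teams is rejected even when no team was required) beside a membership check that decides on organization membership alone when no team is configured and consults teams only when one is. The Config type, the function names and the sample payloads are assumptions; the payloads are constructed here and follow the field names of GitHub's /user/orgs and /user/teams responses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Config mirrors the two flags discussed in the thread (hypothetical struct,
// not the project's own). Team is optional: empty means "any member of Org".
type Config struct {
	Org  string
	Team string
}

// orgEntry is the subset of a GitHub /user/orgs element used here.
type orgEntry struct {
	Login string `json:"login"`
}

// teamEntry is the subset of a GitHub /user/teams element used here.
type teamEntry struct {
	Slug string `json:"slug"`
	Org  struct {
		Login string `json:"login"`
	} `json:"organization"`
}

// checkTeamsOnly reproduces the failure mode from the thread: the only path
// to "true" is inside the loop over the user's teams, so a user who belongs
// to the org but to no team is rejected even with no team configured.
func checkTeamsOnly(cfg Config, teamsJSON []byte) (bool, error) {
	var teams []teamEntry
	if err := json.Unmarshal(teamsJSON, &teams); err != nil {
		return false, err
	}
	for _, t := range teams {
		// A team slug only counts when it lives in the configured org.
		if strings.EqualFold(t.Org.Login, cfg.Org) &&
			(cfg.Team == "" || strings.EqualFold(t.Slug, cfg.Team)) {
			return true, nil
		}
	}
	return false, nil
}

// checkMembership is the corrected flow: fail closed when no org is
// configured, decide on org membership alone when no team is configured,
// and only consult the team list when a team is required.
func checkMembership(cfg Config, orgsJSON, teamsJSON []byte) (bool, error) {
	if cfg.Org == "" {
		return false, fmt.Errorf("org must be configured; refusing to allow everyone")
	}
	if cfg.Team == "" {
		var orgs []orgEntry
		if err := json.Unmarshal(orgsJSON, &orgs); err != nil {
			return false, err
		}
		for _, o := range orgs {
			if strings.EqualFold(o.Login, cfg.Org) {
				return true, nil
			}
		}
		return false, nil
	}
	return checkTeamsOnly(cfg, teamsJSON)
}

// Constructed sample payloads (not captured from GitHub), shaped like
// /user/orgs and /user/teams responses for a user in "example-org".
var (
	sampleOrgs  = []byte(`[{"login":"example-org"},{"login":"other-org"}]`)
	noTeams     = []byte(`[]`)
	sampleTeams = []byte(`[{"slug":"ops","organization":{"login":"example-org"}}]`)
)

func main() {
	cfg := Config{Org: "example-org"}
	old, _ := checkTeamsOnly(cfg, noTeams)
	fixed, _ := checkMembership(cfg, sampleOrgs, noTeams)
	fmt.Printf("org member with no teams: teams-only=%v membership=%v\n", old, fixed)
}
```

Two details matter beyond the org-without-team case: the team branch also requires the team's organization to match the configured org, so a team with the same slug in an unrelated org does not grant access, and an empty org configuration is an error rather than an allow-all, which keeps a misconfigured proxy failing closed.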

@jehiah
Member

jehiah commented Jun 5, 2015

Thanks for the follow-ups. I'll try to reproduce this soon.

@jehiah jehiah reopened this Jun 5, 2015
@jehiah jehiah added bug and removed question labels Jun 6, 2015
@jehiah
Member

jehiah commented Jun 6, 2015

@mightyguava I've pushed up a change that should handle the case you have where a user is part of an org but not a team. Can you validate that this works for you?

jehiah added a commit that referenced this pull request Jun 6, 2015
Github provider "Invalid Account"
@jehiah jehiah merged commit 13e8292 into bitly:master Jun 6, 2015
@mightyguava
Author

Yup. It is working for me. Thanks!

@jehiah
Member

jehiah commented Jun 7, 2015

Yay! Thanks for the confirmation.

@jehiah jehiah deleted the github_org_109 branch September 23, 2015 13:57
@ajsharp

ajsharp commented Mar 2, 2016

Still seeing this issue. To clarify, the desired behavior that I'd like to see, and that I think OP was hoping for, was that, if I specify a github org, that means I'm saying I want all users who have access to that org to have access here, without specifying an email file. I believe this is how the google apps integration works if you specify a domain, right?

@ajsharp

ajsharp commented Mar 3, 2016

However, I'm using the latest stable release, not sure if that has 13e8292.
