
Github user with multiple emails + emails file

Open danielunderwood opened this issue 7 years ago • 7 comments

I'm using a setup with GitHub auth and authenticated-emails-file to permit users based on email. One of my users has multiple emails on his GitHub account and is denied access even though one of them is in the authenticated emails file. If he removed the email associated with his account that is not in the file, he is able to gain access.

Is there a way around this other than putting the users in an organization/team or putting all emails in the file? Is this expected behavior? I looked around and couldn't find too much information in this direction.

danielunderwood, Jun 05 '17 04:06

It looks like the permitted email address must be the primary email address for the GitHub account.

https://github.com/bitly/oauth2_proxy/blob/master/providers/github.go#L230

ploxiln, Jun 05 '17 05:06

Ahh, I wasn't aware of that. Is that standardized by OAuth, or would it be worth looking into adding a config option to auth with non-primary emails?

danielunderwood, Jun 08 '17 22:06

No, this is just due to the interface oauth2_proxy requires of the various "providers" (in this codebase). It could theoretically be expanded.

ploxiln, Jun 09 '17 02:06

I would like to have this work with multiple email accounts as most company employees want to keep their personal email address as the primary for their GitHub account.

madmod, Dec 01 '17 17:12

First off, this proxy is a slick piece of work.

I am having the exact same problem with GitHub. I once wrote an auth layer similar to this, and I had to do exactly what @danielunderwood is suggesting: Go through all of the returned emails associated with the person since the permitted domain might not be the primary one. (Also, I am not sure that GitHub has a notion of a "primary" -- the assumption seems to be that they are all equal.)

Here's what I did: https://github.com/jgn/stoor/blob/master/lib/stoor/github_auth.rb#L40

jgn, May 12 '18 20:05

It seems to me that oauth2_proxy should be checking GitHub's verified attribute, not the primary attribute. GitHub won't let a non-verified email be primary. I just added a fake email to GitHub and it turns up in oauth2_proxy along with my other emails:

{"email":"[email protected]","primary":false,"verified":false,"visibility":null}

I'd suggest that using verified should be the default behaviour and using primary should be a configuration option.

https://github.com/bitly/oauth2_proxy/blob/master/providers/github.go#L246

hardbyte, Aug 17 '18 23:08
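
The selection rule discussed in this thread (match any verified address against the allow list, with primary-only as an option), sketched as an added example that is not oauth2_proxy's code or any commenter's. The JSON fields come from the object quoted above; `pickAllowedEmail`, the sample addresses and the lower-casing of addresses are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// githubEmail mirrors the fields of the JSON object quoted in the thread.
type githubEmail struct {
	Email    string `json:"email"`
	Primary  bool   `json:"primary"`
	Verified bool   `json:"verified"`
}

// pickAllowedEmail (hypothetical helper) returns the first verified address
// found in the allow list. primaryOnly restores the primary-only behaviour.
func pickAllowedEmail(body []byte, allowed map[string]bool, primaryOnly bool) (string, error) {
	var emails []githubEmail
	if err := json.Unmarshal(body, &emails); err != nil {
		return "", fmt.Errorf("decoding email list: %w", err)
	}
	for _, e := range emails {
		// An unverified address proves nothing about who controls it.
		if !e.Verified || (primaryOnly && !e.Primary) {
			continue
		}
		addr := strings.ToLower(strings.TrimSpace(e.Email))
		if allowed[addr] {
			return addr, nil
		}
	}
	return "", errors.New("no verified address is in the allow list")
}

// sampleResponse is constructed sample data (reserved .example domains).
const sampleResponse = `[
 {"email":"me@personal.example","primary":true,"verified":true,"visibility":"public"},
 {"email":"Me@corp.example","primary":false,"verified":true,"visibility":null},
 {"email":"ceo@corp.example","primary":false,"verified":false,"visibility":null}
]`

func main() {
	allowed := map[string]bool{"me@corp.example": true, "ceo@corp.example": true}
	fmt.Println(pickAllowedEmail([]byte(sampleResponse), allowed, false))
	fmt.Println(pickAllowedEmail([]byte(sampleResponse), allowed, true))
}
```

The unverified `ceo@corp.example` entry is in the allow list yet never matches, which is the case the comment above raises.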

FYI: there is an active discussion about forking this (obviously unmaintained) project here: #628

martin-loetzsch, Dec 06 '18 22:12