[Bug] authURL is empty when using GitHub as an OIDC server
Is this a support request?
- [X] This is not a support request
Is there an existing issue for this?
- [X] I have searched the existing issues
Current Behavior
Headscale redirects to empty authURL
2024-10-03T11:08:53Z DBG Redirecting to ?client_id=123&domain_hint=...
Expected Behavior
Headscale should redirect to "https://github.com/login/oauth/authorize"
Steps To Reproduce
- Create an OAuth app in GitHub developer settings
- Set up Headscale to use GitHub as an OIDC server:
  oidc:
    only_start_if_oidc_is_available: true
    issuer: "https://token.actions.githubusercontent.com"
    client_id: "123"
    client_secret: "123"
- Try to login
Environment
- OS: Ubuntu 24.04
- Headscale version: 0.23.0
Runtime environment
- [ ] Headscale is behind a (reverse) proxy
- [X] Headscale runs in a container
Anything else?
No response
It seems https://token.actions.githubusercontent.com/.well-known/openid-configuration doesn't contain an authorization_endpoint field.
I am not sure why they do not provide authorization_endpoint, but I thought that was a part of the OIDC standard requirements (feel free to correct). Some searching doesn't seem to make me any cleverer.
We do not support non-compliant providers, so if that is the case for GitHub, I suppose we do not support it.
If someone has more insights on their requirements/quirks, that would be helpful.
Using Jenkins OIDC provider here, this is the openid-configuration:
{
  "issuer": "https://jenkins.example.com/oidc",
  "jwks_uri": "https://jenkins.example.com/oidc/jwks",
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "authorization_endpoint": "https://unimplemented",
  "token_endpoint": "https://unimplemented"
}
I'm using this provider with AWS, step-ca and Grafana without issues.
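A pre-flight check for the discovery document, as an added example that is not part of the original thread or Headscale's own code: it flags the missing `authorization_endpoint` reported above for the GitHub Actions issuer (the cause of the relative `?client_id=...` redirect) and the `https://unimplemented` placeholders in the Jenkins document. `CheckDiscovery`, the two sample documents and the dot-in-hostname placeholder heuristic are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed samples: the first omits authorization_endpoint, as reported in the
// thread for the GitHub Actions issuer; the second uses the Jenkins placeholders.
const actionsDoc = `{"issuer":"https://token.actions.githubusercontent.com",
 "jwks_uri":"https://token.actions.githubusercontent.com/.well-known/jwks"}`
const jenkinsDoc = `{"issuer":"https://jenkins.example.com/oidc",
 "jwks_uri":"https://jenkins.example.com/oidc/jwks",
 "authorization_endpoint":"https://unimplemented","token_endpoint":"https://unimplemented"}`

// CheckDiscovery (hypothetical helper) lists the reasons a discovery document
// cannot drive an authorization-code login; an empty result means it can.
func CheckDiscovery(raw, issuer string) []string {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return []string{"invalid JSON: " + err.Error()}
	}
	var problems []string
	if iss, _ := m["issuer"].(string); iss != issuer {
		problems = append(problems, "issuer mismatch")
	}
	for _, name := range []string{"authorization_endpoint", "token_endpoint", "jwks_uri"} {
		val, _ := m[name].(string)
		u, err := url.Parse(val)
		switch {
		case val == "":
			problems = append(problems, name+" missing")
		case err != nil || u.Scheme != "https" || u.Host == "":
			problems = append(problems, name+" is not an https URL")
		// Heuristic (assumption): a hostname without a dot is a stub value.
		case !strings.Contains(u.Hostname(), "."):
			problems = append(problems, name+" looks like a placeholder")
		}
	}
	return problems
}

func main() {
	fmt.Println(CheckDiscovery(actionsDoc, "https://token.actions.githubusercontent.com"))
	fmt.Println(CheckDiscovery(jenkinsDoc, "https://jenkins.example.com/oidc"))
}
```

Refusing to start when the list is non-empty avoids sending users to an empty or stub authorization URL.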