SSO: Add support for OAuth2 providers that do not support oidc
Problem
I tried configuring GitHub authentication using the following in my sqlpage.json:
{
  "oidc_issuer_url": "https://github.com",
  "oidc_client_id": "<my-client-id>",
  "oidc_client_secret": "<my-client-secret>",
  "host": "localhost:8080"
}
However, SQLPage fails to start with the following error:
Failed to discover OIDC provider metadata
Caused by:
Server returned invalid response: HTTP status code 404 Not Found at https://github.com/.well-known/openid-configuration
This happens because GitHub is not a full OpenID Connect (OIDC) provider: it supports OAuth 2.0, but does not expose .well-known/openid-configuration, nor does it provide an id_token.
Expected Behavior
Given that GitHub is listed in the SQLPage OIDC documentation, it would be great if SQLPage could support OAuth2-only providers like GitHub, either by:
- Allowing manual configuration of:
  - authorization_endpoint
  - token_endpoint
  - userinfo_endpoint
  - scopes
- Disabling .well-known discovery for non-OIDC providers
This way, SQLPage could support a broader range of providers, such as GitHub, Discord, Slack, etc.
Suggested Workaround
Until then, developers must proxy GitHub through a full OIDC layer (e.g. Auth0, Keycloak, or Authentik) in order to integrate GitHub login with SQLPage.
References
- GitHub OAuth Docs: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps
- Fails at: https://github.com/.well-known/openid-configuration (404)
- Example working provider: https://accounts.google.com/.well-known/openid-configuration
Request
Please add support for manual OIDC configuration (without issuer discovery), or clarify the limitations of GitHub auth in the documentation.
Thank you for the detailed and well-written report! Would you be interested in implementing this yourself?
Actually, reading the above again, it looks like it was generated by an LLM, wasn't it? The link to https://sql-page.com/docs/authentication/ seems to have been hallucinated.
The OIDC issuer URL for GitHub seems to be https://github.com/login/oauth/, and the OIDC config is at https://github.com/login/oauth/.well-known/openid-configuration. However, it does not contain the required endpoint URLs.
https://github.com/login/oauth/
You're right, thanks for the correction.
@lovasoa I admit the original issue description was generated with the help of an LLM, and in hindsight, the reference to GitHub as an OIDC provider was inaccurate. I also tried the following config (pointing to https://github.com/login/oauth as the issuer):
{
  "oidc_issuer_url": "https://github.com/login/oauth",
  "oidc_client_id": "<my-client-id>",
  "oidc_client_secret": "<my-client-secret>",
  "host": "localhost:8080"
}
But SQLPage fails with:
[ERROR sqlpage] Failed to discover OIDC provider metadata
Caused by:
0: Failed to parse server response
1: missing field `authorization_endpoint` at line 1 column 319
@lovasoa, I have double-checked the GitHub discovery document.
After inspecting GitHub's openid-configuration, I can confirm that it does not contain required fields like:
- authorization_endpoint
- token_endpoint
These are present in OIDC-compliant providers like Google:
Because GitHub's discovery document is incomplete, SQLPage fails with:
[ERROR sqlpage] Failed to discover OIDC provider metadata
Caused by:
0: Failed to parse server response
1: missing field `authorization_endpoint` at line 1 column 319
So currently, GitHub's discovery endpoint is not suitable for direct OIDC usage in SQLPage.
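
A pre-flight check for the failure discussed in this thread, added here as an example (it is not SQLPage's code and was not posted by any participant): it validates a discovery document against the fields OpenID Connect Discovery 1.0 marks as required and checks that the returned issuer matches the configured URL exactly. The function name, the `idp.example` URLs and both sample documents are constructed for illustration.

```python
import json

# Fields that OpenID Connect Discovery 1.0 marks REQUIRED in provider metadata
# (token_endpoint is required unless only the implicit flow is used).
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

def check_discovery(configured_issuer, body):
    """Return a list of problems; an empty list means the document passed."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top-level value is not a JSON object"]
    problems = [f"missing field `{f}`" for f in REQUIRED_FIELDS if f not in doc]
    # The returned issuer must equal the configured one character for
    # character (a trailing slash counts); otherwise ID tokens would be
    # validated against a different identity than the one configured.
    issuer = doc.get("issuer")
    if issuer is not None and issuer != configured_issuer:
        problems.append(f"issuer mismatch: {configured_issuer!r} != {issuer!r}")
    # Endpoints that carry credentials or signing keys must be https URLs.
    for name in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(name)
        if value is not None and not str(value).startswith("https://"):
            problems.append(f"`{name}` is not an https URL")
    return problems

# Constructed sample documents for a hypothetical provider, not real responses.
COMPLETE = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token",
    "jwks_uri": "https://idp.example/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Same document without the two endpoints named in the error above.
INCOMPLETE = {k: v for k, v in COMPLETE.items()
              if k not in ("authorization_endpoint", "token_endpoint")}

if __name__ == "__main__":
    for label, doc in (("complete", COMPLETE), ("incomplete", INCOMPLETE)):
        print(label, check_discovery("https://idp.example", json.dumps(doc)))
```

Feeding it the body fetched from `<issuer>/.well-known/openid-configuration` before setting `oidc_issuer_url` shows whether a provider can be used directly or needs a full OIDC layer in front of it.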