OIDC with Github

[Alex-Giaquinto]

Not sure if this is the right place for this, but does anyone have a working example of how to set up OIDC authentication with Github? I saw that it is working on the demo provided in the README, but having trouble getting it up on my end. I just upgraded to version 2.9.37, the button appears when I add the OIDC config to the config.js according to the documentation. But when I click the button the page just basically refreshes and I am back on the login screen. If anyone has an idea it would be super helpful!!! Thank you!

[hmoffatt]

Have you configured Semaphore to use a path in the web root by any chance? ie xyz.com/semaphore instead of just xyz.com?

[Alex-Giaquinto]

@hmoffatt I don't believe so. Is there any specific snippet of the config you would like to see? Maybe can help lead you in the right direction?

[hmoffatt]

I only asked because I noticed that OpenID Connect login is broken when you use a path component. I fixed this in #1572

I have not tried using OIDC with GitHub so I don't think I can offer any help otherwise.

[fiftin]

Yes, I have:

        "oidc_providers": {

                "github": {
                        "icon": "github",
                        "display_name": "Sign in with GitHub",
                        "client_id": "***",
                        "client_secret": "***",
                        "redirect_url": "https://cloud.ansible-semaphore.com/api/auth/oidc/github/redirect",
                        "endpoint": {
                                "auth": "https://github.com/login/oauth/authorize",
                                "token": "https://github.com/login/oauth/access_token",
                                "userinfo": "https://api.github.com/user"
                        },
                        "scopes": ["read:user", "user:email"]
                },

        }

[Alex-Giaquinto]

@fiftin I am getting this error
level=error msg="oauth2: server response missing access_token
But my config looks exactly like yours (expect with my correct client id/secret and redirect_url of course)

[Alex-Giaquinto]

@fiftin I was finally able to almost get it working. Finally when I clicked the Github button it brought me to Github to approve the authentication. Once I approved it I got a 502 error and found this in the semaphore logs
runtime error: index out of range [0] with length 0

[Alex-Giaquinto]

@fiftin Just bumping this back up when you get the chance to take a look. Thanks!

[Alex-Giaquinto]

@fiftin Just trying to bump this again, still not working not sure what else to do.

[fiftin]

Fixed in develop branch. Will be soon in release.

[tboerger]

I ran into the same issue as @Alex-Giaquinto and have only been able to properly register/authenticate via GitHub after changing the claim reading behavior which you can see at #1720. After this change I'm able to login, get a right Username and "just" a wrong mail address as GitHub doesn't respond with any mail address at all. That's why I have added the [email protected] addres as a fallback.

Edit: Without the PR I was getting this while logging in from GitHub:

2024/01/29 13:31:04 http: panic serving [::1]:34058: runtime error: index out of range [0] with length 0
goroutine 11 [running]:
net/http.(*conn).serve.func1()
        /nix/store/y7abhs9glxfcg7lgcdc8i4ml5wg5ly92-go-1.21.4/share/go/src/net/http/server.go:1868 +0xb9
panic({0xb8fc00?, 0xc0024a7470?})
        /nix/store/y7abhs9glxfcg7lgcdc8i4ml5wg5ly92-go-1.21.4/share/go/src/runtime/panic.go:920 +0x270
github.com/ansible-semaphore/semaphore/api.getProfileNameFromEmail({0x0?, 0xc000090030?})
        /home/thomas/Developer/misc/semaphore/api/login.go:428 +0x1c5
github.com/ansible-semaphore/semaphore/api.oidcRedirect({0x230afa0, 0xc0002c8000}, 0xc0001a4300)
        /home/thomas/Developer/misc/semaphore/api/login.go:524 +0xbe5
net/http.HandlerFunc.ServeHTTP(0xb79c20?, {0x230afa0?, 0xc0002c8000?}, 0xc?)
        /nix/store/y7abhs9glxfcg7lgcdc8i4ml5wg5ly92-go-1.21.4/share/go/src/net/http/server.go:2136 +0x29
github.com/ansible-semaphore/semaphore/api.JSONMiddleware.func1({0x230afa0, 0xc0002c8000}, 0x0?)
        /home/thomas/Developer/misc/semaphore/api/router.go:37 +0xf0
net/http.HandlerFunc.ServeHTTP(0x0?, {0x230afa0?, 0xc0002c8000?}, 0xc00057f620?)
        /nix/store/y7abhs9glxfcg7lgcdc8i4ml5wg5ly92-go-1.21.4/share/go/src/net/http/server.go:2136 +0x29
github.com/ansible-semaphore/semaphore/api.StoreMiddleware.func1.1()
        /home/thomas/Developer/misc/semaphore/api/router.go:28 +0x28
github.com/ansible-semaphore/semaphore/db.StoreSession({0x2316f08, 0xc0001d9b00}, {0xc0002c4100, 0xc}, 0xc00057f7b0)
        /home/thomas/Developer/misc/semaphore/db/Store.go:354 +0x5f
github.com/ansible-semaphore/semaphore/api.StoreMiddleware.func1({0x230afa0, 0xc0002c8000}, 0xc0001a4300)
        /home/thomas/Developer/misc/semaphore/api/router.go:27 +0xec
net/http.HandlerFunc.ServeHTTP(0xc0001a4300?, {0x230afa0?, 0xc0002c8000?}, 0xb784e0?)
        /nix/store/y7abhs9glxfcg7lgcdc8i4ml5wg5ly92-go-1.21.4/share/go/src/net/http/server.go:2136 +0x29
github.com/ansible-semaphore/semaphore/cli/cmd.runService.func1.1({0x230afa0, 0xc0002c8000}, 0xc00057f860?)
        /home/thomas/Developer/misc/semaphore/cli/cmd/root.go:74 +0xea
net/http.HandlerFunc.ServeHTTP(0xc000100000?, {0x230afa0?, 0xc0002c8000?}, 0xc00057f8e0?)
        /nix/store/y7abhs9glxfcg7lgcdc8i4ml5wg5ly92-go-1.21.4/share/go/src/net/http/server.go:2136 +0x29
github.com/ansible-semaphore/semaphore/api.Route.CORSMethodMiddleware.func1.1({0x230afa0, 0xc0002c8000}, 0xc0002b2120?)
        /home/thomas/Developer/misc/semaphore/vendor/github.com/gorilla/mux/middleware.go:51 +0x88
net/http.HandlerFunc.ServeHTTP(0xc0001a4200?, {0x230afa0?, 0xc0002c8000?}, 0xbc3620?)
        /nix/store/y7abhs9glxfcg7lgcdc8i4ml5wg5ly92-go-1.21.4/share/go/src/net/http/server.go:2136 +0x29
github.com/gorilla/mux.(*Router).ServeHTTP(0xc000000000, {0x230afa0, 0xc0002c8000}, 0xc0001a4000)
        /home/thomas/Developer/misc/semaphore/vendor/github.com/gorilla/mux/mux.go:212 +0x1fa
github.com/ansible-semaphore/semaphore/cli/cmd.runService.ProxyHeaders.func2({0x230afa0, 0xc0002c8000}, 0xc0001a4000)
        /home/thomas/Developer/misc/semaphore/vendor/github.com/gorilla/handlers/proxy_headers.go:59 +0x143
net/http.HandlerFunc.ServeHTTP(0xc0002b4004?, {0x230afa0?, 0xc0002c8000?}, 0x444000?)
        /nix/store/y7abhs9glxfcg7lgcdc8i4ml5wg5ly92-go-1.21.4/share/go/src/net/http/server.go:2136 +0x29
github.com/ansible-semaphore/semaphore/cli/cmd.runService.cropTrailingSlashMiddleware.func3({0x230afa0, 0xc0002c8000}, 0xc0001a4000)
        /home/thomas/Developer/misc/semaphore/cli/cmd/server.go:27 +0xbd
net/http.HandlerFunc.ServeHTTP(0x27d45c0?, {0x230afa0?, 0xc0002c8000?}, 0xc00057fb50?)
        /nix/store/y7abhs9glxfcg7lgcdc8i4ml5wg5ly92-go-1.21.4/share/go/src/net/http/server.go:2136 +0x29
net/http.serverHandler.ServeHTTP({0xc000551020?}, {0x230afa0?, 0xc0002c8000?}, 0x6?)
        /nix/store/y7abhs9glxfcg7lgcdc8i4ml5wg5ly92-go-1.21.4/share/go/src/net/http/server.go:2938 +0x8e
net/http.(*conn).serve(0xc00052efc0, {0x230cc08, 0xc000550f30})
        /nix/store/y7abhs9glxfcg7lgcdc8i4ml5wg5ly92-go-1.21.4/share/go/src/net/http/server.go:2009 +0x5f4
created by net/http.(*Server).Serve in goroutine 1
        /nix/store/y7abhs9glxfcg7lgcdc8i4ml5wg5ly92-go-1.21.4/share/go/src/net/http/server.go:3086 +0x5cb
ERRO[0003] oauth2: server response missing access_token

[tboerger]

With the latest version the GitHub authentication should be fixed :)

[Alex-Giaquinto]

@tboerger still getting a 502. I am going to supply everything I can hopefully you can help! Upgraded to v2.9.45.

Config

"oidc_providers": {
"github": {
"icon": "github",
"display_name": "Sign in with GitHub",
"client_id": "xxxx",
"client_secret": "xxxx",
"redirect_url": "https://semaphore.xxx.com/api/auth/oidc/github/redirect",
"endpoint": {
"auth": "https://github.com/login/oauth/authorize",
"token": "https://github.com/login/oauth/access_token",
"userinfo": "https://api.github.com/user"
},
"scopes": ["read:user", "user:email"]
}
},

Github OAuth Settings
HomePage URL: https://semaphore.xxx.com
Authorization callback URL: https://semaphore.xxx.com/api/auth/oidc/github/redirect

Would love to stop working on this, so if you find anything. Please call it out!

[tboerger]

Sorry, I have missed that it requires a new release. The fix is in the develop branch...

[Alex-Giaquinto]

@tboerger this is still my current configuration using the latest beta release, but still no luck. You can see my error below.

[fiftin]

Please try new BETA version: https://github.com/ansible-semaphore/semaphore/releases/tag/v2.9.46-beta

[Alex-Giaquinto]

@fiftin Hey, just wanted to reach out again. Please see my latest comment. Gave it a try but still no luck.

[tboerger]

The cloud version of semaphore shows that github authentication works, looks like your config is missing something.

[Alex-Giaquinto]

@fiftin @tboerger is this available on v2.9.48-beta. I originally installed with package manager option and was not sure if switching to binary for the upgrade would break anything so I am currently using this version instead of v2.9.46-beta. Would that be the reason this is not working?

[Alex-Giaquinto]

@tboerger @fiftin so I gave that version a try. I am now receiving this error.

level=error msg="claim 'email' missing from id_token or not a string"

Do I need to change my config at all?

[Alex-Giaquinto]

@tboerger are there any permissions sets you can mess around with when you create an Oauth app on github? I don't believe there is?

[tboerger]

Just to make sure, I have created on my personal account on developer setting an OAuth application with settings like this and it simply works with the config from above:

[Alex-Giaquinto]

@tboerger we have the exact same thing! Maybe my install is just broken. I don't think this could be related to nginx or the db right?

[Alex-Giaquinto]

Yeah something very fishy is going on here. Just spun up a brand new instance tried a brand new Oauth app and the exact same thing is happening. So now I am starting to think this is not an error on my end. @tboerger

[abeastmal]

I'm seeing a similar error

time="2024-04-05T10:41:58Z" level=error msg="claim 'email' missing or has bad format"