This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Github user with multiple emails + emails file #401

Open
danielunderwood opened this issue Jun 5, 2017 · 7 comments


@danielunderwood

I'm using a setup with github auth and authenticated-emails-file to permit users based on email. One of my users has multiple emails on his github account and is denied access even though one of them is in the authenticated emails file. If he removed the email associated with his account that is not in the file, he is able to gain access.

Is there a way around this other than putting the users in an organization/team or putting all emails in the file? Is this expected behavior? I looked around and couldn't find too much information in this direction.

@ploxiln
Contributor

ploxiln commented Jun 5, 2017

It looks like the permitted email address must be the primary email address for the github account.

https://github.com/bitly/oauth2_proxy/blob/master/providers/github.go#L230

@danielunderwood
Author

Ahh I wasn't aware of that. Is that standardized by OAuth or would it be worth looking into adding a config option to auth with non-primary emails?

@ploxiln
Contributor

ploxiln commented Jun 9, 2017

No, this is just due to the interface oauth2_proxy requires of the various "providers" (in this codebase). It could theoretically be expanded.

@madmod

madmod commented Dec 1, 2017

I would like to have this work with multiple email accounts as most company employees want to keep their personal email address as the primary for their GitHub account.

@jgn

jgn commented May 12, 2018

First off, this proxy is a slick piece of work.

I am having the exact same problem with GitHub. I once wrote an auth layer similar to this, and I had to do exactly what @danielunderwood is suggesting: Go through all of the returned emails associated with the person since the permitted domain might not be the primary one. (Also, I am not sure that GitHub has a notion of a "primary" -- the assumption seems to be that they are all equal.)

Here's what I did: https://github.com/jgn/stoor/blob/master/lib/stoor/github_auth.rb#L40

@hardbyte

It seems to me that oauth2_proxy should be checking github's verified attribute not the primary attribute. Github won't let a non-verified email be primary. I just added a fake email to github and it turns up in oauth2_proxy along with my other emails:

{"email":"notreal@example.com","primary":false,"verified":false,"visibility":null}

I'd suggest that using verified should be the default behaviour and using primary should be a configuration option.

https://github.com/bitly/oauth2_proxy/blob/master/providers/github.go#L246
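An added example, not part of the thread and not oauth2_proxy's own code: a Go sketch of the check suggested above, matching any verified address against the allowlist, with the primary-only behaviour reported in this issue as an option. The names `githubEmail`, `permittedEmail` and `sampleEmails` are hypothetical, and the sample response is constructed in the shape of the entry quoted above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// githubEmail holds the fields of one entry in the email list quoted above.
type githubEmail struct {
	Email    string `json:"email"`
	Primary  bool   `json:"primary"`
	Verified bool   `json:"verified"`
}

// Constructed sample: a personal primary address, a verified work address,
// and an unverified address that the account owner merely typed in.
const sampleEmails = `[
 {"email":"me@personal.example","primary":true,"verified":true,"visibility":"private"},
 {"email":"Dev@corp.example","primary":false,"verified":true,"visibility":null},
 {"email":"notreal@corp.example","primary":false,"verified":false,"visibility":null}
]`

// permittedEmail returns the first verified address found in allowed, whose
// keys must be lower-case. With primaryOnly set, only the primary address is
// considered, which is the behaviour reported in this issue.
func permittedEmail(body []byte, allowed map[string]bool, primaryOnly bool) (string, error) {
	var emails []githubEmail
	if err := json.Unmarshal(body, &emails); err != nil {
		return "", err
	}
	for _, e := range emails {
		if !e.Verified || (primaryOnly && !e.Primary) {
			continue // an unverified address proves nothing about ownership
		}
		if allowed[strings.ToLower(e.Email)] {
			return e.Email, nil
		}
	}
	return "", errors.New("no permitted verified email")
}

func main() {
	allowed := map[string]bool{"dev@corp.example": true, "notreal@corp.example": true}
	for _, primaryOnly := range []bool{true, false} {
		email, err := permittedEmail([]byte(sampleEmails), allowed, primaryOnly)
		fmt.Printf("primaryOnly=%v email=%q err=%v\n", primaryOnly, email, err)
	}
}
```

The unverified entry is rejected in both modes even though it is on the allowlist, which is the property that makes matching on non-primary addresses safe.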

@martin-loetzsch

Fyi: there is an active discussion about forking this (obviously unmaintained) project here: #628
