diff --git a/README.md b/README.md
index 91f9cfc..8657e4e 100644
--- a/README.md
+++ b/README.md
@@ -72,6 +72,8 @@ Those are the environment variables that can be used to configure the app:
 
 `CONFIG_FILE`: **Optional**. The name of the configuration file. Default to `oidc_entitlements.yml`
 
+`GHES_URL`: **Optional**. The URL of the GitHub Enterprise Server in the form of `https://ghes.example.com`. If not provided, the app will use `https://github.com`.
+
 # Installation
 
 ## Create a GitHub App
diff --git a/github-oidc-auth-app.go b/github-oidc-auth-app.go
index f919a06..a2ab30e 100644
--- a/github-oidc-auth-app.go
+++ b/github-oidc-auth-app.go
@@ -27,6 +27,7 @@ type GatewayContext struct {
 	appTransport *ghinstallation.AppsTransport
 	configRepo string
 	configFile string
+	wellKnownURL string
 }
 
 type ScopedTokenRequest struct {
@@ -256,7 +257,9 @@ func main() {
 	if err != nil {
 		log.Fatal("Wrong format for APP_ID")
 	}
-	var configRepo, configFile string
+
+	var configRepo, configFile, wellKnownURL string
+
 	if configRepo = os.Getenv("CONFIG_REPO"); configRepo == "" {
 		configRepo = ".github-private"
 	}
@@ -269,6 +272,13 @@ func main() {
 		log.Fatal("Failed to initialize GitHub App transport:", err)
 	}
 
+	if ghesUrl := os.Getenv("GHES_URL"); ghesUrl != "" {
+		appTransport.BaseURL = fmt.Sprintf("%s/api/v3", ghesUrl)
+		wellKnownURL = fmt.Sprintf("%s/_services/token/.well-known/jwks", ghesUrl)
+	} else {
+		wellKnownURL = "https://token.actions.githubusercontent.com/.well-known/jwks"
+	}
+
 	fmt.Println("loading installation id cache")
 	err = loadInstallationIdCache(appTransport)
 	if err != nil {
@@ -282,6 +292,7 @@ func main() {
 		appTransport: appTransport,
 		configRepo: configRepo,
 		configFile: configFile,
+		wellKnownURL: wellKnownURL,
 	}
 
 	server := http.Server{
diff --git a/jwks.go b/jwks.go
index d992bfa..5ef2359 100644
--- a/jwks.go
+++ b/jwks.go
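Review bot: The `GHES_URL` value read in the new `if ghesUrl := os.Getenv("GHES_URL")` block is spliced into both the API base URL and the JWKS URL without any validation, so an `http://` value silently moves the key set that every incoming OIDC token is verified against onto plaintext HTTP (an on-path attacker could then serve their own keys and mint accepted tokens), and a trailing slash yields `https://ghes.example.com//api/v3`. Because that JWKS URL is the trust anchor for `validateTokenCameFromGitHub`, startup should refuse anything that is not an absolute `https` URL and normalise the trailing slash, as below (requires `net/url` and `strings` to be imported). The local should also be spelled `ghesURL` per Go initialism convention. If the token's `iss` claim is pinned to the github.com issuer elsewhere in jwks.go, that check needs the same GHES switch, but that code is not part of this diff. The enclosing `main` begins before and continues after this hunk.
```go
	if ghesURL := os.Getenv("GHES_URL"); ghesURL != "" {
		// The JWKS fetched from this host is what token signatures are checked
		// against, so only accept an absolute https URL.
		parsed, perr := url.Parse(ghesURL)
		if perr != nil || parsed.Scheme != "https" || parsed.Host == "" {
			log.Fatal("GHES_URL must be an absolute https URL, e.g. https://ghes.example.com")
		}
		base := strings.TrimRight(ghesURL, "/")
		appTransport.BaseURL = base + "/api/v3"
		wellKnownURL = base + "/_services/token/.well-known/jwks"
	} else {
		wellKnownURL = "https://token.actions.githubusercontent.com/.well-known/jwks"
	}
	// … unchanged: installation id cache loading …
```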
@@ -71,7 +71,7 @@ func validateTokenCameFromGitHub(oidcTokenString string, gc *GatewayContext) (jw
 
 	now := time.Now()
 	if now.Sub(gc.jwksLastUpdate) > time.Minute || len(gc.jwksCache) == 0 {
-		resp, err := http.Get("https://token.actions.githubusercontent.com/.well-known/jwks")
+		resp, err := http.Get(gc.wellKnownURL)
 		if err != nil {
 			fmt.Println(err)
 			return nil, fmt.Errorf("unable to get JWKS configuration")
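Review bot: `http.Get(gc.wellKnownURL)` still goes through `http.DefaultClient`, which has no timeout, so a slow or unreachable JWKS endpoint — now an operator-configured host rather than github.com — stalls every token validation that triggers the once-a-minute refresh until the TCP stack gives up. Use a package-level client with a bound, `var jwksClient = &http.Client{Timeout: 10 * time.Second}` and `resp, err := jwksClient.Get(gc.wellKnownURL)`, which also keeps the one client reused across refreshes. Whether `resp.StatusCode` is checked before the body is parsed lies outside this hunk; if it is not, a 404 or an HTML error page from a misconfigured GHES URL would be handed to the JWKS parser instead of being reported. `validateTokenCameFromGitHub` starts before and continues after this hunk.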