[Bug]: Invalid authentication via OAuth2 via Github for the owner of the organisation #2621
Comments
Hi @rockhouse, try to completely remove the scope flag.
You only use the flags mentioned in your config above? No other settings via environment variables?
@tuunit Thanks for the hint, but unfortunately that does not solve the issue. There are no other settings via env vars.
One thing changed though, I only see:
@tuunit any other ideas? Also, it would be nice to get more debugging output to analyse the problem better. Any idea how to achieve that?
I think I've identified the issue. It looks like the email address isn't populating correctly for some users. Specifically, it's this loop here: oauth2-proxy/providers/github.go Line 325 in e058c4d
If the user's primary email address isn't verified, it doesn't return an email address at all, which causes this check: Line 924 in e058c4d
to fail. @rockhouse would you be willing to confirm that the user you're seeing this with meets this condition? If not, I'll spin up a new Issue for it. Happy to PR this - just not sure what proper behavior should be - either primary email address or first validated email address I guess?
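The selection behaviour described in the comment above, as an added example that is not part of the thread and is not oauth2-proxy's own code: it decodes a constructed GitHub `GET /user/emails` response and compares a strict primary-and-verified pick with the proposed fallback to the first verified address. The function names, the type and the sample addresses are assumptions made for illustration.

```go
package main

import "encoding/json"
import "fmt"

// githubEmail holds the fields used from one entry of GET /user/emails.
type githubEmail struct {
	Email    string `json:"email"`
	Primary  bool   `json:"primary"`
	Verified bool   `json:"verified"`
}

// strictPrimary models the behaviour described in the thread (primary AND verified, else empty).
func strictPrimary(emails []githubEmail) string {
	for _, e := range emails {
		if e.Primary && e.Verified {
			return e.Email
		}
	}
	return ""
}

// primaryOrFirstVerified (hypothetical fallback) never returns an unverified address.
func primaryOrFirstVerified(emails []githubEmail) string {
	if p := strictPrimary(emails); p != "" {
		return p
	}
	for _, e := range emails {
		if e.Verified {
			return e.Email
		}
	}
	return ""
}

// parseEmails decodes a /user/emails response body.
func parseEmails(body string) (emails []githubEmail, err error) {
	err = json.Unmarshal([]byte(body), &emails)
	return
}

// sampleBody is constructed: primary address unverified, secondary verified.
const sampleBody = `[{"email":"owner@example.com","primary":true,"verified":false},
	{"email":"owner@example.org","primary":false,"verified":true}]`

func main() {
	emails, err := parseEmails(sampleBody)
	fmt.Printf("strict=%q fallback=%q err=%v\n", strictPrimary(emails), primaryOrFirstVerified(emails), err)
}
```

With the constructed input the strict pick is empty, which is the state that leads to the authorisation failure reported here, while the fallback still yields a verified address.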
Thanks @shepwalker, it was indeed the primary mail issue. For some reason my primary mail account on GitHub was "unavailable". After I reset the mail and made sure I have a primary mail set in my GitHub account profile, I could log in again via OAuth2.
@shepwalker if you need anything from me to further analyse the problem, let me know; otherwise I will close the issue for now. Thank you for your help.
OAuth2-Proxy Version
v.7.6.0
Provider
github
Expected Behaviour
Login should be possible
Current Behaviour
We are trying to upgrade oauth2-proxy from v6.1.1 to the latest v.7.6.0. We are using GitHub as the OAuth2 provider.
For some reason that change does not work for only one user in the organisation. So there are multiple people in the organisation and for one person it shows:
[AuthFailure] Invalid authentication via OAuth2: unauthorised
Unfortunately that is all in terms of error messages. It does find the user in the organisation apparently, as this is also printed to the logs during login:
The scope we extended to include read:org based on this #2196 (comment), but it did not help. The user is not just part of the organisation but actually the owner, so access rights should not be an issue.
Steps To Reproduce
Possible Solutions
No response
Configuration details or additional information
The config we are using: