[feat] support custom GitHub OAuth2 auth and token URLs

2025-04-15 03:03:03 -05:00 · 2025-03-12 18:26:41 +00:00 · 2025-03-12 18:26:41 +00:00 · 1be557ac2f
commit 1be557ac2f
parent c87f489a79
3 changed files with 40 additions and 1 deletions
--- a/examples/README.md
+++ b/examples/README.md
@ -362,6 +362,31 @@ In the case of running zot with openid enabled behind a proxy/load balancer http
 ```
 This config value will be used by oauth2/openid clients to redirect back to zot.

+### OAuth2 (GitHub) login with custom URL's (GitHub Enterprise)
+
+In the case of running zot with GitHub Enterprise, auth and token URL's should be provided.
+
+```
+  "http": {
+    "address": "0.0.0.0",
+    "port": "8080",
+    "externalUrl: "https://zot.example.com",
+    "auth": {
+      "openid": {
+        "providers": {
+          "github": {
+            "clientid": <client_id>,
+            "clientsecret": <client_secret>,
+            "authurl": <auth_url>,
+            "tokenurl": <token_url>,
+            "scopes": ["read:org", "user", "repo"]
+          }
+        }
+      }
+    }
+  }
+```
+
 ### Session based login

 Whenever a user logs in zot using any of the auth options available(basic auth/openid) zot will set a 'session' cookie on its response.
--- a/pkg/api/authn.go
+++ b/pkg/api/authn.go
@ -587,12 +587,24 @@ func NewRelyingPartyGithub(config *config.Config, provider string, hashKey, encr
 	_, clientID, clientSecret, redirectURI, scopes,
 		options := getRelyingPartyArgs(config, provider, hashKey, encryptKey, log)

+	var endpoint oauth2.Endpoint
+
+	// Use custom endpoints if provided, otherwise fallback to GitHub's endpoints
+	if provider := config.HTTP.Auth.OpenID.Providers[provider]; provider.AuthUrl != "" && provider.TokenUrl != "" {
+		endpoint = oauth2.Endpoint{
+			AuthURL:  provider.AuthUrl,
+			TokenURL: provider.TokenUrl,
+		}
+	} else {
+		endpoint = githubOAuth.Endpoint
+	}
+
 	rpConfig := &oauth2.Config{
 		ClientID:     clientID,
 		ClientSecret: clientSecret,
 		RedirectURL:  redirectURI,
 		Scopes:       scopes,
-		Endpoint:     githubOAuth.Endpoint,
+		Endpoint:     endpoint,
 	}

 	relyingParty, err := rp.NewRelyingPartyOAuth(rpConfig, options...)
--- a/pkg/api/config/config.go
+++ b/pkg/api/config/config.go
@ -100,6 +100,8 @@ type OpenIDProviderConfig struct {
 	ClientSecret string
 	KeyPath      string
 	Issuer       string
+	AuthUrl      string
+	TokenUrl     string
 	Scopes       []string
 }