Skip to content

Add support for GitHub OAuth2 authentication #2901

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
h2zh merged 8 commits into from
Jan 12, 2026
Merged

Add support for GitHub OAuth2 authentication #2901

h2zh merged 8 commits into from
Jan 12, 2026

Conversation

Copy link
Contributor

Copilot AI commented Dec 19, 2025
edited
Loading

Pelican assumed OIDC with full discovery support. GitHub implements OAuth2 without OIDC extensions, causing three failure modes: metadata discovery overriding explicit endpoints, ID token parsing crashes, and required OIDC claims (sub, iss) failing authentication.

Changes

Respect explicit endpoint configuration

  • config/oidc_metadata.go: Check IsSet() before overwriting endpoints from discovery metadata
  • Enables manual configuration of OAuth2 endpoints when auto-discovery fails or is unsupported

Handle missing OIDC ID tokens

  • web_ui/oauth2_client.go: Validate ID token is non-empty string before JWT parsing
  • OAuth2 providers don't issue OIDC ID tokens; previous code crashed on empty string

Make OIDC claims optional with fallbacks

  • New params Issuer.OIDCSubjectClaim and Issuer.OIDCIssuerClaim (defaults: sub, iss)
  • Subject: support numeric claims (GitHub user IDs), fallback to username if missing
  • Issuer: fallback to OIDC.Issuer config or authorization endpoint hostname
  • Numeric claim handling uses int64 conversion to avoid float precision loss

Example Configuration

OIDC:
  Issuer: https://github.com
  AuthorizationEndpoint: https://github.com/login/oauth/authorize
  TokenEndpoint: https://github.com/login/oauth/access_token
  UserInfoEndpoint: https://api.github.com/user

Issuer:
  OIDCAuthenticationUserClaim: login  # GitHub uses "login", not "sub"
  OIDCSubjectClaim: id                # GitHub's numeric user ID

See docs/github-oauth-config-example.yaml for complete configuration.

Backward compatible: existing OIDC providers (CILogon, Globus) work unchanged.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • abc123
    • Triggering command: /tmp/go-build857477745/b845/config.test /tmp/go-build857477745/b845/config.test -test.testlogfile=/tmp/go-build857477745/b845/testlog.txt -test.paniconexit0 -test.timeout=10m0s -m64 -mtune=generic -march=x86-64 -fasynchronous-unwind-tables -fstack-protector-strong -Wformat -Wformat-security -fstack-clash-protection -ato�� g_.a om/!azure/azure-sdk-for-go/sdk/a-ifaceassert ux_amd64/vet -errorsas /storage/remote/--64 -nilfunc ux_amd64/vet (dns block)
    • Triggering command: /tmp/go-build1685999187/b845/config.test /tmp/go-build1685999187/b845/config.test -test.testlogfile=/tmp/go-build1685999187/b845/testlog.txt -test.paniconexit0 -test.timeout=10m0s -m64 -mtune=generic -march=x86-64 -fasynchronous-unwind-tables -fstack-protector-strong -Wformat -Wformat-security -fstack-clash-protection -p pkg/mod/go.mongodb.org/[email protected]/bson-p pkg/mod/go.mongodb.org/[email protected]/bsonmain ux_amd64/compile -I /tmp/go-build202--64 -I ux_amd64/compile/tmp/ccGGdC8B.o (dns block)
  • cilogon.org
    • Triggering command: /tmp/go-build2144026736/b001/config.test /tmp/go-build2144026736/b001/config.test -test.testlogfile=/tmp/go-build2144026736/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true -test.run=TestGetMetadataRespectsExplicitEndpoints --local ux_amd64/compile credential.helpe/opt/hostedtoolcache/go/1.24.11/x64/pkg/tool/linux_amd64/vet (dns block)
    • Triggering command: /tmp/go-build857477745/b845/config.test /tmp/go-build857477745/b845/config.test -test.testlogfile=/tmp/go-build857477745/b845/testlog.txt -test.paniconexit0 -test.timeout=10m0s -m64 -mtune=generic -march=x86-64 -fasynchronous-unwind-tables -fstack-protector-strong -Wformat -Wformat-security -fstack-clash-protection -ato�� g_.a om/!azure/azure-sdk-for-go/sdk/a-ifaceassert ux_amd64/vet -errorsas /storage/remote/--64 -nilfunc ux_amd64/vet (dns block)
    • Triggering command: /tmp/go-build1685999187/b845/config.test /tmp/go-build1685999187/b845/config.test -test.testlogfile=/tmp/go-build1685999187/b845/testlog.txt -test.paniconexit0 -test.timeout=10m0s -m64 -mtune=generic -march=x86-64 -fasynchronous-unwind-tables -fstack-protector-strong -Wformat -Wformat-security -fstack-clash-protection -p pkg/mod/go.mongodb.org/[email protected]/bson-p pkg/mod/go.mongodb.org/[email protected]/bsonmain ux_amd64/compile -I /tmp/go-build202--64 -I ux_amd64/compile/tmp/ccGGdC8B.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>Add support for authenticating via GitHub</issue_title>
<issue_description>## Summary

Currently, a Pelican service can (in theory) use any identity provider that implements OIDC to authenticate users. Unfortunately, the GitHub identity provider implements only OAuth2, and there seems to be no way of using Pelican's current configuration knobs to make it authenticate users via GitHub. Which is to say, there are several bugs and assumptions in Pelican that need to be addressed in order to use GitHub as an identity provider.

For reference, when attempting to set this up: Documentation for GitHub's OAuth2 and related API endpoints.

Details

Bug: OIDC.Issuer overrides explicitly set OIDC endpoints

Given the following configuration

OIDC:                                                                           
  AuthorizationEndpoint: https://github.com/login/oauth/authorize               
  DeviceAuthEndpoint: https://github.com/login/device/code                      
  TokenEndpoint: https://github.com/login/oauth/access_token                    
  UserInfoEndpoint: https://api.github.com/user

the default value of https://cilogon.org for OIDC.Issuer overrides OIDC.AuthorizationEndpoint via what I assume is CILogon's metadata document at https://cilogon.org/.well-known/openid-configuration. I must explicitly set

OIDC:
  Issuer: null

in order for the explicitly set endpoints to be respected — which strikes me as odd and unnecessary (why is Pelican trying to look up a value I already gave it?).

Bug: Bad check for missing OIDC ID token

The next bug is that the auth process crashes out trying to parse an ID token that does not actually exist:

pelican/web_ui/oauth2_client.go

Line 390 in 816a58e

if idTokenRaw := token.Extra("id_token"); idTokenRaw != nil {

When the token does not contain the id_token field, .Extra is seemingly returning an empty string (""). We need to add a check for that.

Unfortunate assumption: The user info endpoint returns a sub claim

Following that, even if we configure the "user" claim to something reasonable for GitHub

Issuer:
  OIDCAuthenticationUserClaim: login

we still end up crashing out of the auth process because Pelican assumes that the user info endpoint is OIDC-compliant and responds with a sub claim:

pelican/web_ui/oauth2_client.go

Lines 231 to 236 in 816a58e

subIface, ok := claimsSource["sub"]
if !ok {
log.Errorln("User info endpoint did not return a value for the sub claim")
err = errors.New("identity provider did not return a subject for logged-in user")
return
}

Another unfortunate assumption: The user info endpoint returns "groups"

In the case of GitHub, we actually need to query another API endpoint and parse the response to get something resembling "group memberships."

Other remarks

GitHub does have an OIDC provider, but it is aimed at authenticating workflow actions. For example, the issuer's metadata includes no endpoints.</issue_description>

<agent_instructions>Please try to address as many of these concerns as possible. It appears one problem is that the code assumes OIDC with full discovery while GitHub might only do OAuth2 (or perhaps it assumes some shortcuts for OIDC such as tokens that are JWT!).

Review GitHub documentation to try and determine any other potential problems. The reporter is not a developer so we'll need to give them a fairly good approach. Include regression tests for the items they identified.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI changed the title [WIP] Add support for authenticating via GitHub Add support for GitHub OAuth2 authentication Dec 19, 2025
Copilot AI requested a review from bbockelm December 19, 2025 21:16
@bbockelm bbockelm requested a review from h2zh December 30, 2025 15:16
@h2zh h2zh added this to the v7.23 milestone Dec 30, 2025
@h2zh h2zh self-assigned this Dec 30, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 9, 2026
View reviewed changes
Copilot AI and others added 7 commits January 12, 2026 06:32
@h2zh
Initial plan
9385c4c
@bbockelm @h2zh
Add GitHub OAuth2 authentication support
e47c1bc 
- Fix OIDC.Issuer from overriding explicitly set endpoints
- Handle missing ID token gracefully (check for empty string)
- Make sub claim configurable and optional (fallback to username)
- Make issuer claim configurable and optional (fallback to OIDC.Issuer)
- Support numeric subject claims (like GitHub's user ID)
- Add configuration parameters Issuer.OIDCSubjectClaim and Issuer.OIDCIssuerClaim
- Add tests for endpoint override behavior

Co-authored-by: bbockelm <[email protected]>
@bbockelm @h2zh
Remove placeholder tests and add GitHub OAuth2 config example
4129364 
- Remove tests that require database setup
- Add comprehensive GitHub OAuth2 configuration example
- Update OIDC.Issuer parameter description with GitHub notes
- All tests passing and build successful

Co-authored-by: bbockelm <[email protected]>
@bbockelm @h2zh
Address code review feedback
c44ef2e 
- Use int64 conversion for numeric IDs to avoid floating-point precision issues
- Use url.URL struct for proper URL construction instead of string concatenation
- Add comments explaining sync.Once reset in tests
- All tests passing and build successful

Co-authored-by: bbockelm <[email protected]>
@h2zh
Add GitHub organization support for group-based authorization
8c8843e 
Implement 'github' GroupSource type that fetches GitHub organization
memberships via the /user/orgs API and uses them as groups for
authorization. This enables automatic greenlighting of GitHub org
members for token issuance without manual group management.

- Add fetchGitHubOrganizations() to query GitHub API
- Extend generateUserGroupInfo() to support GitHub group source
- Update parameters and example configuration documentation
@h2zh
Add missing config params in the example
2e6cd1e
@h2zh
GetOIDCSupportedScopes() should fall back to the value of `OIDC.Scope…
941b0cf 
…s` when OIDC metadata discovery fails.

- To support OAuth2-only providers like GitHub.
@h2zh h2zh force-pushed the copilot/add-github-authentication-support branch from 2ea56f9 to 941b0cf Compare January 12, 2026 06:32
@h2zh h2zh marked this pull request as ready for review January 12, 2026 06:32
@h2zh h2zh merged commit bf5735a into main Jan 12, 2026
28 of 30 checks passed
@h2zh h2zh mentioned this pull request Jan 12, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@h2zh h2zh h2zh approved these changes

@bbockelm bbockelm Awaiting requested review from bbockelm

Assignees

@bbockelm bbockelm

@h2zh h2zh

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

v7.23

Development

Successfully merging this pull request may close these issues.

Add support for authenticating via GitHub

3 participants

@h2zh @bbockelm