-
Notifications
You must be signed in to change notification settings - Fork 196
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add team membership check to GitHub authentication method #2849
Comments
If y'all think it's a good idea I can get it done! |
@thepabloaguilar I like it alot! Great idea. Im guessing in your example yaml above you meant One question, would you imagine they would have to have the org in a
^ this would be invalid because |
Yeah, I've forgot to change it 😆 About your question about that case I'd say it's an invalid example, a great description of the
Or we can change allowed_organizations:
- my-org // Filter only by the org
- my-other-org:my-team // Filter by te org and team Or even changing the config shape to something like this (but we'll be doing a possible breaking change): allowed_organizations:
- name: my-org
- name: my-other-org
teams:
- my-team But idk if it's a great idea |
yeah I think for simplicity and to maintain backward compat that your first example config is the best, having separate keys for |
Great then, I'll try to implement it! |
We have a "problem", GitHub API only allows us to get all the user teams without filtering by organizations! What I'll to is set the |
Yeah thats unfortunate that we have to get team membership that way, but I think its ok. As you said I doubt there are many users who are a member of that many teams. I looked at how Grafana does it as they also allow specifying orgs and team membership enforcement for GitHub OAuth. They do the same (albeit their max is 100 which I think would also be fine) https://github.com/grafana/grafana/blob/c0933fa6bb4038c519466d12bd2e61693e32a4e1/pkg/login/social/connectors/github_oauth.go#L207 Another option (maybe, haven't validated it) is using GitHub's GraphQL API. I very much dislike GraphQL personally, but maybe it makes sense here? ChatGPT said we could do it with the following query:
vars:
But I haven't validated it. Either way I think either solution would work for our needs:
wdty? |
Moving to graphql requires more changes in the server side while maintaining two different http clients (rest & graphql)! I vote to continue calling the REST API because of simplicity (already works, don't need to add extra libs) and should be better making one call returning N teams instead calling the GraphQL query N times (where N is the number of Now, about the structure we can also consider this: allowed_teams:
- org: foo-org
teams:
- my-team |
can we spell out |
Sure! I already implemented it, just need to write the server tests!! The final structure was: allowed_teams:
foo-org:
- my-team Also, I was thinking on changing from |
My only thoughts re this are that for the environment variables configuration it would be quite long:
We do have #2844 which would help alleviate this, but I think |
Yeah, we could continue with |
Hey @thepabloaguilar , just checking to see if I can help with anything, tests/etc? |
Thanks for asking @markphelps, I didn't have time to finish 😆 I guess will be able to open a PR today! |
Problem
I want to deploy Flipt with GitHub auth enabled but I want to define that only people in specific teams can access it.
Example: Only people in
my-organization
and inmy-flag-team
can access the service!Ideal Solution
Extend the current GitHub authentication method to support GitHub Org teams filter! With what I know so far we can continue relaying in
read:org
scope which theorically can also read the org team membership:If the user don't pass
allowed_teams
(which maybe can have a better name if needed) the behavior will be same as now but if that config is provided we should match the user team!My suggestion for
allowed_teams
values is to adopt the patternORG:TEAM
, so if the user provide two orgs that has two teams with the same name they can choose which team should be considered to each org:Search
Additional Context
Refs #2065
The text was updated successfully, but these errors were encountered: