
[Bug]: Invalid authentication via OAuth2 via Github for the owner of the organisation #2621

Closed
rockhouse opened this issue Apr 26, 2024 · 8 comments

@rockhouse

OAuth2-Proxy Version

v.7.6.0

Provider

github

Expected Behaviour

Login should be possible

Current Behaviour

We are trying to upgrade oauth2-proxy from v6.1.1 to the latest v.7.6.0. We are using Github as oauth2 provider.

For some reason the change does not work for only one user in the organisation. There are multiple people in the organisation, and for one person it shows:

[AuthFailure] Invalid authentication via OAuth2: unauthorised

Unfortunately that is all in terms of error messages. It apparently does find the user in the organisation, as this is also printed to the logs during login:

[2024/04/26 15:48:53] [github.go:463] Member of Github Organization:"xxxx"
[2024/04/26 15:48:54] [github.go:506] Member of Github Organization/Team:"xxxx"/"xxxx"
[2024/04/26 15:48:54] [internal_util.go:73] 200 GET https://api.github.com/ {"current_user_url":"https://api.github.com/user","current_user_authorizations_html_url":"https://github.com/settings/connections/applications{/client_id}","authorizations_url":"https://api.github.com/authorizations","code_search_url":"https://api.github.com/search/code?q={query}{&page,per_page,sort,order}","commit_search_url":"https://api.github.com/search/commits?q={query}{&page,per_page,sort,order}","emails_url":"https://api.github.com/user/emails","emojis_url":"https://api.github.com/emojis","events_url":"https://api.github.com/events","feeds_url":"https://api.github.com/feeds","followers_url":"https://api.github.com/user/followers","following_url":"https://api.github.com/user/following{/target}","gists_url":"https://api.github.com/gists{/gist_id}","hub_url":"https://api.github.com/hub","issue_search_url":"https://api.github.com/search/issues?q={query}{&page,per_page,sort,order}","issues_url":"https://api.github.com/issues","keys_url":"https://api.github.com/user/keys","label_search_url":"https://api.github.com/search/labels?q={query}&repository_id={repository_id}{&page,per_page}","notifications_url":"https://api.github.com/notifications","organization_url":"https://api.github.com/orgs/{org}","organization_repositories_url":"https://api.github.com/orgs/{org}/repos{?type,page,per_page,sort}","organization_teams_url":"https://api.github.com/orgs/{org}/teams","public_gists_url":"https://api.github.com/gists/public","rate_limit_url":"https://api.github.com/rate_limit","repository_url":"https://api.github.com/repos/{owner}/{repo}","repository_search_url":"https://api.github.com/search/repositories?q={query}{&page,per_page,sort,order}","current_user_repositories_url":"https://api.github.com/user/repos{?type,page,per_page,sort}","starred_url":"https://api.github.com/user/starred{/owner}{/repo}","starred_gists_url":"https://api.github.com/gists/starred","topic_search_url":"https://api.github.com/search/topics?q={query}{&page,per_page}","user_url":"https://api.github.com/users/{user}","user_organizations_url":"https://api.github.com/user/orgs","user_repositories_url":"https://api.github.com/users/{user}/repos{?type,page,per_page,sort}","user_search_url":"https://api.github.com/search/users?q={query}{&page,per_page,sort,order}"}
xxxxxxx - fb033564-7e26-4cc6-828f-xxxxxxx - - [2024/04/26 15:48:54] [AuthFailure] Invalid authentication via OAuth2: unauthorized
xxxxxxx - fb033564-7e26-4cc6-828f-xxxxxxx - - [2024/04/26 15:48:53] xxxx.monitoring.xxxxx.com GET - "/oauth2/callback?code=xxxxxxxxxx&state=xxxxxxxx-xxxxxxxx%3A%2F" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" 403 2569 1.343

We extended the scope to include read:org based on this #2196 (comment), but it did not help.

The user is not just part of the organisation but actually the owner so access rights should not be an issue.

Steps To Reproduce

Possible Solutions

No response

Configuration details or additional information

The config we are using:

      --client-id=xxxxx
      --client-secret=xxxxx
      --cookie-secret=xxxxx
      --email-domain='*'
      --scope='user:email read:org'
      --provider=github
      --http-address=':4180'
      --reverse-proxy=true
      --footer='-'
      --skip-provider-button=true
@tuunit (Member)

tuunit commented Apr 26, 2024

Hi @rockhouse,

try to completely remove the scope flag.

@tuunit (Member)

tuunit commented Apr 26, 2024

You only use the flags mentioned in your config above? No other settings via environment variables?

@rockhouse (Author)

@tuunit Thanks for the hint, but unfortunately it does not solve the issue. There are no other settings via env vars.

@rockhouse (Author)

One thing changed, though: I only see Member of Github Organization/Team: in the logs, and not two entries like in my first message.

@rockhouse (Author)

@tuunit any other ideas?

Also, it would be nice to get more debugging output to analyse the problem better. Any idea how to achieve that?

@shepwalker

I think I've identified the issue. It looks like the email address isn't populating correctly for some users. Specifically, it's this loop here:

      for _, email := range emails {

If the user's primary email address isn't verified, it doesn't return an email address at all, which causes this check:

      if p.Validator(session.Email) && authorized {

to fail.

@rockhouse, would you be willing to confirm that the user you're seeing this with meets this condition? If not, I'll spin up a new issue for it.

Happy to PR this - just not sure what proper behavior should be: either the primary email address or the first verified email address, I guess?
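To make the failure mode from the issue body and from the comment above concrete, here is an added Go example. It is not oauth2-proxy's code: the GitHubEmail type, the function names, the allowAll validator and the sample /user/emails response are constructed for illustration (the JSON field names are the GitHub REST API's). primaryVerifiedOnly models the selection the comment describes, where an unverified primary address yields no email at all; preferPrimaryThenVerified is the fallback the comment floats. Both refuse unverified addresses, because a GitHub user can attach any address to their account without proving they own it, so an unverified address must never be what an email-domain allow-list is checked against.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// GitHubEmail mirrors one entry of GET /user/emails (GitHub REST API field
// names). The struct itself is an assumption for this example, not
// oauth2-proxy's own type.
type GitHubEmail struct {
	Email    string `json:"email"`
	Primary  bool   `json:"primary"`
	Verified bool   `json:"verified"`
}

// sampleEmails is a constructed /user/emails response for the situation in
// the issue: the primary address exists but is not verified, while a second,
// non-primary address is verified.
const sampleEmails = `[
  {"email":"owner@example.com","primary":true,"verified":false,"visibility":"public"},
  {"email":"owner@corp.example","primary":false,"verified":true,"visibility":null}
]`

// primaryVerifiedOnly models the selection described in the thread: only an
// address that is both primary and verified is returned; otherwise "".
func primaryVerifiedOnly(emails []GitHubEmail) string {
	for _, e := range emails {
		if e.Primary && e.Verified {
			return e.Email
		}
	}
	return ""
}

// preferPrimaryThenVerified is the alternative floated in the comment: use
// the verified primary address if there is one, else the first verified
// address. Unverified addresses are never returned (see lead-in for why).
func preferPrimaryThenVerified(emails []GitHubEmail) string {
	if e := primaryVerifiedOnly(emails); e != "" {
		return e
	}
	for _, e := range emails {
		if e.Verified {
			return e.Email
		}
	}
	return ""
}

// emailShape is a deliberately loose syntactic check; allowAll stands in for
// the proxy's validator under --email-domain='*' (an assumption for this
// example). An empty string never passes, which is how the unverified-primary
// case surfaces as "unauthorized" even though org and team checks succeeded.
var emailShape = regexp.MustCompile(`^[^@\s]+@[^@\s]+\.[^@\s]+$`)

func allowAll(email string) bool {
	return email != "" && emailShape.MatchString(email)
}

// decide reproduces the final gate: authorized reports the org/team result,
// so with membership already confirmed the verdict hinges on the email alone.
func decide(email string, authorized bool) bool {
	return allowAll(email) && authorized
}

func parseEmails(raw string) ([]GitHubEmail, error) {
	var out []GitHubEmail
	if err := json.Unmarshal([]byte(raw), &out); err != nil {
		return nil, err
	}
	return out, nil
}

func main() {
	emails, err := parseEmails(sampleEmails)
	if err != nil {
		panic(err)
	}
	authorized := true // org and team membership passed, as the issue's logs show
	fmt.Printf("primary-only: email=%q allowed=%v\n",
		primaryVerifiedOnly(emails), decide(primaryVerifiedOnly(emails), authorized))
	fmt.Printf("fallback:     email=%q allowed=%v\n",
		preferPrimaryThenVerified(emails), decide(preferPrimaryThenVerified(emails), authorized))
}
```

Run with `go run .`: the primary-only path returns an empty email and is denied despite authorized being true, which matches the "Member of Github Organization" lines followed by AuthFailure in the issue; the fallback path returns the verified secondary address and is allowed. Whichever policy a proxy adopts, the property to preserve is that verification, not primacy, is the condition for trusting an address.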

@rockhouse (Author)

Thanks @shepwalker, it was indeed the primary mail issue. For some reason my primary mail account on Github was "unavailable"; after I reset the mail and made sure I have a primary mail set in my Github account profile, I could log in again via oauth2.

@rockhouse (Author)

@shepwalker, if you need anything from me to further analyse the problem, let me know; otherwise I will close the issue for now. Thank you for your help.
