vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
MIT License

Email value not set so auth fails when using Github provider #563

Closed sigrdrifa closed 5 months ago

sigrdrifa commented 5 months ago

Hey, I'm trying to set up vouch with a GitHub provider but even though I can see the authentication happening, after the redirect I get a "403 Forbidden" on any protected domain/page I'm trying to view.

Looking at the vouch logs I can see that the problem is that the GitHub auth response payload for the user does not have the Email field set, it has a value of nil, despite the fact that I'm using the default scopes, and this even happens when I change the scope to include "user:email".

The vouch logs are here:

vouch-proxy_1  | {"level":"info","ts":1716986627.505399,"msg":"github userinfo body: {\"login\":\"sigrdrifa\",\"id\":83576392,\"node_id\":\"MDQ6VXNlcjgzNTc2Mzky\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/83576392?v=4\",\"gravatar_id\":\"\",\"url\":\"https://api.github.com/users/sigrdrifa\",\"html_url\":\"https://github.com/sigrdrifa\",\"followers_url\":\"https://api.github.com/users/sigrdrifa/followers\",\"following_url\":\"https://api.github.com/users/sigrdrifa/following{/other_user}\",\"gists_url\":\"https://api.github.com/users/sigrdrifa/gists{/gist_id}\",\"starred_url\":\"https://api.github.com/users/sigrdrifa/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/sigrdrifa/subscriptions\",\"organizations_url\":\"https://api.github.com/users/sigrdrifa/orgs\",\"repos_url\":\"https://api.github.com/users/sigrdrifa/repos\",\"events_url\":\"https://api.github.com/users/sigrdrifa/events{/privacy}\",\"received_events_url\":\"https://api.github.com/users/sigrdrifa/received_events\",\"type\":\"User\",\"site_admin\":false,\"name\":\"sig\",\"company\":null,\"blog\":\"\",\"location\":null,\"email\":null,\"hireable\":null,\"bio\":\"I like to code silly things on Linux\",\"twitter_username\":null,\"public_repos\":17,\"public_gists\":0,\"followers\":35,\"following\":2,\"created_at\":\"2021-05-03T08:10:17Z\",\"updated_at\":\"2024-05-27T22:12:14Z\",\"private_gists\":0,\"total_private_repos\":0,\"owned_private_repos\":0,\"disk_usage\":14940,\"collaborators\":0,\"two_factor_authentication\":true,\"plan\":{\"name\":\"free\",\"space\":976562499,\"collaborators\":0,\"private_repos\":10000}}"}
vouch-proxy_1  | {"level":"warn","ts":1716986627.5063438,"msg":"not a valid email: "}
vouch-proxy_1  | {"level":"warn","ts":1716986627.5068169,"msg":"/auth User is not authorized: verifyUser: Email  is not within a Vouch Proxy managed domain . Please try again or seek support from your administrator"}

Note that the email value is NULL.

While my vouch config provider section is pretty simple with:

  cookie:
    secure: true

oauth:
  provider: github
  client_id: <id>
  client_secret: <secret>

Any idea what could be going on here?

Thanks!
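The pattern in the logs above (a GitHub userinfo body with "email":null followed by a verifyUser rejection) can be picked out of vouch-proxy output mechanically. The Go program below is an added example, not part of the original issue or the vouch-proxy code base; the sample log is constructed, and `FindEmptyEmailLogins` and `Finding` are hypothetical names.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample shaped like the vouch-proxy lines in the report (placeholder users).
const sampleLog = `vouch-proxy_1  | {"level":"info","ts":1.0,"msg":"github userinfo body: {\"login\":\"alice\",\"email\":null}"}
vouch-proxy_1  | {"level":"warn","ts":1.2,"msg":"/auth User is not authorized: verifyUser: Email  is not within a Vouch Proxy managed domain ."}
vouch-proxy_1  | {"level":"info","ts":2.0,"msg":"github userinfo body: {\"login\":\"bob\",\"email\":\"bob@example.com\"}"}`
const bodyPrefix = "github userinfo body: "
// Finding is one userinfo response whose email was null or empty (hypothetical type).
type Finding struct{ Login string; Denied bool }

// FindEmptyEmailLogins reports logins that arrived without an email and whether
// a "User is not authorized" warning followed before the next userinfo line.
func FindEmptyEmailLogins(log string) []Finding {
	var out []Finding
	pending := -1 // index of the latest empty-email finding still awaiting an outcome
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		start := strings.Index(line, "{") // skip the "vouch-proxy_1  | " compose prefix
		var entry struct{ Level, Msg string }
		if start < 0 || json.Unmarshal([]byte(line[start:]), &entry) != nil {
			continue // not a structured log line
		}
		if strings.HasPrefix(entry.Msg, bodyPrefix) {
			var u struct{ Login string; Email *string } // pointer keeps JSON null distinguishable
			pending = -1
			body := strings.TrimPrefix(entry.Msg, bodyPrefix)
			if json.Unmarshal([]byte(body), &u) == nil && (u.Email == nil || *u.Email == "") {
				out = append(out, Finding{Login: u.Login})
				pending = len(out) - 1
			}
		} else if pending >= 0 && strings.Contains(entry.Msg, "User is not authorized") {
			out[pending].Denied = true
		}
	}
	return out
}

func main() {
	for _, f := range FindEmptyEmailLogins(sampleLog) {
		fmt.Printf("login=%s email=empty denied=%v\n", f.Login, f.Denied)
	}
}
```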

bnfinet commented 5 months ago

Happy to help you with that. Gonna need more info. Please read the README and provide all that stuff in the manner suggested.

sigrdrifa commented 5 months ago

Sure thing! I'll get those things posted tomorrow

bnfinet commented 5 months ago

I'm going to close this, feel free to post your logs and we can work it