Bug (v5-beta1) GitHub Login #10823

Closed
Xopherus opened this issue Feb 7, 2018 · 9 comments

@Xopherus

Xopherus commented Feb 7, 2018

I'm using the new v5 beta with the github auth plugin.

Here's our config:

[auth.github]
enabled = true
allow_sign_up = true
client_id = ${github_client_id}
client_secret = ${github_client_secret}
scopes = user:email,read:org
auth_url = https://github.com/login/oauth/authorize
token_url = https://github.com/login/oauth/access_token
api_url = https://github.com/gitapi/user
team_ids = ${github_team_id}
allowed_organizations = ${github_team_name}

When a user (who belongs to the github organization) attempts to log in, we receive:

[image]

I was able to get some info from the logs:

t=2018-02-07T14:51:24+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login/github status=302 remote_addr=10.x.x.x. time_ms=0 size=304 referer=https://grafana.mydomain.com/login
t=2018-02-07T14:51:25+0000 lvl=eror msg="User not a member of one of the required organizations" logger=context userId=0 orgId=0 uname=
@DanCech
Collaborator

DanCech commented Feb 7, 2018

Have you verified that the ${github_team_name} in your config matches your github organization? If you are using team_ids then you can also just set allowed_organizations = since you're already restricting by team id which is more specific anyway.

@Xopherus
Author

Xopherus commented Feb 7, 2018

Yep, I've verified that. Those have not changed during the upgrade. 4.6 was stable with that configuration, the 5.0 beta is not.

@Xopherus
Author

Xopherus commented Feb 7, 2018

This seems to be related to the changes in #10112, specifically if your user is a member of a private GitHub org.

I can look up my user to get the organization URL:

curl -H "Authorization: token foobar" https://github.com/gitapi/user

{
  "login": "Xopherus",
  "organizations_url": "https://github.com/gitapi/users/Xopherus/orgs",
  "type": "User",
}

Then if I curl the organization_url returned in that response, I don't get back all of the orgs I belong to.

curl -H "Authorization: token foobar" https://github.com/gitapi/users/Xopherus/orgs

[
  {
    "login": "zerofox-oss",
    "url": "https://github.com/gitapi/orgs/zerofox-oss",
  }
]

It seems like we should be using GET /user/orgs instead of GET /user/:user/orgs. That way if you're running Grafana with a private GitHub org you can still log in.
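
The endpoint difference described in the comment above, as an added example that is not part of the original thread or Grafana's code. A local mock stands in for the GitHub API (public memberships only under /users/:user/orgs, all memberships under /user/orgs); `mockGitHub`, `isMember` and the org name `example-private-org` are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// mockGitHub serves constructed data that follows the visibility rules of the two org-listing endpoints.
func mockGitHub() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		orgs := []map[string]string{{"login": "zerofox-oss"}} // /users/:user/orgs: public memberships only
		if r.URL.Path == "/user/orgs" { // authenticated user's own list: private memberships too
			orgs = append(orgs, map[string]string{"login": "example-private-org"})
		}
		json.NewEncoder(w).Encode(orgs)
	}))
}

// isMember fetches orgsURL with the token and reports whether any returned org is in the allowed set.
func isMember(orgsURL, token string, allowed map[string]bool) (bool, error) {
	req, err := http.NewRequest("GET", orgsURL, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "token "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	var orgs []struct{ Login string } // decodes the JSON "login" key
	if err := json.NewDecoder(resp.Body).Decode(&orgs); err != nil {
		return false, err
	}
	member := false
	for _, o := range orgs {
		member = member || allowed[o.Login]
	}
	return member, nil
}

func main() {
	srv := mockGitHub()
	defer srv.Close()
	allowed := map[string]bool{"example-private-org": true} // stands in for allowed_organizations
	fmt.Println(isMember(srv.URL+"/users/Xopherus/orgs", "foobar", allowed))
	fmt.Println(isMember(srv.URL+"/user/orgs", "foobar", allowed))
}
```

With the same token, the membership check fails against the per-user listing and passes against the authenticated user's own listing, which matches the "User not a member of one of the required organizations" log line for members of a private org.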

inish777 added a commit to inish777/grafana that referenced this issue Feb 9, 2018
@torkelo torkelo added this to the 5.0.0-beta2 milestone Feb 12, 2018
@torkelo torkelo closed this as completed Feb 12, 2018
torkelo pushed a commit that referenced this issue Feb 12, 2018
* Fix of #10823

* Typo fix

* Revert Gopkg.lock
ryantxu added a commit to NatelEnergy/grafana that referenced this issue Feb 13, 2018
* grafana/master:
  new dashboard is now hidden from viewer, fixes grafana#10815 (grafana#10854)
  fixed bg gradient, fixes grafana#10869 (grafana#10875)
  login: fix broken reset password form (grafana#10881)
  docs: spelling.
  dashboard: always make sure dashboard exist in dashboard acl http api (grafana#10856)
  Fix grafana#10823 (grafana#10851)
  provisioning: better variable naming
  provisioning: dont return error unless you want to cancel all operations
  provisioning: createWalkFn doesnt have to be attached to the filereader anymore
  provisioning: update sample config to use path
  provisioning: avoid caching and use updated field from db
  provisioning: delete dashboards before insert/update
  provisioning: fixed bug in saving dashboards.
  provisioning: delete dashboards from db when file is missing
  provisioning: enables title changes for dashboards
  dashboards: save provisioning meta data
  provisioing: add lookup table provisioned dashboards
  codestyle: extract code into methods
@IngmarStein

We've just updated from 4.6.3 to 5.0.0 beta 3 and GitHub authentication now results in the "User not a member of one of the required organizations". The configuration is supplied through environment variables and is unchanged from the previous version which authenticated successfully.

@inish777
Contributor

@IngmarStein @torkelo I'll investigate it and fix in 24 hours

@pesimon

pesimon commented Feb 20, 2018

Seeing same issue here with priv Github Org and 5.0.0-beta4

@torkelo
Member

torkelo commented Feb 20, 2018

fix is coming in beta5 (or get it now in nightly build), reverted the #10823 change that caused the issue

@pesimon

pesimon commented Feb 20, 2018

Just checked Grafana v5.0.0-beta4 (commit: 3964d6b) but still
t=2018-02-20T15:47:26+0000 lvl=eror msg="User not a member of one of the required organizations" logger=context userId=0 orgId=0 uname= unfortunately.

@pesimon

pesimon commented Feb 28, 2018

#11028 works. thx a lot

This issue was closed.