OAuth2: Configuring Github for OAuth2

Github allows users or systems to access its API via OAuth2.  Although this mechanism is often used on the public internet to authenticate users into a third-party site, note that OIDC is not implemented: there is no id_token, so a client that wants to know who logged in must call the user API with the access token, as shown at the end of this article.

In this article, I will show how to use the Github developer settings to configure an OAuth Application that can support OAuth2.  We will then use a small, local Docker image to implement the Client Application side and smoke test the solution.

Prerequisites

Go to your Github OAuth settings

Log in to your github.com account, click on your profile picture at the top right, then select “Settings”.

https://github.com/settings/profile

As shown in the screenshots in the official docs, select “Developer Settings” at the bottom of the left-hand navigation, then “OAuth Apps”.

Create an OAuth Application

Press the “New OAuth App” button.

Use the name “ghubtest1”, homepage “http://localhost:8080”, and Authorization callback URL “http://localhost:8080/login/github/callback”.  Then press “Register Application”.

Configure the OAuth2 Application

You will then be directed to the Application main page, where it will show you the name and the generated OAuth2 client id.  You will need to press the “Generate a new client secret” button, and it will then show the OAuth2 client secret.

Copy down the client id and client secret for use in testing later.  The secret is only displayed at the moment it is generated, and anyone holding it can complete the code exchange for this App, so treat it like a password.


Validate flow with sample Client Application

You now have the necessary Github App configuration to support OAuth2 from the “Authorization Server” perspective. You can validate it with your browser and a small local web application that plays the role of the OAuth2 “Client Application” entity.

I would recommend enabling the developer tools of your browser (F12 on Firefox and Chrome), so you can follow along with the network requests being made.

I have built a small Docker image using Go that serves the role of “Client Application”.  It starts a web server on localhost:8080 and is ready to accept a code back from Github at “http://localhost:8080/login/github/callback”.

export AUTH_SERVER=github.com
export AUTH_PROVIDER=github

# values shown after App creation
export CLIENT_ID=<the oauth2 client id>
export CLIENT_SECRET=<the oauth2 client secret>

export SCOPE="user"

# remove any older container runs
docker rm oauth2-client-app-golang

# run docker image locally, listening on localhost:8080
# (with --network host the container shares the host network stack, so the -p mapping is redundant)
docker run -it --rm \
--name oauth2-client-app-golang \
--network host \
-p 8080:8080 \
-e AUTH_PROVIDER=$AUTH_PROVIDER \
-e AUTH_SERVER=$AUTH_SERVER \
-e CLIENT_ID=$CLIENT_ID \
-e CLIENT_SECRET=$CLIENT_SECRET \
-e SCOPE="$SCOPE" \
fabianlee/oauth2-client-app-golang:1.0.0

Pointing your browser at http://localhost:8080 will show a simple web page with a login link.

Press “OAuth2 LOGIN to github” and you will be redirected to “localhost:8080/login/”, which silently redirects to Github at “https://github.com/login/oauth/authorize” with the parameters client_id, scope, and redirect_uri.

Github will then display a login form where you can enter the credentials of a valid Github user.  Use the same credentials that you signed into the developer console with, and press “LOG IN”.

An OAuth2 consent page will then display with a set of permissions based on the scopes.  Press “Authorize”.

From the browser developer console you will see Github redirect the browser back to “http://localhost:8080/login/github/callback” with a GET request carrying a code parameter.
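The two browser-facing steps just described (the redirect from /login/ to Github, and the callback carrying the code), as an added Go example that is not part of this article or of the fabianlee/oauth2-client-app-golang image. The Client type, CodeExchange function type and the two handlers are assumed names. It goes one step beyond the flow described above by adding the OAuth2 state parameter: /login/ mints a random value, stores it in an HttpOnly cookie and sends it along with client_id, scope and redirect_uri, and the callback refuses to use the code unless Github echoes that same value back. The code exchange and user lookup themselves are injected as a CodeExchange function so the handlers can be exercised without contacting Github.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"log"
	"net/http"
	"net/url"
)

// stateCookie carries the per-login state value between /login/ and the callback.
const stateCookie = "oauth_state"

// CodeExchange is the work done once the client holds a code: trade it for an access token and
// look up the GitHub login. It is injected so the handlers can be exercised without GitHub.
type CodeExchange func(code string) (login string, err error)

// Client is the hypothetical "Client Application" on localhost:8080: the values registered on
// the OAuth App page plus the exchange step.
type Client struct {
	ClientID, RedirectURI, Scope string
	AuthorizeURL                 string // https://github.com/login/oauth/authorize
	Exchange                     CodeExchange
}

// LoginHandler serves /login/. It mints a random state, keeps it in an HttpOnly cookie that the
// browser will present on the callback, and redirects to GitHub with client_id, scope,
// redirect_uri and that state.
func (c *Client) LoginHandler(w http.ResponseWriter, r *http.Request) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		http.Error(w, "cannot generate state", http.StatusInternalServerError)
		return
	}
	state := hex.EncodeToString(b)
	http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: state, Path: "/login/", HttpOnly: true,
		SameSite: http.SameSiteLaxMode, MaxAge: 300})
	q := url.Values{"client_id": {c.ClientID}, "redirect_uri": {c.RedirectURI}, "scope": {c.Scope}, "state": {state}}
	http.Redirect(w, r, c.AuthorizeURL+"?"+q.Encode(), http.StatusFound)
}

// CallbackHandler serves /login/github/callback. The code is exchanged only when the state
// echoed back by GitHub matches the cookie set by LoginHandler; a callback that did not start
// from this browser's /login/ request is refused before the code is ever used.
func (c *Client) CallbackHandler(w http.ResponseWriter, r *http.Request) {
	ck, err := r.Cookie(stateCookie)
	// an empty cookie must not match an absent state parameter, hence the explicit check
	if err != nil || ck.Value == "" || subtle.ConstantTimeCompare([]byte(ck.Value), []byte(r.URL.Query().Get("state"))) != 1 {
		http.Error(w, "state mismatch", http.StatusBadRequest)
		return
	}
	// the state is single-use: expire the cookie so a replayed callback fails the check above
	http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: "", Path: "/login/", HttpOnly: true, MaxAge: -1})
	login, err := c.Exchange(r.URL.Query().Get("code"))
	if err != nil {
		log.Printf("code exchange failed: %v", err) // details stay in the server log
		http.Error(w, "code exchange failed", http.StatusBadGateway)
		return
	}
	fmt.Fprintf(w, "logged in as %s\n", login)
}
```

To serve it, register both handlers on the paths the article uses (http.HandleFunc("/login/", c.LoginHandler) and http.HandleFunc("/login/github/callback", c.CallbackHandler)) and listen on localhost:8080; the more specific callback pattern wins over the /login/ prefix in Go's ServeMux. The comparison is constant-time and the cookie is cleared after one use, so a callback replayed from the browser history fails the same check as a forged one.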

Invisibly to the end user, the Client web application then takes this code and exchanges it for an Access Token via a POST to https://github.com/login/oauth/access_token.  You can see these values in the container console.

The Github user info endpoint at https://api.github.com/user is then called with an “Authorization: Bearer <accessToken>” header to show the user details and prove that the access token is valid.
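The two server-side calls just described (the POST to https://github.com/login/oauth/access_token and the GET to https://api.github.com/user), as an added Go example that is neither the article's code nor the fabianlee image. App, Token, User, doJSON, Exchange and FetchUser are assumed names; the token and user endpoints are package variables so a test can point them at a local stand-in. It also shows two details a practitioner wants right: the Accept: application/json header, without which Github answers form-encoded, and treating an "error" field in the token body as failure even though the response parsed. The main function lets you redo the exchange by hand for a code copied from the callback URL in the developer tools; a code is single-use, so one the container has already exchanged will be rejected.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// GitHub's endpoints, as variables so a test can point them at a local stand-in.
var (
	tokenURL   = "https://github.com/login/oauth/access_token"
	userURL    = "https://api.github.com/user"
	httpClient = &http.Client{Timeout: 10 * time.Second}
)

// App holds the values registered on the GitHub OAuth App page (CLIENT_ID, CLIENT_SECRET,
// SCOPE and the callback URL from the article).
type App struct{ ClientID, ClientSecret, RedirectURI, Scope string }

// Token is GitHub's JSON token response. A rejected code can arrive as an "error" field in
// the body, so the HTTP status alone is not enough to decide success.
type Token struct {
	AccessToken string `json:"access_token"`
	Scope       string `json:"scope"`
	Error       string `json:"error"`
}

// User is the part of the api.github.com/user response used to prove the token works.
type User struct{ Login string `json:"login"` }

// doJSON sends the request and decodes a JSON body. GitHub's token endpoint answers
// form-encoded unless the request carries Accept: application/json.
func doJSON(req *http.Request, out interface{}) error {
	req.Header.Set("Accept", "application/json")
	resp, err := httpClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s returned HTTP %d", req.URL.Path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Exchange POSTs the one-time code to the token endpoint. The client secret travels only on
// this server-to-server call and never through the browser.
func (a App) Exchange(code string) (*Token, error) {
	form := url.Values{"client_id": {a.ClientID}, "client_secret": {a.ClientSecret}, "code": {code}, "redirect_uri": {a.RedirectURI}}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	var tok Token
	if err := doJSON(req, &tok); err != nil {
		return nil, err
	}
	if tok.Error != "" || tok.AccessToken == "" {
		return nil, fmt.Errorf("token exchange failed: %q", tok.Error)
	}
	return &tok, nil
}

// FetchUser calls the user endpoint with the bearer token, the smoke test the article describes.
func (a App) FetchUser(accessToken string) (*User, error) {
	req, err := http.NewRequest(http.MethodGet, userURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	var u User
	if err := doJSON(req, &u); err != nil {
		return nil, err
	}
	return &u, nil
}

// main completes the exchange by hand for a code copied from the callback URL in the
// browser's developer tools: CLIENT_ID=... CLIENT_SECRET=... go run . <code>
func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: go run . <code from the callback URL>")
	}
	app := App{os.Getenv("CLIENT_ID"), os.Getenv("CLIENT_SECRET"), "http://localhost:8080/login/github/callback", "user"}
	tok, err := app.Exchange(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	u, err := app.FetchUser(tok.AccessToken)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("login=%s granted_scope=%q\n", u.Login, tok.Scope)
}
```

The granted scope printed at the end comes from the token response itself, which is worth comparing against the SCOPE you requested: the consent page lets the user see what is being asked for, and the token response tells the client what was actually granted.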


REFERENCES

github docs on OAuth2

github docs on OAuth2 scopes

fabianlee github, oauth2-client-app-golang

fabianlee dockerhub, oauth2-client-app-golang