diff --git a/Documentation/connectors/github.md b/Documentation/connectors/github.md
index ddf118691cab995a4f678a5c92af933e30a93843..fa8f0eb219229928fc0c95d4c28aaf13e3ff5da2 100644
--- a/Documentation/connectors/github.md
+++ b/Documentation/connectors/github.md
@@ -45,8 +45,8 @@ connectors:
# If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
# authenticate with dex.
#
- # If neither 'org' nor 'orgs' are specified in the config then user authenticate with ALL user's Github groups.
- # Typical use case for this setup:
+ # If neither 'org' nor 'orgs' are specified in the config and 'loadAllGroups' setting set to true then user
+ # authenticate with ALL user's Github groups. Typical use case for this setup:
# provide read-only access to everyone and give full permissions if user has 'my-organization:admins-team' group claim.
orgs:
- name: my-organization
@@ -56,6 +56,8 @@ connectors:
teams:
- red-team
- blue-team
+ # Flag which indicates that all user groups and teams should be loaded.
+ loadAllGroups: false
# Optional choice between 'name' (default) or 'slug'.
#
diff --git a/connector/github/github.go b/connector/github/github.go
index 977d190fe6de46a15346bee09897d81bac76d215..48efd52d33bc17bff4ddc10a7041495ab7288498 100644
--- a/connector/github/github.go
+++ b/connector/github/github.go
@@ -48,6 +48,7 @@ type Config struct {
HostName string `json:"hostName"`
RootCA string `json:"rootCA"`
TeamNameField string `json:"teamNameField"`
+ LoadAllGroups bool `json:"loadAllGroups"`
}
// Org holds org-team filters, in which teams are optional.
@@ -107,6 +108,7 @@ func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector
}
}
+ g.loadAllGroups = c.LoadAllGroups
switch c.TeamNameField {
case "name", "slug", "":
@@ -142,8 +144,11 @@ type githubConnector struct {
// Used to support untrusted/self-signed CA certs.
rootCA string
// HTTP Client that trusts the custom delcared rootCA cert.
- httpClient *http.Client
+ httpClient *http.Client
+ // optional choice between 'name' (default) or 'slug'
teamNameField string
+ // if set to true and no orgs are configured then connector loads all user claims (all orgs and team)
+ loadAllGroups bool
}
// groupsRequired returns whether dex requires GitHub's 'read:org' scope. Dex
@@ -325,7 +330,7 @@ func (c *githubConnector) getGroups(ctx context.Context, client *http.Client, gr
return c.groupsForOrgs(ctx, client, userLogin)
} else if c.org != "" {
return c.teamsForOrg(ctx, client, c.org)
- } else if groupScope {
+ } else if groupScope && c.loadAllGroups {
return c.userGroups(ctx, client)
}
return nil, nil
diff --git a/connector/github/github_test.go b/connector/github/github_test.go
index 7069091de8e4ab98e243240b8e4fc9059a486473..9220cc62e5eb63e00c4b893cdb6cddf6a62d04eb 100644
--- a/connector/github/github_test.go
+++ b/connector/github/github_test.go
@@ -115,6 +115,9 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9",
"expires_in": "30",
}},
+ "/user/orgs": {
+ data: []org{{Login: "org-1"}},
+ },
})
defer s.Close()
@@ -125,10 +128,18 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
expectNil(t, err)
c := githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient()}
- identity, err := c.HandleCallback(connector.Scopes{}, req)
+ identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
+
+ expectNil(t, err)
+ expectEquals(t, identity.Username, "some-login")
+ expectEquals(t, 0, len(identity.Groups))
+
+ c = githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient(), loadAllGroups: true}
+ identity, err = c.HandleCallback(connector.Scopes{Groups: true}, req)
expectNil(t, err)
expectEquals(t, identity.Username, "some-login")
+ expectEquals(t, identity.Groups, []string{"org-1"})
}