{"id":34587428,"url":"https://github.com/ashleykleynhans/github-oauth-proxy","last_synced_at":"2026-02-12T16:00:59.152Z","repository":{"id":147098742,"uuid":"537222431","full_name":"ashleykleynhans/github-oauth-proxy","owner":"ashleykleynhans","description":"Webhook to proxy Github oAuth2 user information to Spinnaker","archived":false,"fork":false,"pushed_at":"2025-09-25T05:59:33.000Z","size":41,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-09-25T07:24:55.246Z","etag":null,"topics":["github","lambda","oauth2","proxy","spinnaker","webhook","zappa"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ashleykleynhans.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-09-15T22:14:12.000Z","updated_at":"2025-09-25T05:59:36.000Z","dependencies_parsed_at":null,"dependency_job_id":"81549d5a-8d56-44d4-9b33-24f503df2c21","html_url":"https://github.com/ashleykleynhans/github-oauth-proxy","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/ashleykleynhans/github-oauth-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashleykleynhans%2Fgithub-oauth-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashleykleynhans%2Fgithub-oauth-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashleykleynhans%2Fgithub-oauth-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashleykleynhans%2Fgithub-oauth-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ashleykleynhans","download_url":"https://codeload.github.com/ashleykleynhans/github-oauth-proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ashleykleynhans%2Fgithub-oauth-proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29371380,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-12T08:51:36.827Z","status":"ssl_error","status_checked_at":"2026-02-12T08:51:26.849Z","response_time":55,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github","lambda","oauth2","proxy","spinnaker","webhook","zappa"],"created_at":"2025-12-24T10:35:17.722Z","updated_at":"2026-02-12T16:00:59.134Z","avatar_url":"https://github.com/ashleykleynhans.png","language":"Python","funding_links":["https://www.buymeacoffee.com/ashleyk"],"categories":[],"sub_categories":[],"readme":"# Github oAuth2 Proxy for Spinnaker\n\n[![Python Version: 3.12](\nhttps://img.shields.io/badge/Python%20application-v3.12-blue\n)](https://www.python.org/downloads/release/python-3123/)\n[![License: GPL 3.0](\nhttps://img.shields.io/github/license/ashleykleynhans/github-oauth-proxy\n)](https://opensource.org/licenses/GPL-3.0)\n\n## Background\n\nSpinnaker supports the Github oAuth2 provider, but unfortunately the\ndetail from the user profile is not very useful to restrict access to\nthe Spinnaker instance based on permissions, such as requiring the user\nto belong to a specific Github organization for example.  This means\nthat anyone with a Github account is then able to log in to your\nSpinnaker instance.\n\nThis proxy not only calls the Github user endpoint, but also calls\nthe Github orgs and emails endpoints in order to gather more verbose\ninformation about a user so that you can require one or more of the\nfollowing permissions:\n\n- User must belong to a specific Github organization.\n- User must have an email account associated with their Github account\nthat matches a specific domain name.\n- User must have their email account that matches a specific domain\nname set as their primary email address on their Github account.\n\n## Prerequisites\n\n1. Install [ngrok](https://ngrok.com/).\n   ```bash\n   brew install ngrok\n   ```\n2. Ensure your System Python3 version is 3.12.\n   ```bash\n   python3 -V\n   ```\n3. If your System Python is not 3.12:\n   ```bash\n   brew install python@3.12\n   brew link python@3.12\n   ```\n\n## Configuring required conditions, and/or user mapping (optional)\n\nThese steps are completely **optional**, and only need to be\nconfigured if you require additional preconditions for a Github\nuser to be able to log in to Spinnaker.\n\n1. Create a file called `config.yml`.\n2. If you require that a Github user is a member of your specific\nGithub organisation, insert the following content:\n   ```yaml\n   ---\n   github:\n     required:\n       org: ExampleDotCom\n   ```\n3. If you require that a Github user has your company email configured\nas one of their email addresses in their Github account:\n   ```yaml\n   ---\n   github:\n     required:\n       email:\n         domain: example.com\n   ```\n4. If you require that a Github user has your company email configured\n   as one of their email addresses, and that it is set as their primary\n   email address in their Github account:\n   ```yaml\n   ---\n   github:\n     required:\n       email:\n         domain: example.com\n         domain_required_as_primary: true\n   ```\n5. If you want to map the Github username/login to something more\n   meaningful:\n   ```yaml\n   ---\n   spinnaker:\n     username_mapping:\n       githubuser123: marcus\n       githubuser456: susan\n       githubuser789: james\n   ```\n   For example, if the Github username is `githubuser123`, it will be\n   remapped to `marcus` etc.\n\n## Running Tests\n\n1. Create a Python 3.12 Virtual Environment:\n   ```bash\n   python3 -m venv venv/py3.12\n   source venv/py3.12/bin/activate\n   ```\n2. Install the test dependencies:\n   ```bash\n   pip3 install -r requirements-test.txt\n   ```\n3. Run the tests:\n   ```bash\n   pytest -v\n   ```\n   A coverage report will be included automatically.\n\n## Testing your Webhook\n\n1. Run the webhook receiver from your terminal.\n   ```bash\n   python3 webhook.py\n   ```\n2. Open a new terminal window and use [ngrok](https://ngrok.com/) to create\n   a URL that is publicly accessible through the internet by creating a tunnel\n   to the webhook receiver that is running on your local machine.\n   ```bash\n   ngrok http 8090\n   ```\n3. Note that the ngrok URL will change if you stop ngrok and run it again,\n   so keep it running in a separate terminal window, otherwise you will not\n   be able to test your webhook successfully.\n4. Take note of the URL that is returned by ngrok (don't stop it).\n5. Edit/create your `/home/spinnaker/.hal/default/profiles/gate-local.yml`\n   Gate configuration file, and insert the following contents, obviously\n   replacing the `clientId`, `clientSecret`, `preEstablishedRedirectUri`\n   and `userInfoUri` with your own.\n   ```yml\n   security:\n     oauth2:\n       enabled: true\n       client:\n         clientId: YOUR_GITHUB_CLIENT_ID_GOES_HERE\n         clientSecret: YOUR_GITHUB_CLIENT_SECRET_GOES_HERE\n         accessTokenUri: https://github.com/login/oauth/access_token\n         userAuthorizationUri: https://github.com/login/oauth/authorize\n         scope: user:email,read:org\n         preEstablishedRedirectUri: http://YOUR_GATE_URL/login\n         useCurrentUri: false\n       resource:\n         userInfoUri: https://f00d-00-111-0-111.ngrok.io/info\n       userInfoMapping:\n         email: email\n         firstName: firstname\n         lastName: lastname\n         username: username\n   ```\n\n## Deploy to AWS Lambda\n\n1. Create a Python 3.12 Virtual Environment:\n   ```bash\n   python3 -m venv venv/py3.12\n   source venv/py3.12/bin/activate\n   ```\n2. Upgrade pip.\n   ```bash\n   python3 -m pip install --upgrade pip\n   ```\n3. Install the Python dependencies that are required by the Webhook receiver:\n   ```bash\n   pip3 install -r requirements.txt\n   ```\n4. Create a file called `zappa_settings.json` and insert the JSON content below\nto configure your AWS Lambda deployment:\n   ```json\n   {\n       \"user\": {\n           \"app_function\": \"webhook.app\",\n           \"aws_region\": \"us-west-2\",\n           \"lambda_description\": \"Github oAuth2 Proxy for Spinnaker\",\n           \"profile_name\": \"default\",\n           \"project_name\": \"yourproject\",\n           \"runtime\": \"python3.12\",\n           \"s3_bucket\": \"github-oauth2-proxy\",\n           \"tags\": {\n              \"service\": \"github-oauth2-proxy\"\n           }\n       }\n   }\n   ```\n5. Use [Zappa](https://github.com/Zappa/Zappa) to deploy your Webhook\n   to AWS Lambda (this is installed as part of the dependencies above):\n   ```bash\n   zappa deploy\n   ```\n6. Take note of the URL that is returned by the `zappa deploy` command,\n   eg. `https://1d602d00.execute-api.us-east-1.amazonaws.com/github-webhook`\n   (obviously use your own and don't copy and paste this one, or your\n   Webhook will not work).\n\n   **NOTE:** If you get the following error when running the `zappa deploy` command:\n\n   \u003cpre\u003e\n   botocore.exceptions.ClientError:\n   An error occurred (IllegalLocationConstraintException) when calling\n   the CreateBucket operation: The unspecified location constraint\n   is incompatible for the region specific endpoint this request was sent to.\n   \u003c/pre\u003e\n\n   This error usually means that your S3 bucket name is not unique, and that you\n   should change it to something different, since the S3 bucket names are not\n   namespaced and are global for everyone.\n7. Check the status of the API Gateway URL that was created by zappa:\n   ```bash\n   zappa status\n   ```\n8. Test your webhook by making a curl request to the URL that was returned\n   by `zappa deploy`:\n   ```\n   curl https://1d602d00.execute-api.us-east-1.amazonaws.com/user\n   ```\n   You should expect the following response:\n   ```json\n   {\"status\":\"ok\"}\n   ```\n9. Update your `userInfoUri` URL in your Spinnaker\n   `/home/spinnaker/.hal/default/profiles/gate-local.yml` configuration file\n   to the one returned by the `zappa deploy` command and append the\n   `/info` endpoint.\n   ```yaml\n       resource:\n         userInfoUri: https://1d602d00.execute-api.us-east-1.amazonaws.com/user/info\n   ```\n10. You can view your logs by running:\n   ```bash\n   zappa tail\n   ```\n\n## Community and Contributing\n\nPull requests and issues on [GitHub](https://github.com/ashleykleynhans/github-oauth-proxy)\nare welcome. Bug fixes and new features are encouraged.\n\n## Appreciate my work?\n\n\u003ca href=\"https://www.buymeacoffee.com/ashleyk\" target=\"_blank\"\u003e\u003cimg src=\"https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png\" alt=\"Buy Me A Coffee\" style=\"height: 60px !important;width: 217px !important;\" \u003e\u003c/a\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fashleykleynhans%2Fgithub-oauth-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fashleykleynhans%2Fgithub-oauth-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fashleykleynhans%2Fgithub-oauth-proxy/lists"}