fix: support custom OAuth2 URLs for GitHub Enterprise and self-hosted providers (#3513)

- Use custom authURL/tokenURL from config instead of hardcoded github.com endpoints
- Properly configure GitHub Enterprise API base URL from auth endpoints

Fixes OAuth2 authentication with GitHub Enterprise Server and other
self-hosted OAuth2 providers.

Signed-off-by: Mathias Bogaert <mathias.bogaert@gmail.com>
Mathias Bogaert
2025-11-04 13:11:05 +01:00
committed by GitHub
parent fdba14b9a3
commit 3fd69faf5d
4 changed files with 56 additions and 2 deletions
+35 -1
@@ -346,7 +346,7 @@ In the case of running zot with openid enabled behind a proxy/load balancer http
"http": {
"address": "0.0.0.0",
"port": "8080",
"externalUrl: "https://zot.example.com",
"externalUrl": "https://zot.example.com",
"auth": {
"openid": {
"providers": {
@@ -362,6 +362,40 @@ In the case of running zot with openid enabled behind a proxy/load balancer http
```
This config value will be used by oauth2/openid clients to redirect back to zot.
### OpenID/OAuth2 Social Login with Custom URLs (Self-Hosted Providers)
#### Use Cases
- GitHub Enterprise Server (on-premises GitHub)
- GitLab Self-Managed instances
- Custom corporate OAuth2/OIDC providers
When integrating zot with self-hosted OAuth2 providers like GitHub Enterprise Server, GitLab Self-Managed,
or custom OIDC implementations, you must specify custom authentication and token endpoints since
the default public endpoints won't work.
```
"http": {
"address": "0.0.0.0",
"port": "8080",
"externalUrl": "https://zot.example.com",
"auth": {
"openid": {
"providers": {
"github": {
"clientid": <client_id>,
"clientsecret": <client_secret>,
"authurl": "https://github.company.com/login/oauth/authorize", // Custom GHE authorization endpoint
"tokenurl": "https://github.company.com/login/oauth/access_token", // Custom GHE token endpoint
"scopes": ["read:org", "user", "repo"]
}
}
}
}
}
```
Without `authurl`/`tokenurl`, zot assumes public GitHub.com endpoints.
### Session based login
Whenever a user logs in zot using any of the auth options available(basic auth/openid) zot will set a 'session' cookie on its response.
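Review bot: The new "Custom URLs" section should say that `authurl` and `tokenurl` are trusted endpoints, because zot will send the `clientsecret` and the authorization code to whatever host `tokenurl` names. I would add a sentence after the example requiring both to be `https://` URLs on a host the operator controls. The commit message says the GitHub Enterprise API base URL is configured from the auth endpoints, but the docs do not describe that derivation, so a reader cannot tell which host ends up receiving the access token; please document it next to the `Without authurl/tokenurl` line. The example also lists `"scopes": ["read:org", "user", "repo"]` without explaining why `repo` is needed; on GitHub that scope grants read and write access to private repositories, so either justify it or drop it from the sample. Smaller points: the block is not copy-pasteable as JSON (unquoted `<client_id>`/`<client_secret>` and `//` comments), and the use cases name GitLab Self-Managed and custom OIDC providers while the only example and the fallback sentence cover `github`, so it is unclear whether these keys apply to other providers.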