fix: support custom OAuth2 URLs for GitHub Enterprise and self-hosted providers (#3513)

- Use custom authURL/tokenURL from config instead of hardcoded github.com endpoints
- Properly configure GitHub Enterprise API base URL from auth endpoints

Fixes OAuth2 authentication with GitHub Enterprise Server and other
self-hosted OAuth2 providers.

Signed-off-by: Mathias Bogaert <mathias.bogaert@gmail.com>

pkg/api/authn.go

@@ -615,12 +615,24 @@ func NewRelyingPartyGithub(config *config.Config, provider string, hashKey, encr
 	_, clientID, clientSecret, redirectURI, scopes,
 		options := getRelyingPartyArgs(config, provider, hashKey, encryptKey, log)
 
+	var endpoint oauth2.Endpoint
+
+	// Use custom endpoints if provided, otherwise fallback to GitHub's endpoints
+	if provider := config.HTTP.Auth.OpenID.Providers[provider]; provider.AuthURL != "" && provider.TokenURL != "" {
+		endpoint = oauth2.Endpoint{
+			AuthURL:  provider.AuthURL,
+			TokenURL: provider.TokenURL,
+		}
+	} else {
+		endpoint = githubOAuth.Endpoint
+	}
+
 	rpConfig := &oauth2.Config{
 		ClientID:     clientID,
 		ClientSecret: clientSecret,
 		RedirectURL:  redirectURI,
 		Scopes:       scopes,
-		Endpoint:     githubOAuth.Endpoint,
+		Endpoint:     endpoint,
 	}
 
 	relyingParty, err := rp.NewRelyingPartyOAuth(rpConfig, options...)

pkg/api/config/config.go

@@ -167,6 +167,8 @@ type OpenIDProviderConfig struct {
 	ClientSecret    string
 	KeyPath         string
 	Issuer          string
+	AuthURL         string
+	TokenURL        string
 	Scopes          []string
 }
 
@@ -606,6 +608,8 @@ func (c *Config) Sanitize() *Config {
 					ClientSecret: "******",
 					KeyPath:      config.KeyPath,
 					Issuer:       config.Issuer,
+					AuthURL:      config.AuthURL,
+					TokenURL:     config.TokenURL,
 					Scopes:       config.Scopes,
 				}
 			}

pkg/api/config/config_test.go

@@ -119,6 +119,8 @@ func TestConfig(t *testing.T) {
 							Name:         "GitHub",
 							ClientID:     "github-client-id",
 							ClientSecret: "github-client-secret",
+							AuthURL:      "github-auth-url",
+							TokenURL:     "github-token-url",
 							Scopes:       []string{"user:email"},
 						},
 					},
@@ -143,6 +145,8 @@ func TestConfig(t *testing.T) {
 			// Verify original config is not modified
 			So(conf.HTTP.Auth.OpenID.Providers["google"].ClientSecret, ShouldEqual, "google-client-secret")
 			So(conf.HTTP.Auth.OpenID.Providers["github"].ClientSecret, ShouldEqual, "github-client-secret")
+			So(conf.HTTP.Auth.OpenID.Providers["github"].AuthURL, ShouldEqual, "github-auth-url")
+			So(conf.HTTP.Auth.OpenID.Providers["github"].TokenURL, ShouldEqual, "github-token-url")
 		})
 
 		Convey("Test Sanitize() with Event sink credentials", func() {