No commit activity in last 3 years
No release in over 3 years
OmniAuth strategy for GitHub Team Auth.

 Project Readme

OmniAuth GitHub Team Auth

This is an OmniAuth strategy for authenticating to GitHub and ensuring the user belongs to a specific team. This strategy is useful for building web apps that should only be administered by specific teams. I adapted this from an internal gem at GitHub.

To use it, you'll need to sign up for an OAuth2 Application ID and Secret on the GitHub Applications Page.

Installing

Add the gem to your Gemfile and bundle.

gem "omniauth-github-team-member"

I like to store the GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET in my environment, but you don't have to if you have a preferred place to put keys and secrets. For local development I recommend the dotenv gem for setting environment variables.

Basic Usage

In the examples below, 426344 is the id of the team we are checking against. You can find the id of a team via the GitHub API, either by listing all teams for the parent org or by finding all of the team memberships for a user who is on the team you are looking for.
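
The team id lookup described above, as an added example that is not part of the gem or its README: it takes the JSON body of GitHub's list-teams response for the org and resolves a team slug to the numeric id used in the teams: option. The sample response, the slugs and the helper names team_id_for and teams_option are constructed for illustration.

```ruby
require "json"

# Constructed sample shaped like a GitHub "list teams" response body.
# Real responses carry more fields; only id and slug are used here.
SAMPLE_TEAMS_JSON = <<~JSON
  [
    {"id": 426344, "slug": "mentors", "name": "Mentors"},
    {"id": 500001, "slug": "mentors-alumni", "name": "Mentors Alumni"},
    {"id": 500002, "slug": "ops", "name": "Ops"}
  ]
JSON

class TeamLookupError < StandardError; end

# Return the numeric id of the team whose slug matches exactly.
# Exact matching matters: a prefix or name search for "mentors" would also
# hit "mentors-alumni" and could gate the app on the wrong team.
def team_id_for(teams_json, slug)
  teams = JSON.parse(teams_json)
  raise TeamLookupError, "expected a JSON array of teams" unless teams.is_a?(Array)

  matches = teams.select { |t| t.is_a?(Hash) && t["slug"] == slug }
  raise TeamLookupError, "no team with slug #{slug.inspect}" if matches.empty?
  raise TeamLookupError, "slug #{slug.inspect} is ambiguous" if matches.size > 1

  id = matches.first["id"]
  raise TeamLookupError, "team id is not an integer" unless id.is_a?(Integer)
  id
end

# Build the hash passed as the strategy's teams: option
# (predicate name => team id), failing loudly on any unknown slug
# instead of configuring the gate with a nil or wrong id.
def teams_option(teams_json, predicates)
  predicates.to_h { |predicate, slug| [predicate, team_id_for(teams_json, slug)] }
end

if __FILE__ == $PROGRAM_NAME
  p teams_option(SAMPLE_TEAMS_JSON, "mentors_team_member?" => "mentors")
end
```
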

Usage in Rails:

# config/initializers/github_omniauth.rb

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :githubteammember,
    ENV['GITHUB_CLIENT_ID'],
    ENV['GITHUB_CLIENT_SECRET'],
    scope: 'read:org',
    teams: {
      "mentors_team_member?" => 426344
    }
end

During the callback phase, you can check whether the authenticated user is on the mentors team by calling request.env['omniauth.auth'].credentials.mentors_team_member? on the returned credentials object.

An example of how to integrate this strategy with OmniAuth is below. Note that these examples are just guidelines; you will most likely need to change each one to match your application's needs.

class SessionsController < ApplicationController
  def create
    @user = User.find_for_github_team_oauth(request.env['omniauth.auth'])

    if @user && @user.persisted?
      redirect_to root_path
    else
      redirect_to no_access_path
    end
  end
end

class User < ActiveRecord::Base
  def self.find_for_github_team_oauth(access_token, signed_in_resource=nil)
    # Prevents past team members from logging into existing accounts they
    # created when they were previously a team member. Also ensures
    # new accounts can't be created unless they are a team member.
    return false unless access_token.credentials.mentors_team_member?

    info = access_token.info
    github_id = access_token.uid
    # Rails 4+ form of the old dynamic finder find_or_initialize_by_github_id
    user = find_or_initialize_by(github_id: github_id)

    if user.new_record?
      user.name = info.name
      user.email = info.email
      user.github_identifier = info.nickname
      user.save
    end

    user
  end
end

Usage in Sinatra:

use OmniAuth::Builder do
  provider :githubteammember,
    ENV['GITHUB_CLIENT_ID'],
    ENV['GITHUB_CLIENT_SECRET'],
    scope: 'read:org',
    teams: {
      "mentors_team_member?" => 426344
    }
end

Scopes

You must request the read:org scope to be able to access the team data associated with the authenticated user.

More info on Scopes.

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Added some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

Contributors