OmniAuth GitHub Team Auth
This is an OmniAuth strategy for authenticating to GitHub and ensuring the user belongs to a specific team. This strategy is useful for building web apps that should only be administered by specific teams. I adapted this from an internal gem at GitHub.
To use it, you'll need to sign up for an OAuth2 Application ID and Secret on the GitHub Applications Page.
Installing
Add the gem to your Gemfile and bundle.
gem "omniauth-github-team-member"
I like to store the GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET in my environment, but you don't have to if you have a preferred place to put keys and secrets. For local development I recommend the dotenv gem for setting environment variables.
Basic Usage
In the examples below, 42634 is the id of the team we are checking against. You can find the id of a team via the GitHub API, either by listing all teams for the parent org or by listing all of the team memberships for a user who is on the team you are looking for.
Usage in Rails:
# config/initializers/github_omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :githubteammember,
           ENV['GITHUB_CLIENT_ID'],
           ENV['GITHUB_CLIENT_SECRET'],
           scope: 'read:org',
           teams: {
             "mentors_team_member?" => 426344
           }
end
During the callback phase, you can check whether the authed user is on the mentors team by reading the returned credentials object: request.env['omniauth.auth'].credentials.mentors_team_member?
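As an added illustration (not the gem's own code), here is how the teams option above maps team ids to boolean credential flags, given the team list GitHub returns for the authenticated user; the JSON payload, the second team id and the helper names are constructed for this example.

```ruby
require 'json'

# Same shape as the `teams:` option passed to the provider above.
# The second entry is a constructed example of a team the user is NOT on.
TEAM_FLAGS = { "mentors_team_member?" => 426344, "admins_team_member?" => 9999 }.freeze

# Constructed stand-in for the JSON body of GET /user/teams (needs read:org).
USER_TEAMS_JSON = <<~JSON
  [
    {"id": 426344, "name": "Mentors", "organization": {"login": "example-org"}},
    {"id": 1001,   "name": "Docs",    "organization": {"login": "example-org"}}
  ]
JSON

# Turn the configured flags into booleans: a flag is true only when the user's
# team list contains that exact team id (compared as integers, so a string id in
# the config or the payload cannot slip past the check).
def team_credentials(user_teams_json, team_flags = TEAM_FLAGS)
  ids = JSON.parse(user_teams_json).map { |t| Integer(t.fetch("id")) }
  team_flags.each_with_object({}) do |(flag, team_id), creds|
    creds[flag] = ids.include?(Integer(team_id))
  end
end

# Authorization decision for the callback: membership is re-evaluated on every
# login, so a user removed from the team loses access at their next sign-in even
# if a local account for them already exists. A missing flag denies access.
def grant_access?(creds, required_flag = "mentors_team_member?")
  creds.fetch(required_flag, false) == true
end
```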
An example of how to integrate this strategy with OmniAuth is below. Note that these examples are just guidelines; you will most likely need to change each one to match your application's needs.
class SessionsController < ApplicationController
  def create
    @user = User.find_for_github_team_oauth(request.env['omniauth.auth'])
    # Only a persisted user who passed the team check gets a session.
    if @user && @user.persisted?
      redirect_to root_path
    else
      redirect_to no_access_path
    end
  end
end
class User < ActiveRecord::Base
  def self.find_for_github_team_oauth(access_token, signed_in_resource = nil)
    # Prevents past team members from logging into existing accounts they
    # created when they were previously a team member. Also ensures
    # new accounts can't be created unless they are a team member.
    return false unless access_token.credentials.mentors_team_member?

    info = access_token.info
    github_id = access_token.uid
    # Hash-style finder; the dynamic find_or_initialize_by_github_id finder
    # was removed in Rails 4.1.
    user = find_or_initialize_by(github_id: github_id)
    if user.new_record?
      user.name = info.name
      user.email = info.email
      user.github_identifier = info.nickname
      user.save
    end
    user
  end
end
Usage in Sinatra:
use OmniAuth::Builder do
  provider :githubteammember,
           ENV['GITHUB_CLIENT_ID'],
           ENV['GITHUB_CLIENT_SECRET'],
           scope: 'read:org',
           teams: {
             "mentors_team_member?" => 426344
           }
end
Scopes
You must request the read:org scope to be able to access the team data associated with the authenticated user. More info on Scopes.
Contributing
- Fork it
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Added some feature')
- Push to the branch (git push origin my-new-feature)
- Create new Pull Request