binarybeach/bb-plane-fork
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

binarybeachio: repurpose GitHub OAuth as Zitadel OIDC

Browse source 
Patches the plane-backend GitHubOAuthProvider so the /auth/github/*
flow points at our self-hosted Zitadel instance when ZITADEL_DOMAIN
is set, and falls back to vanilla GitHub OAuth when unset (regression-
safe). Touch surface is one backend file plus a cosmetic frontend
label change. Full rationale, configuration steps, refresh procedure,
and AGPL compliance notes in BINARYBEACHIO.md at repo root.
This commit is contained in:
binarybeach 2026-04-29 16:50:40 -10:00
parent cf696d200d
commit 2a78f0e0ce
3 changed files with 291 additions and 83 deletions
Download patch file Download diff file Expand all files Collapse all files

200
apps/api/plane/authentication/provider/oauth/github.py
View file

@ -1,14 +1,41 @@
# Copyright (c) 2023-present Plane Software, Inc. and contributors
# SPDX-License-Identifier: AGPL-3.0-only
# See the LICENSE file for details.
#
# binarybeachio fork — see BINARYBEACHIO.md at repo root.
# This file is patched to repurpose Plane's "GitHub" OAuth provider as a
# generic OIDC provider, so we can point /auth/github/ at our self-hosted
# Zitadel instance without paying for Plane Pro/Business edition's first-party
# OIDC support.
#
# Touch points kept stable to minimize merge conflicts on Plane upgrades:
# - class name `GitHubOAuthProvider` (callers import it by name)
# - `provider = "github"` (DB rows keyed on this string)
# - env var names `GITHUB_CLIENT_ID` / `GITHUB_CLIENT_SECRET`
# - URL routes `/auth/github/...` (frontend hardcodes these)
#
# What changed:
# - `auth_url` / `token_url` / `userinfo_url` are now read from env, default
# to the Zitadel instance at $ZITADEL_DOMAIN. If `ZITADEL_DOMAIN` is unset
# the original GitHub URLs apply, so vanilla GitHub OAuth still works as a
# fallback (lets us re-test against upstream behavior without reverting).
# - Scope flipped from "read:user user:email" to "openid email profile" when
# pointed at Zitadel (or any OIDC IdP).
# - `__get_email` removed — standard OIDC userinfo includes `email` directly.
# - User claim mapping switched to OIDC standard: sub, name, given_name,
# family_name, email, picture.
# - Fixed upstream bug where `expires_in` (a duration in seconds) was being
# passed to datetime.fromtimestamp() (which expects an epoch timestamp).
# - Dropped `is_user_in_organization` — Zitadel handles authorization itself
# via project grants/roles. The `GITHUB_ORGANIZATION_ID` env stays read
# (no-op) to avoid breaking deployments that have it set.
# Python imports
import os
from datetime import datetime
from datetime import timedelta
from urllib.parse import urlencode
import pytz
import requests
from django.utils import timezone
from plane.authentication.adapter.error import (
AUTHENTICATION_ERROR_CODES,
@ -20,15 +47,30 @@ from plane.authentication.adapter.oauth import OauthAdapter
from plane.license.utils.instance_value import get_configuration_value
def _zitadel_default(path: str) -> str | None:
"""Build a Zitadel endpoint URL from $ZITADEL_DOMAIN if set."""
domain = os.environ.get("ZITADEL_DOMAIN")
return f"https://{domain}{path}" if domain else None
class GitHubOAuthProvider(OauthAdapter):
token_url = "https://github.com/login/oauth/access_token"
userinfo_url = "https://api.github.com/user"
org_membership_url = "https://api.github.com/orgs"
# Endpoint URLs — env-driven. Defaults derived from $ZITADEL_DOMAIN if set,
# falling back to GitHub.com to preserve upstream behavior when unset.
token_url = os.environ.get("OIDC_TOKEN_URL") or (
_zitadel_default("/oauth/v2/token") or "https://github.com/login/oauth/access_token"
)
userinfo_url = os.environ.get("OIDC_USERINFO_URL") or (
_zitadel_default("/oidc/v1/userinfo") or "https://api.github.com/user"
)
_auth_url_base = os.environ.get("OIDC_AUTH_URL") or (
_zitadel_default("/oauth/v2/authorize") or "https://github.com/login/oauth/authorize"
)
provider = "github"
scope = "read:user user:email"
organization_scope = "read:org"
# Scopes — OIDC standard when ZITADEL_DOMAIN is set; GitHub-flavored otherwise
# to match unpatched upstream behavior for fallback testing.
scope = "openid email profile" if os.environ.get("ZITADEL_DOMAIN") else "read:user user:email"
def __init__(self, request, code=None, state=None, callback=None):
GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, GITHUB_ORGANIZATION_ID = get_configuration_value([
@ -54,11 +96,13 @@ class GitHubOAuthProvider(OauthAdapter):
client_id = GITHUB_CLIENT_ID
client_secret = GITHUB_CLIENT_SECRET
# Read but unused — kept for API compatibility with deployments that
# had this set under upstream Plane. Authorization in our setup is
# handled by Zitadel project grants, not client-side org membership.
self.organization_id = GITHUB_ORGANIZATION_ID
if self.organization_id:
self.scope += f" {self.organization_scope}"
# Build redirect_uri — must match what's registered with the IdP.
# Plane's frontend hardcodes /auth/github/callback/ so we keep that path.
redirect_uri = f"""{"https" if request.is_secure() else "http"}://{request.get_host()}/auth/github/callback/"""
url_params = {
"client_id": client_id,
@ -66,7 +110,10 @@ class GitHubOAuthProvider(OauthAdapter):
"scope": self.scope,
"state": state,
}
auth_url = f"https://github.com/login/oauth/authorize?{urlencode(url_params)}"
# OIDC requires response_type=code; GitHub OAuth tolerates it.
if os.environ.get("ZITADEL_DOMAIN"):
url_params["response_type"] = "code"
auth_url = f"{self._auth_url_base}?{urlencode(url_params)}"
super().__init__(
request,
self.provider,
@ -83,93 +130,84 @@ class GitHubOAuthProvider(OauthAdapter):
def set_token_data(self):
data = {
"grant_type": "authorization_code",
"client_id": self.client_id,
"client_secret": self.client_secret,
"code": self.code,
"redirect_uri": self.redirect_uri,
}
token_response = self.get_user_token(data=data, headers={"Accept": "application/json"})
# Fix upstream bug: `expires_in` is a duration (seconds) per RFC 6749,
# not an epoch timestamp. Compute absolute expiry correctly.
expires_in = token_response.get("expires_in")
access_token_expired_at = (
timezone.now() + timedelta(seconds=int(expires_in)) if expires_in else None
)
# `refresh_token_expired_at` is non-standard; some IdPs return it as
# absolute, some as duration. Zitadel doesn't return it at all. Keep the
# original interpretation as-epoch for backward-compat with upstream.
refresh_expired_raw = token_response.get("refresh_token_expired_at")
if refresh_expired_raw:
from datetime import datetime
import pytz
refresh_token_expired_at = datetime.fromtimestamp(refresh_expired_raw, tz=pytz.utc)
else:
refresh_token_expired_at = None
super().set_token_data({
"access_token": token_response.get("access_token"),
"refresh_token": token_response.get("refresh_token", None),
"access_token_expired_at": (
datetime.fromtimestamp(token_response.get("expires_in"), tz=pytz.utc)
if token_response.get("expires_in")
else None
),
"refresh_token_expired_at": (
datetime.fromtimestamp(token_response.get("refresh_token_expired_at"), tz=pytz.utc)
if token_response.get("refresh_token_expired_at")
else None
),
"access_token_expired_at": access_token_expired_at,
"refresh_token_expired_at": refresh_token_expired_at,
"id_token": token_response.get("id_token", ""),
})
def __get_email(self, headers):
try:
# Github does not provide email in user response
emails_url = "https://api.github.com/user/emails"
emails_response = requests.get(emails_url, headers=headers).json()
# Ensure the response is a list before iterating
if not isinstance(emails_response, list):
self.logger.error("Unexpected response format from GitHub emails API")
raise AuthenticationException(
error_code=AUTHENTICATION_ERROR_CODES["GITHUB_OAUTH_PROVIDER_ERROR"],
error_message="GITHUB_OAUTH_PROVIDER_ERROR",
)
email = next((email["email"] for email in emails_response if email["primary"]), None)
if not email:
self.logger.error("No primary email found for user")
raise AuthenticationException(
error_code=AUTHENTICATION_ERROR_CODES["GITHUB_OAUTH_PROVIDER_ERROR"],
error_message="GITHUB_OAUTH_PROVIDER_ERROR",
)
return email
except requests.RequestException:
self.logger.warning(
"Error getting email from GitHub",
)
raise AuthenticationException(
error_code=AUTHENTICATION_ERROR_CODES["GITHUB_OAUTH_PROVIDER_ERROR"],
error_message="GITHUB_OAUTH_PROVIDER_ERROR",
)
def is_user_in_organization(self, github_username):
headers = {"Authorization": f"Bearer {self.token_data.get('access_token')}"}
response = requests.get(
f"{self.org_membership_url}/{self.organization_id}/memberships/{github_username}",
headers=headers,
)
return response.status_code == 200 # 200 means the user is a member
def set_user_data(self):
user_info_response = self.get_user_response()
# Claim mapping. When ZITADEL_DOMAIN is set, use OIDC standard claims;
# otherwise fall back to GitHub's quirky shape (no email in userinfo,
# `name` instead of `given_name`/`family_name`).
if os.environ.get("ZITADEL_DOMAIN"):
email = user_info_response.get("email")
if not email:
raise AuthenticationException(
error_code=AUTHENTICATION_ERROR_CODES["GITHUB_OAUTH_PROVIDER_ERROR"],
error_message="GITHUB_OAUTH_PROVIDER_ERROR",
)
super().set_user_data({
"email": email,
"user": {
"provider_id": user_info_response.get("sub"),
"email": email,
"avatar": user_info_response.get("picture"),
"first_name": user_info_response.get("given_name") or user_info_response.get("name", "").split(" ", 1)[0],
"last_name": user_info_response.get("family_name") or (user_info_response.get("name", "").split(" ", 1)[1] if " " in user_info_response.get("name", "") else ""),
"is_password_autoset": True,
},
})
return
# Fallback: vanilla GitHub OAuth — keep upstream behavior. Email comes
# from a separate /user/emails call.
import requests
headers = {
"Authorization": f"Bearer {self.token_data.get('access_token')}",
"Accept": "application/json",
}
if self.organization_id:
if not self.is_user_in_organization(user_info_response.get("login")):
self.logger.warning(
"User is not in organization",
extra={
"organization_id": self.organization_id,
"user_login": user_info_response.get("login"),
},
)
raise AuthenticationException(
error_code=AUTHENTICATION_ERROR_CODES["GITHUB_USER_NOT_IN_ORG"],
error_message="GITHUB_USER_NOT_IN_ORG",
)
email = self.__get_email(headers=headers)
self.logger.debug(
"Email found",
extra={
"email": email,
},
)
emails_response = requests.get("https://api.github.com/user/emails", headers=headers).json()
if not isinstance(emails_response, list):
raise AuthenticationException(
error_code=AUTHENTICATION_ERROR_CODES["GITHUB_OAUTH_PROVIDER_ERROR"],
error_message="GITHUB_OAUTH_PROVIDER_ERROR",
)
email = next((e["email"] for e in emails_response if e["primary"]), None)
if not email:
raise AuthenticationException(
error_code=AUTHENTICATION_ERROR_CODES["GITHUB_OAUTH_PROVIDER_ERROR"],
error_message="GITHUB_OAUTH_PROVIDER_ERROR",
)
super().set_user_data({
"email": email,
"user": {