Issue #1102 - Add config to explicitly enable loading all github groups

Documentation/connectors/github.md

@@ -45,8 +45,8 @@ connectors:
     # If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
     # authenticate with dex.
     #
-    # If neither 'org' nor 'orgs' are specified in the config then user authenticate with ALL user's Github groups.
+    # If neither 'org' nor 'orgs' are specified in the config and 'loadAllGroups' setting set to true then user
-    # Typical use case for this setup:
+    # authenticate with ALL user's Github groups. Typical use case for this setup:
     # provide read-only access to everyone and give full permissions if user has 'my-organization:admins-team' group claim.  
     orgs:
     - name: my-organization
@@ -56,6 +56,8 @@ connectors:
       teams:
       - red-team
       - blue-team
+    # Flag which indicates that all user groups and teams should be loaded.
+    loadAllGroups: false
 
     # Optional choice between 'name' (default) or 'slug'.
     #

connector/github/github.go

@@ -48,6 +48,7 @@ type Config struct {
 	HostName      string `json:"hostName"`
 	RootCA        string `json:"rootCA"`
 	TeamNameField string `json:"teamNameField"`
+	LoadAllGroups bool   `json:"loadAllGroups"`
 }
 
 // Org holds org-team filters, in which teams are optional.
@@ -107,6 +108,7 @@ func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector
 		}
 
 	}
+	g.loadAllGroups = c.LoadAllGroups
 
 	switch c.TeamNameField {
 	case "name", "slug", "":
@@ -142,8 +144,11 @@ type githubConnector struct {
 	// Used to support untrusted/self-signed CA certs.
 	rootCA string
 	// HTTP Client that trusts the custom delcared rootCA cert.
-	httpClient    *http.Client
+	httpClient *http.Client
+	// optional choice between 'name' (default) or 'slug'
 	teamNameField string
+	// if set to true and no orgs are configured then connector loads all user claims (all orgs and team)
+	loadAllGroups bool
 }
 
 // groupsRequired returns whether dex requires GitHub's 'read:org' scope. Dex
@@ -325,7 +330,7 @@ func (c *githubConnector) getGroups(ctx context.Context, client *http.Client, gr
 		return c.groupsForOrgs(ctx, client, userLogin)
 	} else if c.org != "" {
 		return c.teamsForOrg(ctx, client, c.org)
-	} else if groupScope {
+	} else if groupScope && c.loadAllGroups {
 		return c.userGroups(ctx, client)
 	}
 	return nil, nil

connector/github/github_test.go

@@ -115,6 +115,9 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
 			"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9",
 			"expires_in":   "30",
 		}},
+		"/user/orgs": {
+			data: []org{{Login: "org-1"}},
+		},
 	})
 	defer s.Close()
 
@@ -125,10 +128,18 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
 	expectNil(t, err)
 
 	c := githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient()}
-	identity, err := c.HandleCallback(connector.Scopes{}, req)
+	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
 
 	expectNil(t, err)
 	expectEquals(t, identity.Username, "some-login")
+	expectEquals(t, 0, len(identity.Groups))
+
+	c = githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient(), loadAllGroups: true}
+	identity, err = c.HandleCallback(connector.Scopes{Groups: true}, req)
+
+	expectNil(t, err)
+	expectEquals(t, identity.Username, "some-login")
+	expectEquals(t, identity.Groups, []string{"org-1"})
 
 }