Red Hat SummitChapter 4. Authenticating with GitHub
To authenticate users with GitHub or GitHub Enterprise:
4.1. Enabling authentication with GitHub
To authenticate users with GitHub, enable the GitHub authentication provider in Red Hat Developer Hub.
Prerequisites
- You added a custom Developer Hub application configuration, and have sufficient permissions to modify it.
- You have sufficient permissions in GitHub to create and manage a GitHub App.
Procedure
To allow Developer Hub to authenticate with GitHub, create a GitHub App. Opt for a GitHub App instead of an OAuth app to use fine-grained permissions, gain more control over which repositories the application can access, and use short-lived tokens.
Register a GitHub App with the following configuration:
- GitHub App name: Enter a unique name identifying your GitHub App, such as <Red Hat Developer Hub>-<GUID>.
-
Homepage URL: Your Developer Hub URL:
https://<my_developer_hub_url>. -
Authorization callback URL: Your Developer Hub authentication backend URL:
https://<my_developer_hub_url>/api/auth/github/handler/frame. -
Webhook URL: Your Developer Hub URL:
https://<my_developer_hub_url>. - Webhook secret: Provide a strong secret.
Repository permissions:
Enable
Read-onlyaccess to:- Administration
- Commit statuses
- Contents
- Dependabot alerts
- Deployments
- Pull Requests
Webhooks
TipIf you plan to make changes using the GitHub API, ensure that
Read and writepermissions are enabled instead ofRead-only.
- Toggle other permissions as per your needs.
Organization permissions:
-
Enable
Read-onlyaccess to Members.
-
Enable
-
For Where can this GitHub App be installed?, select
Only on this account.
-
In the General
Clients secrets section, click Generate a new client secret. -
In the General
Private keys section, click Generate a private key. - In the Install App tab, choose an account to install your GitHub App on.
Save the following values for the next step:
- App ID
- Client ID
- Client secret
- Private key
- Webhook secret
To add your GitHub credentials to Developer Hub, add the following key/value pairs to your Developer Hub secrets:
AUTH_GITHUB_APP_ID- Enter the saved App ID.
AUTH_GITHUB_CLIENT_ID- Enter the saved Client ID.
GITHUB_ORGANIZATION- Enter your GitHub organization name, such as `<your_github_organization_name>'.
GITHUB_ORG_URL-
Enter
$GITHUB_HOST_DOMAIN/$GITHUB_ORGANIZATION. GITHUB_CLIENT_SECRET- Enter the saved Client Secret.
GITHUB_PRIVATE_KEY_FILE- Enter the saved Private key.
GITHUB_WEBHOOK_URL-
Enter your Developer Hub URL:
https://<my_developer_hub_url>. GITHUB_WEBHOOK_SECRET- Enter the saved Webhook secret.
. To set up the GitHub authentication provider and enable integration with the GitHub API in your Developer Hub custom configuration, edit your custom Developer Hub config map such as
my-rhdh-app-config, and add the following lines to theapp-config.yamlfile content:app-config.yamlfile fragment with mandatory fields to enable authentication with GitHubauth: environment: production1 providers: github: production: clientId: ${AUTH_GITHUB_CLIENT_ID}2 clientSecret: ${AUTH_GITHUB_CLIENT_SECRET} integrations: github: - host: ${GITHUB_HOST_DOMAIN} apps: - appId: ${AUTH_GITHUB_APP_ID} clientId: ${AUTH_GITHUB_CLIENT_ID} clientSecret: ${GITHUB_CLIENT_SECRET} webhookUrl: ${GITHUB_WEBHOOK_URL} webhookSecret: ${GITHUB_WEBHOOK_SECRET} privateKey: | ${GITHUB_PRIVATE_KEY_FILE} signInPage: github3 - 1
- Mark the environment as
productionand disable the Guest login option in the Developer Hub login page. - 2
- Apply the GitHub credentials configured in your Developer Hub secrets.
- 3
- To enable the GitHub provider as your Developer Hub sign-in provider.
Optional: Consider adding the following optional fields:
callbackUrlThe callback URL that GitHub uses when initiating an OAuth flow, such as: <your_intermediate_service_url/handler>. Define it when Developer Hub is not the immediate receiver, such as in cases when you use one OAuth app for many Developer Hub instances.
app-config.yamlfile fragment with optionalenterpriseInstanceUrlfieldauth: providers: github: production: callbackUrl: <your_intermediate_service_url/handler>
sessionDurationLifespan of the user session. Enter a duration in
mslibrary format (such as '24h', '2 days'), ISO duration, or "human duration" as used in code.app-config-rhdh.yamlfragment with optionalsessionDurationfieldauth: providers: github: production: sessionDuration: { hours: 24 }signInresolvers-
After successful authentication, the user signing in must be resolved to an existing user in the Developer Hub catalog. To best match users securely for your use case, consider configuring a specific resolver. Enter the resolver list to override the default resolver:
usernameMatchingUserEntityName.
The authentication provider tries each sign-in resolver in order until it succeeds, and fails if none succeed.
WarningIn production mode, only configure one resolver to ensure users are securely matched.
resolverEnter the sign-in resolver name. Available resolvers:
-
usernameMatchingUserEntityName -
preferredUsernameMatchingUserEntityName -
emailMatchingUserEntityProfileEmail
-
dangerouslyAllowSignInWithoutUserInCatalog: trueConfigure the sign-in resolver to bypass the user provisioning requirement in the Developer Hub software catalog.
WarningUse
dangerouslyAllowSignInWithoutUserInCatalogto explore Developer Hub features, but do not use it in production.app-config.yamlfile fragment with optional field to allow signing in users absent from the software catalogauth: environment: production providers: github: production: clientId: ${AUTH_GITHUB_CLIENT_ID} clientSecret: ${AUTH_GITHUB_CLIENT_SECRET} signIn: resolvers: - resolver: usernameMatchingUserEntityName dangerouslyAllowSignInWithoutUserInCatalog: true integrations: github: - host: ${GITHUB_HOST_DOMAIN} apps: - appId: ${AUTH_GITHUB_APP_ID} clientId: ${AUTH_GITHUB_CLIENT_ID} clientSecret: ${GITHUB_CLIENT_SECRET} webhookUrl: ${GITHUB_WEBHOOK_URL} webhookSecret: ${GITHUB_WEBHOOK_SECRET} privateKey: | ${GITHUB_PRIVATE_KEY_FILE} signInPage: github
To enable GitHub integration with a different authentication provider, complete the following configurations:
-
Add the GitHub provider to the existing
authsection. -
Keep the
signInPagesection from your authentication provider configuration.
app-config.yaml file fragment with mandatory fields to enable GitHub integration and use a different authentication provider
auth:
environment: production
providers:
github:
production:
clientId: ${AUTH_GITHUB_CLIENT_ID}
clientSecret: ${AUTH_GITHUB_CLIENT_SECRET}
<your_other_authentication_providers_configuration>
integrations:
github:
- host: ${GITHUB_HOST_DOMAIN}
apps:
- appId: ${AUTH_GITHUB_APP_ID}
clientId: ${AUTH_GITHUB_CLIENT_ID}
clientSecret: ${GITHUB_CLIENT_SECRET}
webhookUrl: ${GITHUB_WEBHOOK_URL}
webhookSecret: ${GITHUB_WEBHOOK_SECRET}
privateKey: |
${GITHUB_PRIVATE_KEY_FILE}
signInPage: <your_main_authentication_provider>Verification
- Go to the Developer Hub login page.
- Your Developer Hub sign-in page displays Sign in using GitHub and the Guest user sign-in is disabled.
- Log in with GitHub.
4.2. Provisioning users from GitHub to the software catalog
To authenticate users, Red Hat Developer Hub requires their presence in the software catalog. Consider configuring Developer Hub to provision users from GitHub to the software catalog on schedule, rather than provisioning the users manually.
Prerequisites
You have enabled authentication with GitHub, including the following secrets:
-
GITHUB_HOST_DOMAIN -
GITHUB_ORGANIZATION
-
Procedure
To enable GitHub member discovery, edit your custom Developer Hub ConfigMap, such as
app-config-rhdh, and add the following lines to theapp-config.yamlcontent:app-config.yamlfragment with mandatorygithubfieldscatalog: providers: github: providerId: organization: "${GITHUB_ORGANIZATION}" schedule: frequency: minutes: 30 initialDelay: seconds: 15 timeout: minutes: 15 githubOrg: githubUrl: "${GITHUB_HOST_DOMAIN}" orgs: [ "${GITHUB_ORGANIZATION}" ] schedule: frequency: minutes: 30 initialDelay: seconds: 15 timeout: minutes: 15organization,githubUrl, andorgs- Use the Developer Hub application information that you have created in GitHub and configured in OpenShift as secrets.
schedule.frequency- To specify custom schedule frequency. Supports cron, ISO duration, and "human duration" as used in code.
schedule.timeout- To specify custom timeout. Supports ISO duration and "human duration" as used in code.
schedule.initialDelay- To specify custom initial delay. Supports ISO duration and "human duration" as used in code.
Verification
Check the console logs to verify that the synchronization is completed.
Successful synchronization example:
{"class":"GithubMultiOrgEntityProvider","level":"info","message":"Reading GitHub users and teams for org: rhdh-dast","plugin":"catalog","service":"backstage","target":"https://github.com","taskId":"GithubMultiOrgEntityProvider:production:refresh","taskInstanceId":"801b3c6c-167f-473b-b43e-e0b4b780c384","timestamp":"2024-09-09 23:55:58"} {"class":"GithubMultiOrgEntityProvider","level":"info","message":"Read 7 GitHub users and 2 GitHub groups in 0.4 seconds. Committing...","plugin":"catalog","service":"backstage","target":"https://github.com","taskId":"GithubMultiOrgEntityProvider:production:refresh","taskInstanceId":"801b3c6c-167f-473b-b43e-e0b4b780c384","timestamp":"2024-09-09 23:55:59"}- Log in with a GitHub account.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}