
If USER_SYNC_ATTRIBUTE=email why is OKTA_USERNAME_ATTRIBUTE required/used? #157

Open
seanorama opened this issue Mar 29, 2023 · 2 comments
Labels: ❓ question (Further information is requested)

Comments

@seanorama
Contributor

In the Okta provider the sample .env states:

## The attribute which corresponds to the GitHub Username
## NOTE: This cannot be an email address
OKTA_USERNAME_ATTRIBUTE=github_username

If the user can be determined by email lookup from git, earlier in the .env:

## Attribute to compare users with
## username or email
USER_SYNC_ATTRIBUTE=email

Why is the git username needed, when you have the email and ability to look up the username from that?

@seanorama seanorama changed the title If user can be looked up in github by email address, why does a username attribute need to be provided? If USER_SYNC_ATTRIBUTE=email why is OKTA_USERNAME_ATTRIBUTE required/used? Mar 29, 2023
@primetheus
Collaborator

@seanorama the OKTA_USERNAME_ATTRIBUTE is different from the USER_SYNC_ATTRIBUTE. The USER_SYNC_ATTRIBUTE is used to compare the groups. If we pull users from GitHub teams, then pull users from LDAP, Okta, etc., we compare the groups based on the GitHub attribute of either username or email. In the case of the OKTA_USERNAME_ATTRIBUTE, this is a field name in Okta that is used to authenticate the user against Okta. There's no real lookup happening.

It's been a while since I built this piece, and at the time there wasn't a GitHub integration native to Okta, so it was all a custom setup. Looking at Okta's guide, it looks like the default value is the Okta username, which may or may not map to the GitHub username.

@seanorama
Contributor Author

seanorama commented Apr 10, 2023

Our Okta usernames are email addresses which can never sync directly to a GitHub username. Instead we strip @.* to support emails.

What I wondered was slightly different:

  • Even if the usernames do not match between the systems, the email addresses typically do.
  • So use email address as the lookup for the github username.

Process:

  • get Okta email
  • find if there is a matching github user with that email address
  • if so, determine the github username based on the email address
  • use that to determine if a user should be synced

With the above, you don't need to manually define the matching usernames; you only need the email address as a lookup.

Though we are on an Enterprise instance, this would also be useful on public GitHub, where usernames are typically personally chosen, not mapped to corporate emails.
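As an added example (not the project's own code), here is how the email lookup proposed above could be implemented in Node. It assumes the member records carry `login`, `email` and a `verified` flag, and goes one step further than the comment by refusing ambiguous matches and only accepting a stripped-domain username that actually exists.

```javascript
// Constructed sample data, shaped as a sync job might list GitHub members.
// The `verified` flag is an assumption: only trust an address the platform
// has confirmed, otherwise an email is a claim, not an identity.
const githubMembers = [
  { login: "jdoe", email: "J.Doe@Example.com", verified: true },
  { login: "asmith", email: "asmith@example.com", verified: true },
  { login: "asmith-old", email: "asmith@example.com", verified: false },
  { login: "cchen", email: "cchen@example.com", verified: true },
  { login: "cchen-admin", email: "cchen@example.com", verified: true },
  { login: "bwong", email: null, verified: false },
];

// Normalised comparison key: trimmed and lower-cased, so IdP and GitHub
// casing differences do not produce false "no match" results.
function emailKey(email) {
  return typeof email === "string" ? email.trim().toLowerCase() : null;
}

// One pass over the member list: email -> [logins] for the lookup, plus the
// set of known logins so a derived username can be checked for existence.
function buildIndex(members) {
  const byEmail = new Map();
  const logins = new Set();
  for (const m of members) {
    logins.add(m.login);
    const key = emailKey(m.email);
    if (!key || !m.verified) continue;
    if (!byEmail.has(key)) byEmail.set(key, []);
    byEmail.get(key).push(m.login);
  }
  return { byEmail, logins };
}

// Resolve one Okta user to a GitHub login. Returns { login, reason } so the
// sync job can log why a user was skipped rather than silently dropping them.
function resolveGithubLogin(oktaUser, index, opts = { stripDomain: false }) {
  const matches = index.byEmail.get(emailKey(oktaUser.email)) || [];
  if (matches.length === 1) return { login: matches[0], reason: "email" };
  // Two verified accounts on one address: refuse rather than guess.
  if (matches.length > 1) return { login: null, reason: "ambiguous:" + matches.join(",") };
  // Fallback from the thread: strip "@.*" from the Okta username. Only accept
  // the result if that login actually exists, so a typo cannot invent a user.
  if (opts.stripDomain && typeof oktaUser.username === "string") {
    const derived = oktaUser.username.replace(/@.*$/, "");
    if (index.logins.has(derived)) return { login: derived, reason: "stripped-username" };
  }
  return { login: null, reason: "no-match" };
}
```

The `reason` field is what you would want in the sync log: an "ambiguous" or "no-match" entry is the signal to fix the directory data, not something to paper over with a looser match.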

@primetheus primetheus added the ❓ question Further information is requested label Sep 18, 2023
@primetheus primetheus self-assigned this Sep 18, 2023