website/integrations: add github org checking policy example

closes #2047 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-01-03 22:00:00 +01:00 · 2022-01-03 22:00:00 +01:00 · 01fcbb325b
parent 7d3d17acb9
commit 01fcbb325b
3 changed files with 49 additions and 1 deletions
--- a/web/src/pages/sources/oauth/OAuthSourceForm.ts
+++ b/web/src/pages/sources/oauth/OAuthSourceForm.ts
@ -254,7 +254,10 @@ export class OAuthSourceForm extends ModelForm<OAuthSource, string> {
                    >
                        <textarea class="pf-c-form-control"></textarea>
                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal label=${t`Additional Scope`} name="additionalScopes">
+                    <ak-form-element-horizontal
+                        label=${t`Additional Scope`}
+                        name="additionalScopes"
+                    >
                        <input
                            type="text"
                            value="${first(this.instance?.additionalScopes, "")}"
--- a/website/integrations/sources/github/github_org_membership.png
+++ b/website/integrations/sources/github/github_org_membership.png
--- a/website/integrations/sources/github/index.md
+++ b/website/integrations/sources/github/index.md
@ -48,3 +48,48 @@ Save, and you now have Github as a source.
 :::note
 For more details on how-to have the new source display on the Login Page see [here](../).
 :::
+
+### Checking for membership of a GitHub Organisation
+
+:::info
+Requires authentik 2021.12.5.
+:::
+
+To check if the user is member of an organisation, you can use the following policy on your flows:
+
+```python
+accepted_org = "foo"
+
+# Get the user-source connection object from the context, and get the access token
+connection = context['goauthentik.io/sources/connection']
+access_token = connection.access_token
+
+# We also access the user info authentik already retrieved, to get the correct username
+github_username = context["oauth_userinfo"]
+
+# Github does not include Organisations in the userinfo endpoint, so we have to call another URL
+
+orgs = requests.get(
+    "https://api.github.com/user/orgs",
+    auth=(github_username["login"], access_token),
+    headers={
+        "accept": "application/vnd.github.v3+json"
+    }
+).json()
+
+# `orgs` will be formatted like this
+# [
+#     {
+#         "login": "beryjuorg",
+#         [...]
+#     }
+# ]
+user_matched = any(org['login'] == accepted_org for org in orgs)
+if not user_matched:
+    ak_message(f"User is not member of {accepted_org}.")
+return user_matched
+```
+
+If a user is not member of the chosen organisation, they will see this message
+
+![](./github_org_membership.png)