Unable to process callback from Github

[lordpengwin]

I'm trying to set up Teleport using the GitHub authentication mechanism and get an error on the callback. Everything seems to match the instructions but it fails on the call back with the message below.

What happened: Unable to process callback from Github

What you expected to happen: A successful login

How to reproduce it (as minimally and precisely as possible): Set up git hub as a authentication type and create the githup oath app and try to log in for the first time

Environment:

• Teleport version (use teleport version): Teleport v2.4.2 git:v2.4.2-0-g079d345
• Tsh version (use tsh version): Teleport v2.4.2 git:v2.4.2-0-g079d3452
• OS (e.g. from /etc/os-release):
  NAME="Amazon Linux AMI"
  VERSION="2015.03"
  ID="amzn"
  ID_LIKE="rhel fedora"
  VERSION_ID="2015.03"
  PRETTY_NAME="Amazon Linux AMI 2015.03"
  ANSI_COLOR="0;33"
  CPE_NAME="cpe:/o:amazon:linux:2015.03:ga"
  HOME_URL="http://aws.amazon.com/amazon-linux-ami/"

Browser environment
MacOS Chrome and Safari

• Browser Version (for UI-related issues): 64.0.3282.186
• Install tools:
• Others:

Relevant Debug Logs If Applicable

• tsh --debug
• teleport --debug
  This does not seem to be supported

[lordpengwin]

Here is my github configuration

# save this as github-connector.yaml:
kind: github
version: v3
metadata:
# name of the connector must match the authentication type
 in /etc/teleport.yaml
  name: github
spec:
  display: Github
  client_id: xxxxxxxxxxxxxxx           # from Teleport OAuth app on Github
  client_secret: xxxxxxxxxxxxx       # from Teleport OAuth app on Github
  redirect_url: https://xxxxx.xxx:3080/v1/webapi/github/callback

# This section says that anyone from 'teleport-ssh-users' team in
# 'octocats' organization can SSH as root
  teams_to_logins:
    - organization: xxxx
      team: xxxxx-teleport
      logins:
        - xxxx

[klizhentas]

can you post teleport logs when this happens? Usually the logs are there, can you also put teleport to debug loging mode in config or using -d flag?

[lordpengwin]

So it looks like the problem is that for some reason, the list of teams being returned by GitHub does not include the new team that I created. It seems that maybe there is some sort of limitation on the number returned?

[klizhentas]

We are using this method documented by github:

https://developer.github.com/v3/teams/#list-user-teams

I don't think we paginate the results so we just process the first page right now. I'm gonna file this as an issue.

[lordpengwin]

I've been experimenting and it looks like the limit might be 30 that is the number that is always returned even if i remove myself or delete some of the teams that come back in the list.

[klizhentas]

yes, this code should paginate but it does not:

https://github.com/gravitational/teleport/blob/master/lib/auth/github.go#L377

[avsm]

Just confirming that I also observe this pagination issue on the ocaml organisation as well. We have a lot of teams, and the results are being terminated in the GitHub callback so the teams_to_mappings is incomplete.