Unable To Link Enterprise Github With Apicurio

[Surbhi27946]

Hi,
I followed : https://www.apicur.io/studio/docs/setting-up-keycloak-for-use-with-apicurio in order to have our Github as an identity provider with APicurio running locally in our system.

We can see the login option with github is there :

But on clicking the Github login option, We are getting redirected here :

Can you please help on what might have gone wrong?

[Surbhi27946]

This is the oauth application that I registered in our github :

[Surbhi27946]

Also, this github is internal of our organisation : https://gecgithub01.walmart.com/
But on logging in, I am getting directed to my personal github page.

[EricWittmann]

The screenshot for the OAuth application didn't come through. I can't tell from the 404 github page what might be wrong. However, Keycloak has some additional documentation on this here:

https://www.keycloak.org/docs/latest/server_admin/index.html#github

Have a look at that and see if it helps. Without more information (e.g. screenshots of the actual configuration params in Keycloak and Github) I can't be of more help. :(

[Surbhi27946]

Sorry for that.
Here is the screenshot for the application that we created in our gecgithub :

And the keycloak configuration for the identity provider is:

Is it possible that it is happening because I am configuring github as identity provider on keycloak, whereas the client and the secrets belong to the oauth application created on gecgithub which is internal to Walmart?

[EricWittmann]

Ah ha! I didn't put that together initially. You are trying to integrate with an instance of GitHub Enterprise, not with github.com. I thought you were referring to a private organization on github.com. My mistake.

So yeah - you will need some different configuration. Instead of configuring a github.com identity provider in Keycloak, you will need to configure a OpenID Connect v1.0 identity provider instead. The good news is that I'm confident this is possible to do without much trouble. The bad news is that I don't have this specific use-case documented, because I don't have access to a GitHub Enterprise installation that I can use to test and verify the configuration steps.

We do have documentation on how to configure a local GitLab server, which is exactly what you want to do but with GitHub Enterprise instead of GitLab CE. Here is the GitLab article for reference:

https://www.apicur.io/studio/docs/using-a-local-installation-of-gitlab

You could try to adapt the information in that article for your situation.

To make this even more complicated (I hope I'm not scaring you away), there is an issue with using the Keycloak OpenID Connect identity provider type with GitHub Enterprise. The problem is discussed here: #831

We have a solution to that problem in the form of a custom Keycloak extension that provides a configurable version of the standard GitHub Keycloak social connector. You can find that extension (with Readme documentation) here:

https://github.com/Apicurio/apicurio-keycloak-extensions

Ignore the GitLab section of the readme and focus on the GitHub section. 👍

[Surbhi27946]

@EricWittmann
I went through the documentation you provided : https://www.apicur.io/studio/docs/using-a-local-installation-of-gitlab

Sorry but I have few basic questions :

1. I am using the quickstart to set up the Apicurio locally in my system.
   So where exactly these environment need to be set ?
   APICURIO_GITLAB_API_URL="https://gitlab.example.com"
   export APICURIO_GITLAB_API_URL
2. What exactly is the environment variable that I should set - APICURIO_GITHUB_API_URL ?

[EricWittmann]

For GitHub there are two environment variables you must set (or you can use system properties). These are:

https://github.com/Apicurio/apicurio-studio/blob/master/back-end/hub-core/src/main/java/io/apicurio/hub/core/config/HubConfiguration.java#L46-L50

You can either use the environment variable approach or the system property approach. If using env vars, something like this:

export APICURIO_GITHUB_URL=https://mygithub.example.com
export APICURIO_GITHUB_API_URL=https://api.mygithub.example.com
$STUDIO_HOME/bin/standalone.sh -b 0.0.0.0 -c standalone-apicurio.xml

If you want to use system properties you can either add them to the right place in the standalone-apicurio.xml file found in the quickstart (in standalone/configuration) or you can add them to the command line:

$STUDIO_HOME/bin/standalone.sh \
    -Dapicurio.hub.github.url=https://mygithub.example.com \
    -Dapicurio.hub.github.api=https://api.mygithub.example.com \
    -b 0.0.0.0 -c standalone-apicurio.xml

[EricWittmann]

I realize you're just trying to get this working (step 1) but I wanted to mention that it's not recommended to use the Quickstart in production. That's intended to be an evaluation deployment (get started fast). If your plan is to run something in production, I would strongly suggest doing so using the docker images (either via docker compose, kubernetes, or OpenShift).

[Surbhi27946]

Okay. Thanks a lot @EricWittmann
Will try this up.

[Surbhi27946]

@EricWittmann
I tried the steps you suggested. I even cloned and build the https://github.com/Apicurio/apicurio-keycloak-extensions and then put the jar in the keycloak standalone/deployments directory as given in the Readme.

And then i am using this command to start my local keycloak instance :
./bin/standalone.sh -Dapicurio.hub.github.baseUrl=https://gecgithub01.walmart.com -Dapicurio.hub.github.apiUrl=https://gecgithub01.walmart.com/api/v3

But still the GitHub Enterprise is not getting listed in the Identity providers dropdown.

[Surbhi27946]

Do I need to take some other action as well?

[EricWittmann]

What version of Keycloak are you using? I'll try to reproduce.

[EricWittmann]

Note: it's possible that you don't have GitHub in that list because you already have a GitHub social connector created. Maybe try deleting that one and seeing if the dropdown changes? I think this because I don't see either "GitHub" entry in the list. And they both have the same built-in value for "provider id" of github.

[Surbhi27946]

@EricWittmann
Indeed the issue got resolved after deleting the github identity provider.
Now I can see the Github enterprise entry in the drop down.
Thanks a lot for you your help and support.

[EricWittmann]

OK great! It sounds like you have things going OK. I'm going to close this for now but please feel free to re-open it if you need additional support.

Also if you get everything working the way you want, please consider contributing documentation for how to configure Studio with GitHub Enterprise. It would be very appreciated! :)

[Surbhi27946]

Surely I would be glad to contribute in the documentation for github enterprise as we have things working as expected.
Let me know the space where can I start documenting or the procedure for it.
Thanks

[EricWittmann]

That would be amazing, thanks! The Studio documentation is located here:

https://github.com/Apicurio/apicurio.github.io/tree/master/_pages/studio/docs

I would suggest making a copy of using-a-local-installation-of-gitlab.md and using it as a template for a GitHub specific version of it. :)

[Surbhi27946]

@EricWittmann
I have created the documentation.
Let me know how can I push it into the source code or how can i raise the PR for it.
Thanks

[EricWittmann]

That's great! If you wanted to fork that repository and then submit a PR that would be great. If you want to attach the file to this issue or email it to me, that's fine too (my email address is in my GitHub profile).

[Surbhi27946]

Hi @EricWittmann
Raised the PR Apicurio/apicurio.github.io#11
Thanks

[EricWittmann]

Fantastic, thanks so much!