[Bug] authURL is empty when using GitHub as an OIDC server #2168

Open
3 of 4 tasks
maxpain opened this issue Oct 3, 2024 · 3 comments
Labels
bug Something isn't working no-stale-bot

Comments

maxpain commented Oct 3, 2024

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Headscale redirects to an empty authURL

2024-10-03T11:08:53Z DBG Redirecting to ?client_id=123&domain_hint=...

Expected Behavior

Headscale should redirect to "https://github.com/login/oauth/authorize"

Steps To Reproduce

  1. Create an OAuth app in GitHub developer settings
  2. Set up Headscale to use GitHub as an OIDC server:
     oidc:
       only_start_if_oidc_is_available: true
       issuer: "https://token.actions.githubusercontent.com"
       client_id: "123"
       client_secret: "123"
  3. Try to log in

Environment

- OS: Ubuntu 24.04
- Headscale version: 0.23.0

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response

@maxpain maxpain added the bug Something isn't working label Oct 3, 2024
maxpain (Author) commented Oct 3, 2024

It seems https://token.actions.githubusercontent.com/.well-known/openid-configuration doesn't contain an authorization_endpoint field.

kradalby (Collaborator) commented Oct 4, 2024

I am not sure why they do not provide authorization_endpoint, but I thought that was a part of the OIDC standard requirements (feel free to correct). Some searching doesn't seem to make me any cleverer.

We do not support non-compliant providers, so if that is the case for GitHub, I suppose we do not support it.

If someone has more insights on their requirements/quirks, that would be helpful.

oneingan commented Oct 4, 2024

Using the Jenkins OIDC provider here, this is the openid-configuration:

{
  "issuer": "https://jenkins.example.com/oidc",
  "jwks_uri": "https://jenkins.example.com/oidc/jwks",
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "authorization_endpoint": "https://unimplemented",
  "token_endpoint": "https://unimplemented"
}

I'm using this provider with AWS, step-ca and Grafana without issues.
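
An added example, not Headscale's code and not posted by anyone in this thread: a Go check that rejects a discovery document before any redirect is built, so a missing authorization_endpoint is reported up front instead of producing the empty `?client_id=...` redirect shown in the log. The names `checkDiscovery` and `providerMetadata`, the issuer `https://idp.example.com` and the sample document are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// providerMetadata holds the discovery fields the authorization code flow relies on.
type providerMetadata struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
}

// checkDiscovery lists every problem that should block interactive login; empty means usable.
func checkDiscovery(configuredIssuer string, raw []byte) []string {
	var md providerMetadata
	if err := json.Unmarshal(raw, &md); err != nil {
		return []string{"invalid JSON: " + err.Error()}
	}
	var problems []string
	// The issuer in the document must match the configured one exactly.
	if md.Issuer != configuredIssuer {
		problems = append(problems, fmt.Sprintf("issuer mismatch: got %q", md.Issuer))
	}
	endpoints := []struct{ name, value string }{
		{"authorization_endpoint", md.AuthorizationEndpoint},
		{"token_endpoint", md.TokenEndpoint},
		{"jwks_uri", md.JWKSURI},
	}
	for _, e := range endpoints {
		u, err := url.Parse(e.value)
		switch {
		case e.value == "":
			problems = append(problems, e.name+" is missing")
		case err != nil || u.Scheme != "https" || u.Host == "":
			problems = append(problems, e.name+" is not an absolute https URL")
		}
	}
	return problems
}

// Constructed sample: a token-only issuer document with no authorization_endpoint.
const tokenOnlyDoc = `{"issuer":"https://idp.example.com","jwks_uri":"https://idp.example.com/jwks"}`
func main() {
	fmt.Println(checkDiscovery("https://idp.example.com", []byte(tokenOnlyDoc)))
}
```

The Jenkins document quoted above passes these checks, since `https://unimplemented` is a syntactically valid https URL; catching placeholder endpoints needs a reachability check or an explicit configuration override.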
