Merge pull request #10410 from xinhai-ai/dev

fix: GitHub OAuth email retrieval when public email is not set
2025-02-22 13:18:25 +00:00 · 2025-02-19 23:16:46 -08:00 · 2025-02-19 23:16:46 -08:00 · 0e20b15afe
commit 0e20b15afe
parent e1cc104805 de8492de34
1 changed files with 29 additions and 3 deletions
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@ -246,11 +246,37 @@ class OAuthManager:
            raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
        provider_sub = f"{provider}@{sub}"
        email_claim = auth_manager_config.OAUTH_EMAIL_CLAIM
-        email = user_data.get(email_claim, "").lower()
+        email = user_data.get(email_claim, "")
        # We currently mandate that email addresses are provided
        if not email:
-            log.warning(f"OAuth callback failed, email is missing: {user_data}")
-            raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
+            # If the provider is GitHub,and public email is not provided, we can use the access token to fetch the user's email
+            if provider == "github":
+                try:
+                    access_token = token.get("access_token")
+                    headers = {
+                        "Authorization": f"Bearer {access_token}"
+                    }
+                    async with aiohttp.ClientSession() as session:
+                        async with session.get("https://api.github.com/user/emails", headers=headers) as resp:
+                            if resp.ok:
+                                emails = await resp.json()
+                                # use the primary email as the user's email
+                                primary_email = next((e["email"] for e in emails if e.get("primary")), None)
+                                if primary_email:
+                                    email = primary_email
+                                else:
+                                    log.warning("No primary email found in GitHub response")
+                                    raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
+                            else:
+                                log.warning("Failed to fetch GitHub email")
+                                raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
+                except Exception as e:
+                    log.warning(f"Error fetching GitHub email: {e}")
+                    raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
+            else:
+                log.warning(f"OAuth callback failed, email is missing: {user_data}")
+                raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
+        email = email.lower()
        if (
            "*" not in auth_manager_config.OAUTH_ALLOWED_DOMAINS
            and email.split("@")[-1] not in auth_manager_config.OAUTH_ALLOWED_DOMAINS