GitHub OAuth Identity Provider allow access to particular group

We’ve created a GitHub OAuth application and successfully wired it up to CF Access as an identity provider. It shows in the list of login methods for our application, however no matter how I configure the Organization name and teams list, I cannot get users within the specified teams to be allowed access via GitHub OAuth flow.

I’m curious if potentially I have misunderstood the capabilities of the GitHub identity provider or if there’s anything else going on. The team in question is the @WordPress/openverse-maintainers team. I’m unable to include links in my post so I can’t link to the GitHub page for the link, unfortunately.

I’ve tried the following team name configurations for the access policy, all with the org name set to WordPress:

  • openverse-maintainers
  • WordPress/openverse-maintainers
  • @WordPress/openverse-maintainers

I’ve also tried to use the openverse team as openverse-maintainers is a child team of that team and I was wondering if that was causing issues. I tried similar permutations to the list above however also to no avail.

The organization (WordPress) has also approved the Cloudflare Access OAuth application. The test link in the Cloudflare Access identity provider configuration dashboard also reports a successful test.

I’ve had a hard time finding any detailed information on how to correctly configure this for teams, so any guidance here would be much appreciated. Thanks!

Figured it out after contacting Cloudflare support. It turns out the issue was that you have to use the GitHub team’s display name, not the team slug. So for us the team’s display name was “Openverse Maintainers”. The following Terraform configuration worked for us:

    github {
      identity_provider_id = data.cloudflare_access_identity_provider.github_login.id
      name                 = "WordPress"
      teams                = ["Openverse Maintainers"]
    }

To test and see if the GitHub identity provider is correctly configured and which teams you get back exactly for a given user, you can test the IdP by going to the Zero Trust dashboard and going to Settings (from the sidebar) > Authentication > Login methods section and opening the “Test” link in the GitHub provider row. This will take you to a separate page that shows you the JSON that Cloudflare is using to test the access policies.

Hope this helps anyone else stumped on this!
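As an added check that is not part of the original thread: the script below takes the team list GitHub returns for a user (the shape of `GET /user/teams`, with `name`, `slug` and `organization.login`) and classifies each value configured in the Access policy as a display-name match, a slug-only match (the misconfiguration described above), or unknown. The team JSON is a constructed sample, not a real API capture; point it at the real response or at the JSON shown on the dashboard “Test” page to check your own policy.

```python
import json

# Constructed sample in the shape of GitHub's GET /user/teams response,
# trimmed to the fields that matter here (not a real API capture).
SAMPLE_USER_TEAMS = json.loads("""
[
  {"name": "Openverse Maintainers", "slug": "openverse-maintainers",
   "organization": {"login": "WordPress"},
   "parent": {"name": "Openverse", "slug": "openverse"}},
  {"name": "Openverse", "slug": "openverse",
   "organization": {"login": "WordPress"}, "parent": null},
  {"name": "Docs", "slug": "docs",
   "organization": {"login": "example-org"}, "parent": null}
]
""")


def teams_by_org(user_teams):
    """Map org login -> {display name: slug} for the teams the user belongs to."""
    out = {}
    for team in user_teams:
        org = team["organization"]["login"]
        out.setdefault(org, {})[team["name"]] = team["slug"]
    return out


def check_policy_teams(org, configured, user_teams):
    """Classify each team value configured in a Cloudflare Access GitHub policy.

    Returns a dict: "ok" lists values matching a display name (what Access
    expects), "slug_only" maps values that only match a slug to the display
    name to use instead, "unknown" lists values matching neither.
    """
    names = teams_by_org(user_teams).get(org, {})
    slug_to_name = {slug: name for name, slug in names.items()}
    result = {"ok": [], "slug_only": {}, "unknown": []}
    for value in configured:
        # Strip the "@org/" or "org/" prefix people tend to paste from GitHub.
        bare = value.lstrip("@")
        if bare.lower().startswith(org.lower() + "/"):
            bare = bare[len(org) + 1:]
        if bare in names:
            result["ok"].append(value)
        elif bare in slug_to_name:
            result["slug_only"][value] = slug_to_name[bare]
        else:
            result["unknown"].append(value)
    return result
```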