Add GitHub Enterprise support for Copilot authentication

ericdallo · eca-agent · ericdallo · commit bb7ac1c13810 · 2026-04-08T15:02:04.000-03:00
Replace hardcoded github.com OAuth URLs and client ID in the Copilot provider with config-driven values. OAuth device-flow endpoints are now derived from the provider's `auth.url` setting, defaulting to github.com when unset. A `auth.clientId` override is also supported for enterprise instances that use a different OAuth application. The `auth` object is added to the generic provider config schema so it can be reused by other providers in the future. Closes #402 🤖 Generated with [eca](https://eca.dev) Co-Authored-By: eca <git@eca.dev>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Unreleased
 
 - Fix `/resume` broken for OpenAI chats: handle nil reasoning text during replay, preserve prompt-id after chat replacement, and clear UI before replaying messages. #400
+- Add GitHub Enterprise support for Copilot authentication via `auth.url` and `auth.clientId` provider config. #402
 
 ## 0.124.2
 
diff --git a/docs/config.json b/docs/config.json
@@ -498,6 +498,26 @@
           "description": "Whether this provider requires authentication.",
           "markdownDescription": "Whether this provider requires authentication."
         },
+        "auth": {
+          "type": "object",
+          "description": "Authentication endpoint overrides for providers that use OAuth device flow. Used when the provider's identity server differs from the default (e.g. enterprise or self-hosted instances).",
+          "markdownDescription": "Authentication endpoint overrides for providers that use OAuth device flow. Used when the provider's identity server differs from the default (e.g. enterprise or self-hosted instances).",
+          "additionalProperties": false,
+          "properties": {
+            "url": {
+              "type": "string",
+              "description": "Base URL of the identity provider. OAuth device-flow endpoints are derived from this URL.",
+              "markdownDescription": "Base URL of the identity provider. OAuth device-flow endpoints are derived from this URL.",
+              "format": "uri",
+              "examples": ["https://github.mycompany.com"]
+            },
+            "clientId": {
+              "type": "string",
+              "description": "OAuth client ID to use for the device-flow. Defaults to the provider's public client ID when omitted.",
+              "markdownDescription": "OAuth client ID to use for the device-flow. Defaults to the provider's public client ID when omitted."
+            }
+          }
+        },
         "completionUrlRelativePath": {
           "type": "string",
           "description": "Custom relative URL path for completion requests.",
diff --git a/src/eca/llm_providers/copilot.clj b/src/eca/llm_providers/copilot.clj
@@ -9,37 +9,49 @@
    [eca.shared :refer [multi-str]]
    [hato.client :as http]))
 
-(def ^:private client-id "Iv1.b507a08c87ecfe98")
+(set! *warn-on-reflection* true)
+
+(def ^:private default-client-id "Iv1.b507a08c87ecfe98")
+
+(defn ^:private github-base-url [provider-settings]
+  (or (get-in provider-settings [:auth :url])
+      "https://github.com"))
+
+(defn ^:private github-api-base-url [provider-settings]
+  (let [base (github-base-url provider-settings)]
+    (if (= base "https://github.com")
+      "https://api.github.com"
+      (str base "/api/v3"))))
+
+(defn ^:private copilot-client-id [provider-settings]
+  (or (get-in provider-settings [:auth :clientId])
+      default-client-id))
 
 (defn ^:private auth-headers []
   {"Content-Type" "application/json"
    "Accept" "application/json"
    "editor-plugin-version" "eca/*"
    "editor-version" (str "eca/" (config/eca-version))})
 
-(def ^:private oauth-login-device-url
-  "https://github.com/login/device/code")
-
-(defn ^:private oauth-url []
-  (let [{:keys [body]} (http/post
-                        oauth-login-device-url
+(defn ^:private oauth-url [provider-settings]
+  (let [device-url (str (github-base-url provider-settings) "/login/device/code")
+        {:keys [body]} (http/post
+                        device-url
                         {:headers (auth-headers)
-                         :body (json/generate-string {:client_id client-id
+                         :body (json/generate-string {:client_id (copilot-client-id provider-settings)
                                                       :scope "read:user"})
                          :http-client (client/merge-with-global-http-client {})
                          :as :json})]
     {:user-code (:user_code body)
      :device-code (:device_code body)
      :url (:verification_uri body)}))
 
-(def ^:private oauth-login-access-token-url
-  "https://github.com/login/oauth/access_token")
-
-(defn ^:private oauth-access-token [device-code]
-  (let [{:keys [status body]} (http/post
-                               oauth-login-access-token-url
+(defn ^:private oauth-access-token [provider-settings device-code]
+  (let [access-token-url (str (github-base-url provider-settings) "/login/oauth/access_token")
+        {:keys [status body]} (http/post
+                               access-token-url
                                {:headers (auth-headers)
-                                :body (json/generate-string {:client_id client-id
+                                :body (json/generate-string {:client_id (copilot-client-id provider-settings)
                                                              :device_code device-code
                                                              :grant_type "urn:ietf:params:oauth:grant-type:device_code"})
                                 :throw-exceptions? false
@@ -51,12 +63,10 @@
                       {:status status
                        :body body})))))
 
-(def ^:private oauth-copilot-token-url
-  "https://api.github.com/copilot_internal/v2/token")
-
-(defn ^:private oauth-renew-token [access-token]
-  (let [{:keys [status body]} (http/get
-                               oauth-copilot-token-url
+(defn ^:private oauth-renew-token [provider-settings access-token]
+  (let [token-url (str (github-api-base-url provider-settings) "/copilot_internal/v2/token")
+        {:keys [status body]} (http/get
+                               token-url
                                {:headers (merge (auth-headers)
                                                 {"authorization" (str "token " access-token)})
                                 :throw-exceptions? false
@@ -71,8 +81,9 @@
 
 ;; --- Settings-based login (providers/login flow) ---
 
-(defmethod f.providers/start-login! ["github-copilot" "device"] [_ _ db* _config messenger metrics]
-  (let [{:keys [user-code device-code url]} (oauth-url)]
+(defmethod f.providers/start-login! ["github-copilot" "device"] [_ _ db* config messenger metrics]
+  (let [provider-settings (get-in config [:providers "github-copilot"])
+        {:keys [user-code device-code url]} (oauth-url provider-settings)]
     (swap! db* assoc-in [:auth "github-copilot"] {:step :login/waiting-user-confirmation
                                                    :device-code device-code})
     (future
@@ -82,8 +93,8 @@
                    (= :login/waiting-user-confirmation
                       (get-in @db* [:auth "github-copilot" :step])))
           (let [result (try
-                         (let [access-token (oauth-access-token device-code)
-                               {:keys [api-key expires-at]} (oauth-renew-token access-token)]
+                         (let [access-token (oauth-access-token provider-settings device-code)
+                               {:keys [api-key expires-at]} (oauth-renew-token provider-settings access-token)]
                            (swap! db* update-in [:auth "github-copilot"] merge
                                   {:step :login/done
                                    :access-token access-token
@@ -99,35 +110,40 @@
     {:action "device-code"
      :url url
      :code user-code
-     :message "Enter this code at the URL above. Make sure Copilot is enabled at https://github.com/settings/copilot/features"}))
+     :message (format "Enter this code at the URL above. Make sure Copilot is enabled at %s/settings/copilot/features"
+                      (github-base-url provider-settings))}))
 
 ;; --- Chat-based login (legacy /login command) ---
 
-(defmethod f.login/login-step ["github-copilot" :login/start] [{:keys [db* chat-id provider send-msg!]}]
-  (let [{:keys [user-code device-code url]} (oauth-url)]
+(defmethod f.login/login-step ["github-copilot" :login/start] [{:keys [db* chat-id provider config send-msg!]}]
+  (let [provider-settings (get-in config [:providers provider])
+        {:keys [user-code device-code url]} (oauth-url provider-settings)
+        github-url (github-base-url provider-settings)]
     (swap! db* assoc-in [:chats chat-id :login-provider] provider)
     (swap! db* assoc-in [:auth provider] {:step :login/waiting-user-confirmation
                                           :device-code device-code})
     (send-msg! (multi-str
-                "First, make sure you have Copilot enabled in you Github account: https://github.com/settings/copilot/features"
+                (format "First, make sure you have Copilot enabled in your Github account: %s/settings/copilot/features" github-url)
                 (format "Then, open your browser at:\n\n%s\n\nAuthenticate using the code: `%s`\nThen type anything in the chat and send it to continue the authentication."
                         url
                         user-code)))))
 
-(defmethod f.login/login-step ["github-copilot" :login/waiting-user-confirmation] [{:keys [db* provider send-msg!] :as ctx}]
-  (let [access-token (oauth-access-token (get-in @db* [:auth provider :device-code]))
-        {:keys [api-key expires-at]} (oauth-renew-token access-token)]
+(defmethod f.login/login-step ["github-copilot" :login/waiting-user-confirmation] [{:keys [db* provider config send-msg!] :as ctx}]
+  (let [provider-settings (get-in config [:providers provider])
+        access-token (oauth-access-token provider-settings (get-in @db* [:auth provider :device-code]))
+        {:keys [api-key expires-at]} (oauth-renew-token provider-settings access-token)]
     (swap! db* update-in [:auth provider] merge {:step :login/done
                                                  :access-token access-token
                                                  :api-key api-key
                                                  :expires-at expires-at})
-
     (f.login/login-done! ctx)
-    (send-msg! "\nMake sure to enable the model you want use at: https://github.com/settings/copilot/features")))
+    (send-msg! (format "\nMake sure to enable the model you want to use at: %s/settings/copilot/features"
+                       (github-base-url provider-settings)))))
 
-(defmethod f.login/login-step ["github-copilot" :login/renew-token] [{:keys [db* provider] :as ctx}]
-  (let [access-token (get-in @db* [:auth provider :access-token])
-        {:keys [api-key expires-at]} (oauth-renew-token access-token)]
+(defmethod f.login/login-step ["github-copilot" :login/renew-token] [{:keys [db* provider config] :as ctx}]
+  (let [provider-settings (get-in config [:providers provider])
+        access-token (get-in @db* [:auth provider :access-token])
+        {:keys [api-key expires-at]} (oauth-renew-token provider-settings access-token)]
     (swap! db* update-in [:auth provider] merge {:api-key api-key
                                                  :expires-at expires-at})
     (f.login/login-done! ctx :silent? true :skip-models-sync? true)))
diff --git a/test/eca/llm_providers/copilot_test.clj b/test/eca/llm_providers/copilot_test.clj
@@ -4,6 +4,29 @@
    [eca.client-test-helpers :refer [with-client-proxied]]
    [eca.llm-providers.copilot :as llm-providers.copilot]))
 
+(def ^:private test-provider-settings
+  "Provider settings using plain HTTP so requests route through the test proxy."
+  {:auth {:url "http://localhost:99"}})
+
+(deftest github-url-derivation-test
+  (testing "defaults to github.com when no auth config"
+    (is (= "https://github.com" (#'llm-providers.copilot/github-base-url {})))
+    (is (= "https://api.github.com" (#'llm-providers.copilot/github-api-base-url {})))
+    (is (= "Iv1.b507a08c87ecfe98" (#'llm-providers.copilot/copilot-client-id {}))))
+
+  (testing "uses custom GitHub Enterprise URL"
+    (let [settings {:auth {:url "https://ghe.example.com"}}]
+      (is (= "https://ghe.example.com" (#'llm-providers.copilot/github-base-url settings)))
+      (is (= "https://ghe.example.com/api/v3" (#'llm-providers.copilot/github-api-base-url settings)))))
+
+  (testing "uses custom client ID"
+    (let [settings {:auth {:clientId "custom-id"}}]
+      (is (= "custom-id" (#'llm-providers.copilot/copilot-client-id settings)))))
+
+  (testing "defaults client ID when only URL is overridden"
+    (let [settings {:auth {:url "https://ghe.example.com"}}]
+      (is (= "Iv1.b507a08c87ecfe98" (#'llm-providers.copilot/copilot-client-id settings))))))
+
 (deftest oauth-url-test
   (testing "constructs GitHub device OAuth request and parses key response fields"
     (let [req* (atom nil)]
@@ -16,17 +39,14 @@
                   :device_code      "DEVICE-CODE"
                   :verification_uri "https://github.com/login/device"}})
 
-        (let [result
-              (with-redefs [llm-providers.copilot/oauth-login-device-url
-                            "http://localhost:99/login/device/code"]
-                (#'llm-providers.copilot/oauth-url))]
+        (let [result (#'llm-providers.copilot/oauth-url test-provider-settings)]
 
           ;; request validation
           (is (= {:method "POST"
                   :uri    "/login/device/code"}
                  (select-keys @req* [:method :uri])))
 
-          (is (= {:client_id @#'llm-providers.copilot/client-id
+          (is (= {:client_id "Iv1.b507a08c87ecfe98"
                   :scope     "read:user"}
                  (:body @req*))
               "Outgoing payload should match device-code request")
@@ -48,17 +68,14 @@
            :body {:access_token "gh-access-token"}})
 
         (let [device-code "device-code-123"
-              result
-              (with-redefs [llm-providers.copilot/oauth-login-access-token-url
-                            "http://localhost:99/login/oauth/access_token"]
-                (#'llm-providers.copilot/oauth-access-token device-code))]
+              result (#'llm-providers.copilot/oauth-access-token test-provider-settings device-code)]
 
           ;; request validation
           (is (= {:method "POST"
                   :uri    "/login/oauth/access_token"}
                  (select-keys @req* [:method :uri])))
 
-          (is (= {:client_id   @#'llm-providers.copilot/client-id
+          (is (= {:client_id   "Iv1.b507a08c87ecfe98"
                   :device_code device-code
                   :grant_type  "urn:ietf:params:oauth:grant-type:device_code"}
                  (:body @req*))
@@ -79,14 +96,11 @@
                   :expires_at 9999999999}})
 
         (let [access-token "gh-access-123"
-              result
-              (with-redefs [llm-providers.copilot/oauth-copilot-token-url
-                            "http://localhost:99/copilot_internal/v2/token"]
-                (#'llm-providers.copilot/oauth-renew-token access-token))]
+              result (#'llm-providers.copilot/oauth-renew-token test-provider-settings access-token)]
 
-          ;; request validation
+          ;; request validation — uses /api/v3 prefix since test settings use a custom auth URL
           (is (= {:method "GET"
-                  :uri    "/copilot_internal/v2/token"}
+                  :uri    "/api/v3/copilot_internal/v2/token"}
                  (select-keys @req* [:method :uri])))
 
           (is (= {"authorization" (str "token " access-token)
