Github: Groups not getting loaded when no org is specified in config

[mrIncompetent]

Dex is not fetching the groups when no org is specified in the config.
The groups scope is specified &scope=openid%20email%20profile%20groups

According to the Github Oauth Application in my private profile dex has the permission to read them.
Am i missing something here?

Version: 2.7.1

[devonbarrett]

Groups are only returned for orgs specified in the connector config.

Dex queries the following organizations for group information if the
"groups" scope is provided. Group claims are formatted as "(org):(team)".
For example if a user is part of the "engineering" team of the "coreos"
org, the group claim would include "coreos:engineering".

https://github.com/coreos/dex/blob/master/Documentation/github-connector.md#configuration

[mrIncompetent]

I was confused by the following code:

// groupsRequired returns whether dex requires GitHub's 'read:org' scope. Dex
// needs 'read:org' if 'orgs' or 'org' fields are populated in a config file.
// Clients can require 'groups' scope without setting 'orgs'/'org'.
func (c *githubConnector) groupsRequired(groupScope bool) bool {
	return len(c.orgs) > 0 || c.org != "" || groupScope
}

[ericchiang]

Dex is not fetching the groups when no org is specified in the config.The groups scope is specified &scope=openid%20email%20profile%20groups

can you paste an example config (without your tokens)?

[mrIncompetent]

issuer: https://***/dex
oauth2:
  skipApprovalScreen: true
  responseTypes:
  - code
  - token
  - id_token
storage:
  type: kubernetes
  config:
    inCluster: true
web:
  http: 0.0.0.0:5556
connectors:
- config:
  clientID: ***
  clientSecret: ***
  issuer: https://accounts.google.com
  redirectURI: https://***/dex/callback
  id: google
  name: Google
  type: oidc
- config:
  clientID: ***
  clientSecret: ***
  redirectURI: https://***/dex/callback
  id: github
  name: GitHub
  type: github
staticClients:
- RedirectURIs:
  - https://***
  - http://localhost:8000
  id: myclient
  name: myclient
  secret: ***

[2color]

I have the same problem with version 2.7.1 with both the org set and unset.

[tectonic-identity-124214214-ntpj5] time="2017-12-12T10:29:39Z" level=info msg="login successful: connector "github", username="Daniel Norman", email="daniel@OBSCURED", groups=[]"

[jwntrs]

I just submitted a PR for this #1184.

We're currently returning groups in the form:

[
    "org-1:team-1",
    "org-1:team-2",
    "org-1:team-3",
    "org-2:team-4",
    "org-3"
]

However I'm wondering if this is a better format:

[
    "org-1",
    "org-1:team-1",
    "org-1:team-2",
    "org-1:team-3",
    "org-2",
    "org-2:team-4",
    "org-3"
]

It seems like the second format would make it easier to match groups at the org level, even if teams exist. Thoughts?