oidc-github.claims

GitHub API interaction and OIDC claim mapping.

Provides functions to fetch user data from GitHub’s REST API and transform it into standard OIDC claims. Includes caching support to respect GitHub’s rate limits.

cached-fetch-user-data

(cached-fetch-user-data user-cache access-token enterprise-url)

Fetches user data from GitHub API with caching.

Uses the provided cache to store results keyed by access token. The cache should be created with create-cache.

Note: Caching by access token means that if a user’s data changes on GitHub, the changes won’t be reflected until the cache expires. This is generally acceptable for the TTL values used (typically 5 minutes).

create-cache

(create-cache ttl-ms)

Creates a cache for GitHub user data with the specified TTL in milliseconds.

Uses an LRU cache with a maximum of 1000 entries and a TTL for each entry.

fetch-all-user-data

(fetch-all-user-data access-token)
(fetch-all-user-data access-token enterprise-url)

Fetches user data from GitHub API based on granted token scopes.

Returns a map with :profile (always fetched), :emails (if user or user:email scope), and :orgs (if read:org or admin:org scope) keys. Checks the X-OAuth-Scopes header from the initial profile request to determine which additional endpoints to call.

fetch-user-emails

(fetch-user-emails access-token)
(fetch-user-emails access-token enterprise-url)

Fetches user email addresses from GitHub API.

Returns a vector of email maps, each containing :email, :verified, and :primary keys.

fetch-user-orgs

(fetch-user-orgs access-token)
(fetch-user-orgs access-token enterprise-url)

Fetches user organization memberships from GitHub API.

Returns a vector of organization maps, each containing :login and other org metadata.

fetch-user-profile

(fetch-user-profile access-token)
(fetch-user-profile access-token enterprise-url)

Fetches user profile data from GitHub API.

Returns a map containing user information including login, name, email, avatar URL, etc. Optionally accepts an enterprise-url for GitHub Enterprise Server instances.

filter-by-scope

(filter-by-scope claims scope)

Filters OIDC claims based on requested scopes.

The profile scope includes: name, preferred_username, profile, picture.
The email scope includes: email, email_verified.

GitHub-specific claims (github_*) are always included regardless of scope.

github->oidc-claims

(github->oidc-claims {:keys [profile emails orgs]})

Transforms GitHub user data into standard OIDC claims.

Takes a map with :profile, :emails, and :orgs keys (as returned by fetch-all-user-data) and returns a map of OIDC standard claims.

Standard claims returned:
- sub - GitHub user ID (as string)
- preferred_username - GitHub login
- name - User’s full name
- email - Primary verified email address
- email_verified - Always true if email is present
- profile - GitHub profile URL
- picture - Avatar URL

Custom GitHub claims:
- github_login - GitHub username
- github_orgs - Vector of organization logins
- github_company - Company name from profile

has-email-scope?

(has-email-scope? scopes)

Returns true if the scopes include access to user emails.

Email access is granted by either user (full user scope) or user:email (email-only scope).

has-org-scope?

(has-org-scope? scopes)

Returns true if the scopes include access to user organizations.

Org access is granted by either read:org (read-only) or admin:org (full admin access).

parse-oauth-scopes

(parse-oauth-scopes headers)

Parses the X-OAuth-Scopes header into a set of scope strings.

GitHub returns granted scopes as a comma-separated string in the X-OAuth-Scopes response header. Returns nil if header is not present.

primary-verified-email

(primary-verified-email emails)

Extracts the primary verified email from a list of email maps.

Returns the email string if found, nil otherwise.
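The scope-gated fetch, claim mapping and scope filtering documented above (parse-oauth-scopes, has-email-scope?/has-org-scope?, primary-verified-email, github->oidc-claims, filter-by-scope) as an added stand-alone sketch; it is not the library's source. The function names, the constructed sample data, the space-separated scope string and the always-present sub claim are assumptions.

```clojure
(ns example.claim-mapping
  (:require [clojure.string :as str]))

;; Constructed stand-ins for the headers and bodies the profile,
;; emails and orgs requests would return (not real GitHub data).
(def sample-headers {"X-OAuth-Scopes" "read:user, user:email, read:org"})
(def sample-user-data
  {:profile {:id 12345 :login "octocat" :name "The Octocat" :company "@github"
             :html_url "https://github.com/octocat" :avatar_url "https://example.invalid/a.png"}
   :emails  [{:email "old@example.com" :verified false :primary false}
             {:email "octocat@example.com" :verified true :primary true}]
   :orgs    [{:login "github"} {:login "octokit"}]})

(defn scopes-from-header
  "Split the comma-separated X-OAuth-Scopes header into a set; nil when absent."
  [headers]
  (when-let [raw (get headers "X-OAuth-Scopes")]
    (->> (str/split raw #",") (map str/trim) (remove str/blank?) set)))

(defn pick-primary-verified-email
  "Only an address that is both primary and verified may become the email claim."
  [emails]
  (some (fn [{:keys [email verified primary]}] (when (and primary verified) email)) emails))

(defn ->oidc-claims [{:keys [profile emails orgs]}]
  (let [email (pick-primary-verified-email emails)]
    (cond-> {:sub                (str (:id profile)) ; user id as a string
             :preferred_username (:login profile)
             :name               (:name profile)
             :profile            (:html_url profile)
             :picture            (:avatar_url profile)
             :github_login       (:login profile)
             :github_orgs        (mapv :login orgs)
             :github_company     (:company profile)}
      email (assoc :email email :email_verified true))))

(def scope->claims
  {"profile" #{:name :preferred_username :profile :picture}
   "email"   #{:email :email_verified}})

(defn restrict-to-scope
  "Keep sub (assumed mandatory), github_* and whatever the requested scopes grant."
  [claims scope]
  (let [allowed (into #{:sub} (mapcat scope->claims (str/split scope #"\s+")))]
    (into {} (filter (fn [[k _]] (or (allowed k) (str/starts-with? (name k) "github_"))) claims))))

(defn demo []
  (let [scopes (or (scopes-from-header sample-headers) #{})
        data   (cond-> {:profile (:profile sample-user-data)}
                 (some scopes ["user" "user:email"])   (assoc :emails (:emails sample-user-data))
                 (some scopes ["read:org" "admin:org"]) (assoc :orgs (:orgs sample-user-data)))]
    ;; "email" was not requested, so the verified address never reaches the token.
    (restrict-to-scope (->oidc-claims data) "openid profile")))
```

Swapping the sample's primary address to :verified false makes pick-primary-verified-email return nil, so both :email and :email_verified are omitted rather than an unverified address being asserted.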

user-in-org?

(user-in-org? user-data org-login)

Checks if a user is a member of the specified GitHub organization.

Takes user data (as returned by fetch-all-user-data) and an organization login string. Returns true if the user is a member of that org, false otherwise.