Add default GitHub API URLs to SSO connector

[tcsc]

tctl sso configure github was producing an untestable connector spec, or at least a spec that would always fail when tested with tctl sso test, due to missing GitHub endpoints in the generated spec.

This change adds the default GitHub endpoint URLs as default values for the endpoint flags in tctl sso configure github so that the produces spec is valis and testable.

Note: Our WebUI appears to magically add these values when saving
a connector, so this issue only really effects tctl sso test

Includes doc update to match new output.

Fixes: #31396
Changelog: tctl sso configure github now includes default Github endpoints

[tcsc]

Is anyone else curious why this always returns a constant? Is this because SSO for self-hosted github is an enterprise-only feature?

[Tener]

I've given the old code a cursory look before and from my understanding the validation is being too strict here; in particular, you can expect there to be some existing configs that are correct (using public GitHub, so these fields can be empty) but will now be rejected.

Sounds wrong, and I'd be curious to see where exactly the error is being thrown:

$ tctl sso configure github --id $(cat ./github.client-id) --secret $(cat ./github.secret) --teams-to-roles GGUXGXM3Q5QDN6CD,Admin,editor -r GGUXGXM3Q5QDN6CD,everyone,access | tctl sso test
INFO [CLIENT]    RedirectURL empty, resolving automatically.
INFO [CLIENT]    RedirectURL set to "https://sso.dev-trent.net:443/v1/webapi/github/callback"
ERROR: Failed to create auth request. Check the auth connector definition for errors. Error: rpc error: code = Unknown desc = url scheme is empty

[tcsc]

the validation is being too strict here

I don't think this is necessarily a validation problem, and I certainly didn't add any - I just changed the generated connector so that it works in the test.

Sounds wrong, and I'd be curious to see where exactly the error is being thrown

Given your comments that it sounded wrong, I dug a bit deeper. Turns out this is what happens when you use an Enterprise tctl to test the sso connector. Using an OSS tctl works as expected.

The error was coming from deep inside the auth server. I suspect that the connector was being treated as a private GitHub one so not using the global defaults I flagged in the code review above. This ends up with the auth server being given empty endpoint URLs and failing when trying to parse them.

All in all it's a bit confusing confusing as a user, as both flavours of tctl look largely identical to the outside world.

[Tener]

All in all it's a bit confusing confusing as a user, as both flavours of tctl look largely identical to the outside world.

Agreed. I think @capnspacehook may have the best idea of what needs fixing in this context.

[zmb3]

If it's a URL, should we use URLVar instead of StringVar?

[public-teleport-github-review-bot]

@tcsc See the table below for backport results.

Branch	Result
branch/v11	Failed
branch/v12	Failed
branch/v13	Create PR
branch/v14	Create PR