synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-12 00:14:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: update the GitHub Auth section (#17769)

Browse Source 
Addresses https://github.com/coder/coder/issues/17752


[preview](https://coder.com/docs/@hugodutka%2Fgithub%2Dauth%2Dorg%2Ddocs/admin/users/github-auth)

---------

Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Edward Angert <EdwardAngert@users.noreply.github.com>
This commit is contained in:
Hugo Dutka
2025-05-29 17:38:45 +02:00
committed by GitHub
parent 177bda3187
commit 345001ffd1
1 changed files with 73 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

134
docs/admin/users/github-auth.md
View File

@ -1,80 +1,91 @@
# GitHub # GitHub
By default, new Coder deployments use a Coder-managed GitHub app to authenticate
users.
We provide it for convenience, allowing you to experiment with Coder
without setting up your own GitHub OAuth app.
If you authenticate with it, you grant Coder server read access to your GitHub
user email and other metadata listed during the authentication flow.
This access is necessary for the Coder server to complete the authentication
process.
To the best of our knowledge, Coder, the company, does not gain access
to this data by administering the GitHub app.
## Default Configuration ## Default Configuration
By default, new Coder deployments use a Coder-managed GitHub app to authenticate
users. We provide it for convenience, allowing you to experiment with Coder
without setting up your own GitHub OAuth app. Once you authenticate with it, you
grant Coder server read access to:
- Your GitHub user email
- Your GitHub organization membership
- Other metadata listed during the authentication flow
This access is necessary for the Coder server to complete the authentication
process. To the best of our knowledge, Coder, the company, does not gain access
to this data by administering the GitHub app.
> [!IMPORTANT] > [!IMPORTANT]
> The default GitHub app requires [device flow](#device-flow) to authenticate. > Installation of the default GitHub app grants Coder (the company) access to your organization's GitHub data.
> This is enabled by default when using the default GitHub app. If you disable >
> device flow using `CODER_OAUTH2_GITHUB_DEVICE_FLOW=false`, it will be ignored. > For production environments, we strongly recommend that you
> [configure your own GitHub OAuth app](#step-1-configure-the-oauth-application-in-github)
> to ensure that your data is not shared with Coder (the company).
By default, only the admin user can sign up. To allow additional users to sign To use the default configuration:
up with GitHub, add the following environment variable:
```env 1. [Install the GitHub app](https://github.com/apps/coder/installations/select_target)
CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true in any GitHub organization that you want to use with Coder.
```
To limit sign ups to members of specific GitHub organizations, set: The default GitHub app requires [device flow](#device-flow) to authenticate.
This is enabled by default when using the default GitHub app.
If you disable device flow using `CODER_OAUTH2_GITHUB_DEVICE_FLOW=false`, it will be ignored.
```env 1. By default, only the admin user can sign up.
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org" To allow additional users to sign up with GitHub, add:
```
For production deployments, we recommend configuring your own GitHub OAuth app ```shell
as outlined below. The default is automatically disabled if you configure your CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
own app or set: ```
```env 1. (Optional) If you want to limit sign-ups to specific GitHub organizations, set:
```shell
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"
```
## Disable the Default GitHub App
You can disable the default GitHub app by [configuring your own app](#step-1-configure-the-oauth-application-in-github)
or by adding the following environment variable to your [Coder server configuration](../../reference/cli/server.md#options):
```shell
CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE=false CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE=false
``` ```
> [!NOTE] > [!NOTE]
> After you disable the default GitHub provider with the setting above, the > After you disable the default GitHub provider, the **Sign in with GitHub** button
> **Sign in with GitHub** button might still appear on your login page even though > might still appear on your login page even though the authentication flow is disabled.
> the authentication flow is disabled.
> >
> To completely hide the GitHub sign-in button, you must both disable the default > To completely hide the GitHub sign-in button, you must disable the default provider
> provider and ensure you don't have a custom GitHub OAuth app configured. > and ensure you don't have a custom GitHub OAuth app configured.
## Step 1: Configure the OAuth application in GitHub ## Step 1: Configure the OAuth application in GitHub
First, 1. [Register a GitHub OAuth app](https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app/).
[register a GitHub OAuth app](https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app/).
GitHub will ask you for the following Coder parameters:
- **Homepage URL**: Set to your Coder deployments 1. GitHub will ask you for the following Coder parameters:
[`CODER_ACCESS_URL`](../../reference/cli/server.md#--access-url) (e.g.
`https://coder.domain.com`)
- **User Authorization Callback URL**: Set to `https://coder.domain.com`
If you want to allow multiple Coder deployments hosted on subdomains, such as - **Homepage URL**: Set to your Coder deployment's
`coder1.domain.com`, `coder2.domain.com`, to authenticate with the [`CODER_ACCESS_URL`](../../reference/cli/server.md#--access-url) (e.g.
same GitHub OAuth app, then you can set **User Authorization Callback URL** to `https://coder.domain.com`)
the `https://domain.com` - **User Authorization Callback URL**: Set to `https://coder.domain.com`
Take note of the Client ID and Client Secret generated by GitHub. You will use these If you want to allow multiple Coder deployments hosted on subdomains, such as
values in the next step. `coder1.domain.com`, `coder2.domain.com`, to authenticate with the
same GitHub OAuth app, then you can set **User Authorization Callback URL** to
the `https://domain.com`
Coder will need permission to access user email addresses. Find the "Account 1. Take note of the Client ID and Client Secret generated by GitHub.
Permissions" settings for your app and select "read-only" for "Email addresses". You will use these values in the next step.
1. Coder needs permission to access user email addresses.
Find the **Account Permissions** settings for your app and select **read-only** for **Email addresses**.
## Step 2: Configure Coder with the OAuth credentials ## Step 2: Configure Coder with the OAuth credentials
Navigate to your Coder host and run the following command to start up the Coder Go to your Coder host and run the following command to start up the Coder server:
server:
```shell ```shell
coder server --oauth2-github-allow-signups=true --oauth2-github-allowed-orgs="your-org" --oauth2-github-client-id="8d1...e05" --oauth2-github-client-secret="57ebc9...02c24c" coder server --oauth2-github-allow-signups=true --oauth2-github-allowed-orgs="your-org" --oauth2-github-client-id="8d1...e05" --oauth2-github-client-secret="57ebc9...02c24c"
@ -87,7 +98,7 @@ Alternatively, if you are running Coder as a system service, you can achieve the
same result as the command above by adding the following environment variables same result as the command above by adding the following environment variables
to the `/etc/coder.d/coder.env` file: to the `/etc/coder.d/coder.env` file:
```env ```shell
CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org" CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"
CODER_OAUTH2_GITHUB_CLIENT_ID="8d1...e05" CODER_OAUTH2_GITHUB_CLIENT_ID="8d1...e05"
@ -97,7 +108,7 @@ CODER_OAUTH2_GITHUB_CLIENT_SECRET="57ebc9...02c24c"
> [!TIP] > [!TIP]
> To allow everyone to sign up using GitHub, set: > To allow everyone to sign up using GitHub, set:
> >
> ```env > ```shell
> CODER_OAUTH2_GITHUB_ALLOW_EVERYONE=true > CODER_OAUTH2_GITHUB_ALLOW_EVERYONE=true
> ``` > ```
@ -129,23 +140,24 @@ To upgrade Coder, run:
helm upgrade <release-name> coder-v2/coder -n <namespace> -f values.yaml helm upgrade <release-name> coder-v2/coder -n <namespace> -f values.yaml
``` ```
We recommend requiring and auditing MFA usage for all users in your GitHub We recommend requiring and auditing MFA usage for all users in your GitHub organizations.
organizations. This can be enforced from the organization settings page in the This can be enforced from the organization settings page in the **Authentication security** sidebar tab.
"Authentication security" sidebar tab.
## Device Flow ## Device Flow
Coder supports Coder supports
[device flow](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow) [device flow](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow)
for GitHub OAuth. This is enabled by default for the default GitHub app and cannot be disabled for GitHub OAuth.
for that app. For your own custom GitHub OAuth app, you can enable device flow by setting: This is enabled by default for the default GitHub app and cannot be disabled for that app.
```env For your own custom GitHub OAuth app, you can enable device flow by setting:
```shell
CODER_OAUTH2_GITHUB_DEVICE_FLOW=true CODER_OAUTH2_GITHUB_DEVICE_FLOW=true
``` ```
Device flow is optional for custom GitHub OAuth apps. We generally recommend using Device flow is optional for custom GitHub OAuth apps.
the standard OAuth flow instead, as it is more convenient for end users. We generally recommend using the standard OAuth flow instead, as it is more convenient for end users.
> [!NOTE] > [!NOTE]
> If you're using the default GitHub app, device flow is always enabled regardless of > If you're using the default GitHub app, device flow is always enabled regardless of