GitHub Authentication
Default Configuration
By default, new Coder deployments use a Coder-managed GitHub app to authenticate users. We provide it for convenience, allowing you to experiment with Coder without setting up your own GitHub OAuth app. Once you authenticate with it, you grant Coder server read access to:
- Your GitHub user email
- Your GitHub organization membership
- Other metadata listed during the authentication flow
This access is necessary for the Coder server to complete the authentication process. To the best of our knowledge, Coder, the company, does not gain access to this data by administering the GitHub app.
By default, only the admin user can sign up. To allow additional users to sign up with GitHub, add the following environment variable:
CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
To limit sign ups to members of specific GitHub organizations, set:
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"
For production deployments, we recommend configuring your own GitHub OAuth app as outlined below. The default is automatically disabled if you configure your own app or set:
CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE=false
Step 1: Configure the OAuth application in GitHub
First, register a GitHub OAuth app. GitHub will ask you for the following Coder parameters:
- Homepage URL: Set to your Coder deployments
CODER_ACCESS_URL
(e.g.https://coder.domain.com
) - User Authorization Callback URL: Set to
https://coder.domain.com
If you want to allow multiple Coder deployments hosted on subdomains, such as
coder1.domain.com
, coder2.domain.com
, to authenticate with the
same GitHub OAuth app, then you can set User Authorization Callback URL to
the https://domain.com
Take note of the Client ID and Client Secret generated by GitHub. You will use these values in the next step.
Coder will need permission to access user email addresses. Find the "Account Permissions" settings for your app and select "read-only" for "Email addresses".
Step 2: Configure Coder with the OAuth credentials
Navigate to your Coder host and run the following command to start up the Coder server:
coder server --oauth2-github-allow-signups=true --oauth2-github-allowed-orgs="your-org" --oauth2-github-client-id="8d1...e05" --oauth2-github-client-secret="57ebc9...02c24c"
Note
For GitHub Enterprise support, specify the --oauth2-github-enterprise-base-url
flag.
Alternatively, if you are running Coder as a system service, you can achieve the
same result as the command above by adding the following environment variables
to the /etc/coder.d/coder.env
file:
CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"
CODER_OAUTH2_GITHUB_CLIENT_ID="8d1...e05"
CODER_OAUTH2_GITHUB_CLIENT_SECRET="57ebc9...02c24c"
Tip
To allow everyone to sign up using GitHub, set:
CODER_OAUTH2_GITHUB_ALLOW_EVERYONE=true
Once complete, run sudo service coder restart
to reboot Coder.
If deploying Coder via Helm, you can set the above environment variables in the
values.yaml
file as such:
coder:
env:
- name: CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS
value: "true"
- name: CODER_OAUTH2_GITHUB_CLIENT_ID
value: "533...des"
- name: CODER_OAUTH2_GITHUB_CLIENT_SECRET
value: "G0CSP...7qSM"
# If setting allowed orgs, comment out CODER_OAUTH2_GITHUB_ALLOW_EVERYONE and its value
- name: CODER_OAUTH2_GITHUB_ALLOWED_ORGS
value: "your-org"
# If allowing everyone, comment out CODER_OAUTH2_GITHUB_ALLOWED_ORGS and it's value
#- name: CODER_OAUTH2_GITHUB_ALLOW_EVERYONE
# value: "true"
To upgrade Coder, run:
helm upgrade <release-name> coder-v2/coder -n <namespace> -f values.yaml
We recommend requiring and auditing MFA usage for all users in your GitHub organizations. This can be enforced from the organization settings page in the "Authentication security" sidebar tab.
Device Flow
Coder supports device flow for GitHub OAuth. To enable it, set:
CODER_OAUTH2_GITHUB_DEVICE_FLOW=true
This is optional. We recommend using the standard OAuth flow instead, as it is more convenient for end users.