coder/docs/admin/users/github-auth.md
Edward Angert f475555d06 docs: document that default GitHub app requires device flow (#17162)
## Issue

Closes #16824

Document that the default GitHub authentication app provided by Coder
requires device flow, and that this behavior cannot be overridden.

## Changes Made

Claude updated the GitHub authentication documentation to:

1. Add a prominent warning in the Default Configuration section
explaining that the default GitHub app requires device flow and ignores
the `CODER_OAUTH2_GITHUB_DEVICE_FLOW` setting
2. Clarify the Device Flow section to indicate that:
   - Device flow is always enabled for the default GitHub app
   - Device flow is optional for custom GitHub OAuth apps
   - The `CODER_OAUTH2_GITHUB_DEVICE_FLOW` setting is ignored when using
     the default app


[preview](https://coder.com/docs/@16824-github-device-flow/admin/users/github-auth)

<sub>🤖 Generated with [Claude Code](https://claude.ai/code)</sub>

---------

Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: M Atif Ali <atif@coder.com>
2025-04-05 21:44:13 -04:00


# GitHub

## Default Configuration

By default, new Coder deployments use a Coder-managed GitHub app to authenticate
users. We provide it for convenience, allowing you to experiment with Coder
without setting up your own GitHub OAuth app. Once you authenticate with it, you
grant the Coder server read access to:

- Your GitHub user email
- Your GitHub organization membership
- Other metadata listed during the authentication flow

This access is necessary for the Coder server to complete the authentication
process. To the best of our knowledge, Coder, the company, does not gain access
to this data by administering the GitHub app.

> [!IMPORTANT]
> The default GitHub app always authenticates with [device flow](#device-flow).
> Setting `CODER_OAUTH2_GITHUB_DEVICE_FLOW=false` has no effect on the default
> app; the setting is ignored.

By default, only the admin user can sign up. To allow additional users to sign
up with GitHub, add the following environment variable:

```env
CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
```

To limit sign-ups to members of specific GitHub organizations, set:

```env
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"
```

For production deployments, we recommend configuring your own GitHub OAuth app
as outlined below. The default app is automatically disabled if you configure
your own app or set:

```env
CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE=false
```
## Step 1: Configure the OAuth application in GitHub

First,
[register a GitHub OAuth app](https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app/).
GitHub will ask you for the following Coder parameters:

- **Homepage URL**: Set to your Coder deployment's
  [`CODER_ACCESS_URL`](../../reference/cli/server.md#--access-url) (e.g.
  `https://coder.domain.com`)
- **User Authorization Callback URL**: Set to `https://coder.domain.com`

If you want to allow multiple Coder deployments hosted on subdomains, such as
`coder1.domain.com` and `coder2.domain.com`, to authenticate with the same
GitHub OAuth app, you can set **User Authorization Callback URL** to
`https://domain.com`. This lets any host under `domain.com` receive
authorization codes for the app, so only do it when you control every subdomain.

Take note of the Client ID and Client Secret generated by GitHub. You will use
these values in the next step.

Coder will need permission to access user email addresses. Find the "Account
Permissions" settings for your app and select "read-only" for "Email addresses".
## Step 2: Configure Coder with the OAuth credentials

Navigate to your Coder host and run the following command to start up the Coder
server:

```shell
coder server --oauth2-github-allow-signups=true --oauth2-github-allowed-orgs="your-org" --oauth2-github-client-id="8d1...e05" --oauth2-github-client-secret="57ebc9...02c24c"
```

> [!NOTE]
> For GitHub Enterprise support, specify the `--oauth2-github-enterprise-base-url` flag.

Passing the client secret as a command-line flag exposes it to any local user
who can list processes, so use this form only for testing and prefer the
environment file below for a running deployment.

Alternatively, if you are running Coder as a system service, you can achieve the
same result as the command above by adding the following environment variables
to the `/etc/coder.d/coder.env` file:

```env
CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"
CODER_OAUTH2_GITHUB_CLIENT_ID="8d1...e05"
CODER_OAUTH2_GITHUB_CLIENT_SECRET="57ebc9...02c24c"
```

> [!TIP]
> To allow everyone to sign up using GitHub, set:
>
> ```env
> CODER_OAUTH2_GITHUB_ALLOW_EVERYONE=true
> ```
>
> This admits any GitHub account, so do not combine it with
> `CODER_OAUTH2_GITHUB_ALLOWED_ORGS`; use one or the other.

Once complete, run `sudo service coder restart` to restart Coder.
If deploying Coder via Helm, you can set the above environment variables in the
`values.yaml` file as such:

```yaml
coder:
  env:
    - name: CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS
      value: "true"
    - name: CODER_OAUTH2_GITHUB_CLIENT_ID
      value: "533...des"
    - name: CODER_OAUTH2_GITHUB_CLIENT_SECRET
      value: "G0CSP...7qSM"
    # If setting allowed orgs, comment out CODER_OAUTH2_GITHUB_ALLOW_EVERYONE and its value
    - name: CODER_OAUTH2_GITHUB_ALLOWED_ORGS
      value: "your-org"
    # If allowing everyone, comment out CODER_OAUTH2_GITHUB_ALLOWED_ORGS and its value
    #- name: CODER_OAUTH2_GITHUB_ALLOW_EVERYONE
    #  value: "true"
```

To upgrade Coder, run:

```shell
helm upgrade <release-name> coder-v2/coder -n <namespace> -f values.yaml
```

We recommend requiring and auditing MFA usage for all users in your GitHub
organizations. This can be enforced from the organization settings page in the
"Authentication security" sidebar tab.
## Device Flow

Coder supports
[device flow](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow)
for GitHub OAuth. It is always enabled for the default GitHub app and cannot be
disabled for that app. For your own GitHub OAuth app, device flow is optional;
enable it by setting:

```env
CODER_OAUTH2_GITHUB_DEVICE_FLOW=true
```

For custom apps we generally recommend the standard redirect-based OAuth flow
instead: it is more convenient for end users, and device flow carries a known
remote-phishing caveat (RFC 8628, section 5.4), since a user who is handed a
device code can be tricked into approving a session that an attacker started.

> [!NOTE]
> If you're using the default GitHub app, device flow is always enabled regardless of
> the `CODER_OAUTH2_GITHUB_DEVICE_FLOW` setting.
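The following shell script is an added example and is not part of Coder or its
documentation. It lints the GitHub OAuth settings in a `coder.env` file before
you restart the server, covering both the Step 2 configuration and the device
flow rules above: a client ID without its secret, `CODER_OAUTH2_GITHUB_ALLOW_EVERYONE`
together with `CODER_OAUTH2_GITHUB_ALLOWED_ORGS`, `CODER_OAUTH2_GITHUB_DEVICE_FLOW=false`
while the default app is still in use, and an env file readable by other local
users. Only the variable names documented on this page are used; the
`env_get` and `lint_github_oauth` function names and the sample file contents
are this example's own constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of Coder: lint the GitHub OAuth settings in a
# coder.env file before restarting the server. Only the variable names
# documented on this page are checked; everything else is this script's own.

# env_get FILE KEY: print the last value assigned to KEY in FILE, with
# surrounding double quotes removed. Prints nothing when KEY is absent.
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed -e 's/^"//' -e 's/"$//'
}

# lint_github_oauth FILE: print ERROR/WARN/INFO findings, one per line.
# Returns 1 if any ERROR was found, 0 otherwise.
lint_github_oauth() {
    f=$1
    errors=0
    client_id=$(env_get "$f" CODER_OAUTH2_GITHUB_CLIENT_ID)
    client_secret=$(env_get "$f" CODER_OAUTH2_GITHUB_CLIENT_SECRET)
    default_enable=$(env_get "$f" CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE)
    allow_everyone=$(env_get "$f" CODER_OAUTH2_GITHUB_ALLOW_EVERYONE)
    allowed_orgs=$(env_get "$f" CODER_OAUTH2_GITHUB_ALLOWED_ORGS)
    device_flow=$(env_get "$f" CODER_OAUTH2_GITHUB_DEVICE_FLOW)

    # A custom app needs both halves of the credential pair.
    if { [ -n "$client_id" ] && [ -z "$client_secret" ]; } ||
       { [ -z "$client_id" ] && [ -n "$client_secret" ]; }; then
        echo "ERROR: CLIENT_ID and CLIENT_SECRET must be set together"
        errors=$((errors + 1))
    fi

    # No client ID means the Coder-managed default app, unless it was disabled.
    if [ -z "$client_id" ]; then
        if [ "$default_enable" = "false" ]; then
            echo "WARN: default app disabled and no custom app configured; GitHub login is unavailable"
        else
            echo "INFO: Coder-managed default GitHub app in use; configure your own app for production"
            if [ "$device_flow" = "false" ]; then
                echo "WARN: DEVICE_FLOW=false is ignored for the default app; device flow is always used"
            fi
        fi
    fi

    # ALLOW_EVERYONE opens sign-up to any GitHub account and conflicts with an org allow-list.
    if [ "$allow_everyone" = "true" ]; then
        echo "WARN: ALLOW_EVERYONE=true lets any GitHub account sign up"
        if [ -n "$allowed_orgs" ]; then
            echo "ERROR: ALLOW_EVERYONE and ALLOWED_ORGS are both set; keep only one"
            errors=$((errors + 1))
        fi
    fi

    # The client secret sits in plain text in this file; keep it unreadable to others.
    case "$(ls -ld "$f" | cut -c8)" in
        r) echo "WARN: $f is world-readable and may contain the client secret" ;;
    esac

    [ "$errors" -eq 0 ]
}

# Stand-alone demo on a constructed file (placeholder values, not real credentials).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/coder.env" <<'EOF'
CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"
CODER_OAUTH2_GITHUB_ALLOW_EVERYONE=true
CODER_OAUTH2_GITHUB_DEVICE_FLOW=false
EOF
    chmod 600 "$tmp/coder.env"
    if lint_github_oauth "$tmp/coder.env"; then
        echo "OK: no blocking errors"
    else
        echo "FAIL: fix the errors above before restarting coder"
    fi
    rm -rf "$tmp"
}

demo
```

Run it as `lint_github_oauth /etc/coder.d/coder.env` from a shell that has
sourced the script, and gate `sudo service coder restart` on its exit status.
The file-permission check reads only the "other" read bit from `ls -ld`, which
is enough to catch the common mistake of leaving the env file at mode 644.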