GitHub
Config Options
Flag | Toml Field | Type | Description | Default |
---|---|---|---|---|
--github-org | github_org | string | restrict logins to members of this organisation | |
--github-team | github_team | string | restrict logins to members of any of these teams (slug) or (org:team), comma separated | |
--github-repo | github_repo | string | restrict logins to collaborators of this repository formatted as orgname/repo | |
--github-token | github_token | string | the token to use when verifying repository collaborators (must have push access to the repository) | |
--github-user | github_users | string | list | To allow users to login by username even if they do not belong to the specified org and team or collaborators |
Usage
- Create a new project: https://github.com/settings/developers
- Under
Authorization callback URL
enter the correct url iehttps://internal.yourcompany.com/oauth2/callback
The GitHub auth provider supports two additional ways to restrict authentication to either organization and optional
team level access, or to collaborators of a repository. Restricting by these options is normally accompanied with --email-domain=*
. Additionally, all the organizations and teams a user belongs to are set as part of the X-Forwarded-Groups
header. e.g. org1:team1,org1:team2,org2:team1
NOTE: When --github-user
is set, the specified users are allowed to log in even if they do not belong to the specified
org and team or collaborators.
To restrict access to your organization:
# restrict logins to members of this organisation
--github-org="your-org"
To restrict access to specific teams within an organization:
--github-org="your-org"
# restrict logins to members of any of these teams (slug), comma separated
--github-team="team1,team2,team3"
To restrict to teams within different organizations, keep the organization flag empty and use --github-team
like so:
# keep empty
--github-org=""
# restrict logins to members to any of the following teams (format <org>:<slug>, like octo:team1), comma separated
--github-team="org1:team1,org2:team1,org3:team42,octo:cat"
If you would rather restrict access to collaborators of a repository, those users must either have push access to a public repository or any access to a private repository:
# restrict logins to collaborators of this repository formatted as orgname/repo
--github-repo=""
If you'd like to allow access to users with read only access to a public repository you will need to provide a
token for a user that has write access to the repository. The token must be
created with at least the public_repo
scope:
# the token to use when verifying repository collaborators
--github-token=""
To allow a user to log in with their username even if they do not belong to the specified org and team or collaborators:
# allow logins by username, comma separated
--github-user=""
If you are using GitHub enterprise, make sure you set the following to the appropriate url:
--login-url="http(s)://<enterprise github host>/login/oauth/authorize"
--redeem-url="http(s)://<enterprise github host>/login/oauth/access_token"
--validate-url="http(s)://<enterprise github host>/api/v3"