
GitHub Authentication

By default, new Coder deployments use a Coder-managed GitHub app to authenticate users. We provide it for convenience, allowing you to experiment with Coder without setting up your own GitHub OAuth app.

If you authenticate with it, you grant Coder server read access to your GitHub user email and other metadata listed during the authentication flow.

This access is necessary for the Coder server to complete the authentication process. To the best of our knowledge, Coder, the company, does not gain access to this data by administering the GitHub app.

Default Configuration

Important

Installation of the default GitHub app grants Coder (the company) access to your organization's GitHub data.

For production environments, we strongly recommend that you configure your own GitHub OAuth app to ensure that your data is not shared with Coder (the company).

To use the default configuration:

  1. Install the GitHub app in any GitHub organization that you want to use with Coder.

    The default GitHub app requires device flow to authenticate. This is enabled by default when using the default GitHub app. If you disable device flow using CODER_OAUTH2_GITHUB_DEVICE_FLOW=false, it will be ignored.

  2. By default, only the admin user can sign up. To allow additional users to sign up with GitHub, add:

    CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true

  3. (Optional) If you want to limit sign-ups to specific GitHub organizations, set:

    CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"

Disable the Default GitHub App

You can disable the default GitHub app by configuring your own app or by adding the following environment variable to your Coder server configuration:

CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE=false

Note

After you disable the default GitHub provider, the Sign in with GitHub button might still appear on your login page even though the authentication flow is disabled.

To completely hide the GitHub sign-in button, you must disable the default provider and ensure you don't have a custom GitHub OAuth app configured.

Step 1: Configure the OAuth application in GitHub

  1. Register a GitHub OAuth app.

  2. GitHub will ask you for the following Coder parameters:

    • Homepage URL: Set to your Coder deployment's CODER_ACCESS_URL (e.g. https://coder.domain.com)

    • User Authorization Callback URL: Set to https://coder.domain.com

      If you want to allow multiple Coder deployments hosted on subdomains, such as coder1.domain.com, coder2.domain.com, to authenticate with the same GitHub OAuth app, then you can set User Authorization Callback URL to https://domain.com

  3. Take note of the Client ID and Client Secret generated by GitHub. You will use these values in the next step.

  4. Coder needs permission to access user email addresses.

    Find the Account Permissions settings for your app and select read-only for Email addresses.

Step 2: Configure Coder with the OAuth credentials

Go to your Coder host and run the following command to start up the Coder server:

coder server --oauth2-github-allow-signups=true --oauth2-github-allowed-orgs="your-org" --oauth2-github-client-id="8d1...e05" --oauth2-github-client-secret="57ebc9...02c24c"

Note

For GitHub Enterprise support, specify the --oauth2-github-enterprise-base-url flag.

Alternatively, if you are running Coder as a system service, you can achieve the same result as the command above by adding the following environment variables to the /etc/coder.d/coder.env file:

CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"
CODER_OAUTH2_GITHUB_CLIENT_ID="8d1...e05"
CODER_OAUTH2_GITHUB_CLIENT_SECRET="57ebc9...02c24c"

Tip

To allow everyone to sign up using GitHub, set:

CODER_OAUTH2_GITHUB_ALLOW_EVERYONE=true

Once complete, run sudo service coder restart to reboot Coder.

If deploying Coder via Helm, you can set the above environment variables in the values.yaml file as such:

coder:
  env:
    - name: CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS
      value: "true"
    - name: CODER_OAUTH2_GITHUB_CLIENT_ID
      value: "533...des"
    - name: CODER_OAUTH2_GITHUB_CLIENT_SECRET
      value: "G0CSP...7qSM"
    # If setting allowed orgs, comment out CODER_OAUTH2_GITHUB_ALLOW_EVERYONE and its value
    - name: CODER_OAUTH2_GITHUB_ALLOWED_ORGS
      value: "your-org"
    # If allowing everyone, comment out CODER_OAUTH2_GITHUB_ALLOWED_ORGS and its value
    #- name: CODER_OAUTH2_GITHUB_ALLOW_EVERYONE
    #  value: "true"

To upgrade Coder, run:

helm upgrade <release-name> coder-v2/coder -n <namespace> -f values.yaml

We recommend requiring and auditing MFA usage for all users in your GitHub organizations. This can be enforced from the organization settings page in the Authentication security sidebar tab.

Device Flow

Coder supports device flow for GitHub OAuth. This is enabled by default for the default GitHub app and cannot be disabled for that app.

For your own custom GitHub OAuth app, you can enable device flow by setting:

CODER_OAUTH2_GITHUB_DEVICE_FLOW=true

Device flow is optional for custom GitHub OAuth apps. We generally recommend using the standard OAuth flow instead, as it is more convenient for end users.

Note

If you're using the default GitHub app, device flow is always enabled regardless of the CODER_OAUTH2_GITHUB_DEVICE_FLOW setting.
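
As an added example (not part of Coder's documentation or code), the script below lints an env file such as /etc/coder.d/coder.env for the interactions this page describes: the default app still being in use, a device-flow setting that will be ignored, an incomplete custom app, and allow-everyone set alongside an org allowlist. The function names and finding codes are this example's own, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: lint a Coder env file for the GitHub auth settings on this page.
# Finding codes are this example's own labels, not Coder output.

# get_var FILE NAME: print the last value assigned to NAME, outer quotes stripped.
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# audit_coder_env FILE: print one finding code per line, nothing if clean.
audit_coder_env() {
    cid=$(get_var "$1" CODER_OAUTH2_GITHUB_CLIENT_ID)
    secret=$(get_var "$1" CODER_OAUTH2_GITHUB_CLIENT_SECRET)
    default=$(get_var "$1" CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE)
    device=$(get_var "$1" CODER_OAUTH2_GITHUB_DEVICE_FLOW)
    orgs=$(get_var "$1" CODER_OAUTH2_GITHUB_ALLOWED_ORGS)
    everyone=$(get_var "$1" CODER_OAUTH2_GITHUB_ALLOW_EVERYONE)

    # No custom app and default provider not disabled: the Coder-managed app is used.
    if [ -z "$cid" ] && [ "$default" != "false" ]; then
        echo DEFAULT_APP_IN_USE
        # The default app always uses device flow, so this setting is ignored.
        if [ "$device" = "false" ]; then echo DEVICE_FLOW_SETTING_IGNORED; fi
    fi
    # A custom app needs both the client ID and the client secret.
    if { [ -n "$cid" ] && [ -z "$secret" ]; } || { [ -z "$cid" ] && [ -n "$secret" ]; }; then
        echo CUSTOM_APP_INCOMPLETE
    fi
    if [ "$everyone" = "true" ]; then
        echo SIGNUP_OPEN_TO_EVERYONE
        # The page treats the org allowlist and allow-everyone as alternatives.
        if [ -n "$orgs" ]; then echo EVERYONE_AND_ALLOWED_ORGS_BOTH_SET; fi
    fi
    return 0
}

# Constructed sample input (placeholder values, no real credentials).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
CODER_OAUTH2_GITHUB_DEVICE_FLOW=false
CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"
CODER_OAUTH2_GITHUB_ALLOW_EVERYONE=true
EOF
audit_coder_env "$sample"
```

An empty result means none of these conditions were found in the file; it does not check values passed as command-line flags or through Helm.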
