By default, new Coder deployments use a Coder-managed GitHub app to authenticate

users. We provide it for convenience, allowing you to experiment with Coder

without setting up your own GitHub OAuth app. Onceyouauthenticatewithit, you

users.

We provide it for convenience, allowingyouto experimentwithCoder

- Your GitHub user email

- Your GitHub organization membership

- Other metadata listed during the authentication flow

If you authenticate with it, you grant Coder server read access to your GitHub

user email and other metadata listed during the authentication flow.

This access is necessary for the Coder server to complete the authentication

process. To the best of our knowledge, Coder, the company, does not gain access

process.

To the best of our knowledge, Coder, the company, does not gain access

to this data by administering the GitHub app.

By default, only the admin user can sign up. To allow additional users to sign

up with GitHub, add the following environment variable:

To use the default configuration:

1.[Install the GitHub app](https://github.com/apps/coder/installations/select_target)

in any GitHub organization that you want to use with Coder.

To limit sign ups to members of specific GitHub organizations, set:

The default GitHub app requires[device flow](#device-flow) to authenticate.

This is enabled by default when using the default GitHub app.

If you disable device flow using`CODER_OAUTH2_GITHUB_DEVICE_FLOW=false`, it will be ignored.

1. By default, only the admin user can sign up.

To allow additional users to sign up with GitHub, add:

CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true

For production deployments, we recommend configuring your own GitHub OAuth app

as outlined below. The default is automatically disabled if you configure your

own app or set:

1. (Optional) If you want to limit sign-ups to specific GitHub organizations, set:

CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"

You can disable the default GitHub app by[configuring your own app](#step-1-configure-the-oauth-application-in-github)

or by adding the following environment variable to your[Coder server configuration](../../reference/cli/server.md#options):

CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE=false

GitHub will ask you for the following Coder parameters:

1.GitHub will ask you for the following Coder parameters:

-**Homepage URL**: Set to your Coderdeployments

[`CODER_ACCESS_URL`](../../reference/cli/server.md#--access-url) (e.g.

`https://coder.domain.com`)

-**User Authorization Callback URL**: Set to`https://coder.domain.com`

-**Homepage URL**: Set to your Coderdeployment's

[`CODER_ACCESS_URL`](../../reference/cli/server.md#--access-url) (e.g.

`https://coder.domain.com`)

-**User Authorization Callback URL**: Set to`https://coder.domain.com`

If you want to allow multiple Coder deployments hosted on subdomains, such as

`coder1.domain.com`,`coder2.domain.com`, to authenticate with the

same GitHub OAuth app, then you can set**User Authorization Callback URL** to

the`https://domain.com`

If you want to allow multiple Coder deployments hosted on subdomains, such as

`coder1.domain.com`,`coder2.domain.com`, to authenticate with the

same GitHub OAuth app, then you can set**User Authorization Callback URL** to

the`https://domain.com`

Take note of the Client ID and Client Secret generated by GitHub. You will use these

values in the next step.

1.Take note of the Client ID and Client Secret generated by GitHub.

You will use thesevalues in the next step.

Coder will need permission to access user email addresses. Find the "Account

Permissions" settings for your app and select "read-only" for "Email addresses".

1. Coder needs permission to access user email addresses.

Find the**Account Permissions** settings for your app and select**read-only** for**Email addresses**.

Navigate to your Coder host and run the following command to start up the Coder

server:

Go to your Coder host and run the following command to start up the Coder server:

coder server --oauth2-github-allow-signups=true --oauth2-github-allowed-orgs="your-org" --oauth2-github-client-id="8d1...e05" --oauth2-github-client-secret="57ebc9...02c24c"

same result as the command above by adding the following environment variables

to the`/etc/coder.d/coder.env` file:

CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true

CODER_OAUTH2_GITHUB_ALLOWED_ORGS="your-org"

CODER_OAUTH2_GITHUB_CLIENT_ID="8d1...e05"

helm upgrade<release-name> coder-v2/coder -n<namespace> -f values.yaml

We recommend requiring and auditing MFA usage for all users in your GitHub

organizations. This can be enforced from the organization settings page in the

"Authentication security" sidebar tab.

We recommend requiring and auditing MFA usage for all users in your GitHub organizations.

This can be enforced from the organization settings page in the**Authentication security** sidebar tab.

Coder supports

[device flow](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow)

for GitHub OAuth. This is enabled by default for the default GitHub app and cannot be disabled

for that app. For your own customGitHubOAuthapp, you can enable device flow by setting:

for GitHub OAuth.

This is enabled by default for the defaultGitHub app and cannot be disabled for that app.

For your own custom GitHub OAuth app, you can enable device flow by setting:

CODER_OAUTH2_GITHUB_DEVICE_FLOW=true

Device flow is optional for custom GitHub OAuth apps. We generally recommend using

the standard OAuth flow instead, as it is more convenient for end users.

Device flow is optional for custom GitHub OAuth apps.

We generally recommend usingthe standard OAuth flow instead, as it is more convenient for end users.