GitHub sign-in

Optional GitHub OAuth sign-in for self-hosted Proliferate.

GitHub sign-in is optional. A base install needs no OAuth app at all: email and password is the default. Configure the two variables below and the desktop sign-in screen adds a GitHub button (the app learns about it from the GET /auth/desktop/methods probe).

Info:

This OAuth app is not the GitHub App used by cloud sandboxes. The OAuth app signs users in; the GitHub App gives sandboxes repository access. They are separate registrations with separate credentials.

Set up

Create a GitHub OAuth app

In your GitHub organization (or user account), open Settings, then Developer settings, then OAuth Apps, and register a new OAuth app:

  • Homepage URL: your site address, https://<site>
  • Authorization callback URL: exactly https://<site>/auth/desktop/github/callback

Screenshot: GitHub, Register a new OAuth application form

The new OAuth app form with the homepage URL and the /auth/desktop/github/callback authorization callback URL filled in.

Generate a client secret

On the new app's page, generate a client secret and copy it together with the client ID.

Screenshot: GitHub OAuth app page with client ID and a freshly generated client secret

The OAuth app settings page showing the client ID and the generate-a-new-client-secret section.

Configure the server

Set both values in .env.static in your deploy bundle:

# .env.static
GITHUB_OAUTH_CLIENT_ID=Ov23liabc123...
GITHUB_OAUTH_CLIENT_SECRET=...

Apply with ./update.sh (or restart the stack with your usual Compose commands).

Verify

Confirm the server now advertises GitHub sign-in:

curl -fsS https://proliferate.company.com/auth/desktop/methods
# {"password_login": true, "github": true}

Then restart a desktop app pointed at your server: the sign-in screen shows the GitHub button. The first successful sign-in confirms the callback URL and credentials are wired correctly.

Screenshot: Desktop sign-in screen with the GitHub button against a self-hosted server

The desktop sign-in screen after GitHub OAuth is configured, showing the GitHub sign-in button.

Who GitHub sign-in admits

Warning:

GitHub sign-in is not gated by invitations. Any GitHub account that completes OAuth against your server gets a member account in your instance organization; a GitHub account whose email matches an existing account is linked to it instead. The invitation allowlist and ALLOWED_EMAIL_DOMAINS gate only email and password registration. If you want strictly invitation-only access, leave GitHub sign-in unconfigured.

The ADMIN_EMAILS admin floor applies to GitHub sign-ins like any other: it is asserted at every login, so listed emails hold at least the admin role no matter which method they used. See Email & password for the full semantics.

On this page