GitHub sign-in
Optional GitHub OAuth sign-in for self-hosted Proliferate.
GitHub sign-in is optional. A base install needs no OAuth app at all:
email and password is
the default. Configure the two variables below and the desktop sign-in screen
adds a GitHub button (the app learns about it from the
GET /auth/desktop/methods probe).
This OAuth app is not the GitHub App used by cloud sandboxes. The OAuth app signs users in; the GitHub App gives sandboxes repository access. They are separate registrations with separate credentials.
Set up
Create a GitHub OAuth app
In your GitHub organization (or user account), open Settings, then Developer settings, then OAuth Apps, and register a new OAuth app:
- Homepage URL: your site address,
https://<site> - Authorization callback URL: exactly
https://<site>/auth/desktop/github/callback
Screenshot: GitHub, Register a new OAuth application form
The new OAuth app form with the homepage URL and the /auth/desktop/github/callback authorization callback URL filled in.
Generate a client secret
On the new app's page, generate a client secret and copy it together with the client ID.
Screenshot: GitHub OAuth app page with client ID and a freshly generated client secret
The OAuth app settings page showing the client ID and the generate-a-new-client-secret section.
Configure the server
Set both values in .env.static in your deploy bundle:
Apply with ./update.sh (or restart the stack with your usual Compose
commands).
Verify
Confirm the server now advertises GitHub sign-in:
Then restart a desktop app pointed at your server: the sign-in screen shows the GitHub button. The first successful sign-in confirms the callback URL and credentials are wired correctly.
Screenshot: Desktop sign-in screen with the GitHub button against a self-hosted server
The desktop sign-in screen after GitHub OAuth is configured, showing the GitHub sign-in button.
Who GitHub sign-in admits
GitHub sign-in is not gated by invitations. Any GitHub account that completes
OAuth against your server gets a member account in your instance organization;
a GitHub account whose email matches an existing account is linked to it
instead. The invitation allowlist and ALLOWED_EMAIL_DOMAINS gate only email
and password registration. If you want strictly invitation-only access, leave
GitHub sign-in unconfigured.
The ADMIN_EMAILS admin floor applies to GitHub sign-ins like any other: it
is asserted at every login, so listed emails hold at least the admin role no
matter which method they used. See
Email & password for
the full semantics.