This topic describes how to configure your team's authentication using GitHub Authentication.
Continuous integration servers often contain many secrets that let them access source code and deploy apps. It is important that those secrets remain well guarded. Concourse provides options for both authentication and authorization to give you control over who can access your server and how much they can see.
Any number of the following providers can be enabled at any one time. Users are given a choice when logging in as to which one they want to use.
!!! note ""
    Note: If you access your Concourse server over the public internet, then consider using TLS to secure your connection to the web node.
Configuring team authentication in Concourse is done in two parts:
fly set-team. See Add Users and Groups to Teams below.
A Concourse server can authenticate against GitHub to take advantage of their permission model and other security improvements in their infrastructure. To do this, you need to:
You can create an OAuth app on GitHub. To do this, see Register a new OAuth app in GitHub.
The callback URL is the external URL of your Concourse server with `/sky/issuer/callback` appended. For example, Concourse's own CI server's callback URL is
!!! note ""
    Note: The app must be created under an org if you want to authorize users based on org/team membership. If the app is created under a personal account, only individual users can be authorized.
GitHub provides a Client ID and a Client Secret for the new app. Supply this information in the
client_secret fields. For more information about these fields, see github_auth in the BOSH documentation.
Add GitHub users, teams, or orgs to a Concourse team.
- `--github-user=LOGIN` to authorize an individual user.
- `--github-org=ORG-NAME` to authorize an entire org's members.
- `--github-team=ORG-NAME:TEAM-NAME` to authorize a team's members within an organization.
```
$ fly set-team -n my-team \
    --github-user my-github-login \
    --github-org my-org \
    --github-team "my-org:my-team 1"
```
!!! note ""
    Note: `:` is used as the separator when adding GitHub teams instead of `/`. If multiple teams are added, the flag must be repeated.

    ```
    --github-team "my-org:my-team 1"
    --github-team "my-org:my-team 2"
    ```
The output is similar to the following:
```
name  users        groups
main  github:User  github:Organization
```
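The callback URL rule and the `--github-team` rules above (`:` as separator, one flag per team) can be checked before the command is run. The following is an added example, not code from Concourse or from this documentation; the function names, the `FLY` override variable, the HTTPS-only policy and the `ci.example.test` host are assumptions of the example.

```shell
# Added example: pre-flight checks for the values described on this page.
# Hypothetical helper names; FLY may point at a different fly binary.

# callback_url EXTERNAL_URL
# Print the callback URL to register for the GitHub OAuth app: the external
# URL with /sky/issuer/callback appended. This example's policy (an
# assumption, stricter than the page) is to refuse anything but https.
callback_url() {
  local url="${1%/}"   # drop a trailing slash so the path is not "//sky/..."
  case "$url" in
    https://?*) printf '%s/sky/issuer/callback\n' "$url" ;;
    *) echo "refusing non-HTTPS external URL: $1" >&2; return 1 ;;
  esac
}

# set_github_teams CONCOURSE_TEAM ORG:TEAM [ORG:TEAM ...]
# Validate every GitHub team argument, then call fly once with one
# --github-team flag per team. Nothing is sent if any argument is malformed.
set_github_teams() {
  local team="$1" n t
  shift
  n=$#
  [ "$n" -gt 0 ] || { echo "no GitHub teams given" >&2; return 1; }
  for t in "$@"; do
    case "$t" in
      */*)         echo "use ORG:TEAM, not ORG/TEAM: $t" >&2; return 1 ;;
      *:*:*|:*|*:) echo "expected exactly ORG:TEAM: $t" >&2; return 1 ;;
      *:*)         set -- "$@" --github-team "$t" ;;  # flag repeated per team
      *)           echo "missing ORG: prefix: $t" >&2; return 1 ;;
    esac
  done
  shift "$n"   # drop the raw arguments, keep only the flag pairs
  # Same invocation form as the page's example; names with spaces stay intact.
  "${FLY:-fly}" set-team -n "$team" "$@"
}

# Usage (constructed values):
#   callback_url https://ci.example.test
#   set_github_teams my-team "my-org:my-team 1" "my-org:my-team 2"
```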