GitHub auth

A Concourse server can authenticate against GitHub to leverage their permission model and other security improvements in their infrastructure.


First, you'll need to create an OAuth application on GitHub.

The "Authorization callback URL" must be the URL of your Concourse server. This address must be reachable by GitHub - it can't be localhost.

For example, Concourse's own CI server's callback URL would be:


You will be given a Client ID and a Client Secret for your new application. The client ID and secret must then be configured on the web node by setting the following env:


Note that the client must be created under an organization if you want to authorize users based on organization/team membership. In addition, the GitHub application must have at least read access on the organization's members. If the client is created under a personal account, only individual users can be authorized.

If you're configuring GitHub Enterprise, you'll also need to set the following env:


The GitHub Enterprise host must not contain a scheme, or a trailing slash.


Users, teams, and entire organizations can be authorized for a team by passing the following flags to fly set-team:


Authorize an individual user.


Authorize an entire organization's members.


Authorize a team's members within an organization.

For example:

$ fly set-team -n my-team \
    --github-user my-github-login \
    --github-org my-org \
    --github-team my-other-org:my-team

...or via --config for setting user roles:

- name: member
    users: ["my-github-login"]
    orgs: ["my-org"]
    teams: ["my-other-org:my-team"]

Configuring main Team Authorization

GitHub users, teams, and organizations can be added to the main team authorization config by setting the following env on the web node:


Multiple orgs, teams, and users may be specified by comma-separating them.