2021-01-29 00:20:46 +05:30
---
2022-07-16 23:28:13 +05:30
stage: Manage
group: Authentication and Authorization
2021-02-22 17:27:13 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2021-01-29 00:20:46 +05:30
---
2022-04-04 11:22:00 +05:30
# Use GitHub as an authentication provider **(FREE SELF)**
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
You can integrate your GitLab instance with GitHub.com and GitHub Enterprise.
You can import projects from GitHub, or sign in to GitLab
with your GitHub credentials.
2015-04-26 12:48:37 +05:30
2022-04-04 11:22:00 +05:30
## Create an OAuth app in GitHub
2021-04-17 20:07:23 +05:30
2022-04-04 11:22:00 +05:30
To enable the GitHub OmniAuth provider, you need an OAuth 2.0 client ID and client
secret from GitHub:
1. Sign in to GitHub.
1. [Create an OAuth App ](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app )
and provide the following information:
- The URL of your GitLab instance, such as `https://gitlab.example.com` .
- The authorization callback URL, such as, `https://gitlab.example.com/users/auth` .
Include the port number if your GitLab instance uses a non-default port.
### Check for security vulnerabilities
For some integrations, the [OAuth 2 covert redirect ](https://oauth.net/advisories/2014-1-covert-redirect/ )
vulnerability can compromise GitLab accounts.
To mitigate this vulnerability, append `/users/auth` to the authorization
callback URL.
2021-04-17 20:07:23 +05:30
However, as far as we know, GitHub does not validate the subdomain part of the `redirect_uri` .
2022-04-04 11:22:00 +05:30
Therefore, a subdomain takeover, an XSS, or an open redirect on any subdomain of
2021-04-17 20:07:23 +05:30
your website could enable the covert redirect attack.
2022-04-04 11:22:00 +05:30
## Enable GitHub OAuth in GitLab
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
1. [Configure the initial settings ](omniauth.md#configure-initial-settings ) in GitLab.
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
1. Edit the GitLab configuration file using the following information:
2019-01-03 12:48:30 +05:30
2022-04-04 11:22:00 +05:30
| GitHub setting | Value in the GitLab configuration file | Description |
|----------------|----------------------------------------|-------------------------|
| Client ID | `YOUR_APP_ID` | OAuth 2.0 client ID |
| Client secret | `YOUR_APP_SECRET` | OAuth 2.0 client secret |
| URL | `https://github.example.com/` | GitHub deployment URL |
2016-06-02 11:05:42 +05:30
2022-04-04 11:22:00 +05:30
- **For Omnibus installations**
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
1. Open the `/etc/gitlab/gitlab.rb` file.
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
For GitHub.com, update the following section:
2019-02-02 18:00:53 +05:30
2022-04-04 11:22:00 +05:30
```ruby
gitlab_rails['omniauth_providers'] = [
{
name: "github",
# label: "Provider name", # optional label for login button, defaults to "GitHub"
app_id: "YOUR_APP_ID",
app_secret: "YOUR_APP_SECRET",
args: { scope: "user:email" }
}
]
```
2019-02-02 18:00:53 +05:30
2022-04-04 11:22:00 +05:30
For GitHub Enterprise, update the following section and replace
`https://github.example.com/` with your GitHub URL:
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
```ruby
gitlab_rails['omniauth_providers'] = [
{
name: "github",
# label: "Provider name", # optional label for login button, defaults to "GitHub"
app_id: "YOUR_APP_ID",
app_secret: "YOUR_APP_SECRET",
url: "https://github.example.com/",
args: { scope: "user:email" }
}
]
```
2015-04-26 12:48:37 +05:30
2022-04-04 11:22:00 +05:30
1. Save the file and [reconfigure ](../administration/restart_gitlab.md#omnibus-gitlab-reconfigure )
GitLab.
2017-08-17 22:00:37 +05:30
2022-04-04 11:22:00 +05:30
- **For installations from source**
2017-08-17 22:00:37 +05:30
2022-04-04 11:22:00 +05:30
1. Open the `config/gitlab.yml` file.
2017-08-17 22:00:37 +05:30
2022-04-04 11:22:00 +05:30
For GitHub.com, update the following section:
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
```yaml
- { name: 'github',
# label: 'Provider name', # optional label for login button, defaults to "GitHub"
app_id: 'YOUR_APP_ID',
app_secret: 'YOUR_APP_SECRET',
args: { scope: 'user:email' } }
```
2020-03-13 15:44:24 +05:30
2022-04-04 11:22:00 +05:30
For GitHub Enterprise, update the following section and replace
`https://github.example.com/` with your GitHub URL:
2020-03-13 15:44:24 +05:30
2022-04-04 11:22:00 +05:30
```yaml
- { name: 'github',
# label: 'Provider name', # optional label for login button, defaults to "GitHub"
app_id: 'YOUR_APP_ID',
app_secret: 'YOUR_APP_SECRET',
url: "https://github.example.com/",
args: { scope: 'user:email' } }
```
2020-03-13 15:44:24 +05:30
2022-04-04 11:22:00 +05:30
1. Save the file and [restart ](../administration/restart_gitlab.md#installations-from-source )
GitLab.
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
1. Refresh the GitLab sign-in page. A GitHub icon should display below the
sign-in form.
2016-06-02 11:05:42 +05:30
2022-04-04 11:22:00 +05:30
1. Select the icon. Sign in to GitHub and authorize the GitLab application.
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
## Troubleshooting
2016-06-02 11:05:42 +05:30
2022-04-04 11:22:00 +05:30
### Imports from GitHub Enterprise with a self-signed certificate fail
2016-06-02 11:05:42 +05:30
2022-04-04 11:22:00 +05:30
When you import projects from GitHub Enterprise using a self-signed
certificate, the imports fail.
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
To fix this issue, you must disable SSL verification:
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
1. Set `verify_ssl` to `false` in the configuration file.
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
- **For Omnibus installations**
2014-09-02 18:07:02 +05:30
2022-04-04 11:22:00 +05:30
```ruby
gitlab_rails['omniauth_providers'] = [
{
name: "github",
# label: "Provider name", # optional label for login button, defaults to "GitHub"
app_id: "YOUR_APP_ID",
app_secret: "YOUR_APP_SECRET",
url: "https://github.example.com/",
verify_ssl: false,
args: { scope: "user:email" }
}
]
```
2017-08-17 22:00:37 +05:30
2022-04-04 11:22:00 +05:30
- **For installations from source**
2017-09-10 17:25:29 +05:30
2022-04-04 11:22:00 +05:30
```yaml
- { name: 'github',
# label: 'Provider name', # optional label for login button, defaults to "GitHub"
app_id: 'YOUR_APP_ID',
app_secret: 'YOUR_APP_SECRET',
url: "https://github.example.com/",
verify_ssl: false,
args: { scope: 'user:email' } }
```
2017-09-10 17:25:29 +05:30
2022-04-04 11:22:00 +05:30
1. Change the global Git `sslVerify` option to `false` on the GitLab server.
2017-09-10 17:25:29 +05:30
2022-04-04 11:22:00 +05:30
- **For Omnibus installations**
2017-09-10 17:25:29 +05:30
2022-04-04 11:22:00 +05:30
```ruby
omnibus_gitconfig['system'] = { "http" => ["sslVerify = false"] }
```
2017-09-10 17:25:29 +05:30
2022-04-04 11:22:00 +05:30
- **For installations from source**
2017-09-10 17:25:29 +05:30
2022-04-04 11:22:00 +05:30
```shell
git config --global http.sslVerify false
```
2017-09-10 17:25:29 +05:30
2022-04-04 11:22:00 +05:30
1. [Reconfigure GitLab ](../administration/restart_gitlab.md#omnibus-gitlab-reconfigure )
if you installed using Omnibus, or [restart GitLab ](../administration/restart_gitlab.md#installations-from-source )
if you installed from source.
2017-09-10 17:25:29 +05:30
2022-04-04 11:22:00 +05:30
### Signing in using GitHub Enterprise returns a 500 error
2017-09-10 17:25:29 +05:30
2022-04-04 11:22:00 +05:30
This error can occur because of a network connectivity issue between your
GitLab instance and GitHub Enterprise.
2017-09-10 17:25:29 +05:30
2022-04-04 11:22:00 +05:30
To check for a connectivity issue:
2020-01-01 13:55:28 +05:30
2022-04-04 11:22:00 +05:30
1. Go to the [`production.log` ](../administration/logs.md#productionlog )
on your GitLab server and look for the following error:
2020-01-01 13:55:28 +05:30
2022-04-04 11:22:00 +05:30
``` plaintext
Faraday::ConnectionFailed (execution expired)
```
2020-01-01 13:55:28 +05:30
2022-04-04 11:22:00 +05:30
1. [Start the rails console ](../administration/operations/rails_console.md#starting-a-rails-console-session )
and run the following commands. Replace `<github_url>` with the URL of your
GitHub Enterprise instance:
2020-01-01 13:55:28 +05:30
2022-04-04 11:22:00 +05:30
```ruby
uri = URI.parse("https://< github_url > ") # replace `GitHub-URL` with the real one here
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = 1
response = http.request(Net::HTTP::Get.new(uri.request_uri))
```
2020-01-01 13:55:28 +05:30
2022-04-04 11:22:00 +05:30
1. If a similar `execution expired` error is returned, this confirms the error is
caused by a connectivity issue. Make sure the GitLab server can reach
your GitHub Enterprise instance.
2020-01-01 13:55:28 +05:30
### Signing in using your GitHub account without a pre-existing GitLab account is not allowed
2022-04-04 11:22:00 +05:30
When you sign in to GitLab, you get the following error:
```plaintext
Signing in using your GitHub account without a pre-existing
GitLab account is not allowed. Create a GitLab account first,
and then connect it to your GitHub account
```
To fix this issue, you must activate GitHub sign-in in GitLab:
2020-01-01 13:55:28 +05:30
2022-04-04 11:22:00 +05:30
1. On the top bar, in the top right corner, select your avatar.
2021-03-11 19:13:27 +05:30
1. Select **Edit profile** .
2021-11-11 11:23:49 +05:30
1. On the left sidebar, select **Account** .
2021-03-11 19:13:27 +05:30
1. In the **Social sign-in** section, select **Connect to GitHub** .