Summary
Currently coder.ddev.com only supports GitHub OAuth for login. This issue tracks adding alternative authentication options to reduce friction for users who prefer not to authorize a third-party service with their main GitHub account, and to broaden access for non-GitHub users.
Current GitHub OAuth Behavior
Coder requests three read-only GitHub OAuth scopes:
- read:user — public profile data
- user:email — email addresses (including private ones)
- read:org — organization membership
What this means in practice:
- coder.ddev.com cannot read private repositories, push code, create issues, or perform any write action
- The OAuth token is stored in Coder's database and does not expire unless revoked
- Users can revoke at any time: GitHub Settings → Applications → Authorized OAuth Apps
The risk profile for using a personal GitHub account is low, but some users will reasonably prefer not to grant any third-party access to their GitHub account.
Alternative Auth Options Coder Supports
Coder has built-in support for several alternatives. References:
- Coder auth docs: https://coder.com/docs/admin/users/github-auth
- Coder OIDC docs: https://coder.com/docs/admin/users/oidc-auth
- GitHub OAuth Apps vs GitHub Apps: https://docs.github.com/en/apps/using-github-apps/authorizing-github-apps#about-github-apps-acting-on-your-behalf
- GitHub OAuth App scopes: https://docs.github.com/en/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps
1. Username/Password (Built-in)
Already available in Coder by default. No configuration needed — just enable it in the UI or leave it enabled. Users create a local account without any external OAuth dependency.
Consideration: Requires password management; no SSO; good for users who want complete separation from external accounts.
2. OIDC with Google / Microsoft / Okta
Coder supports any OIDC-compliant provider. OIDC is more privacy-preserving than the current GitHub OAuth setup because the identity provider handles authentication and returns only a signed identity assertion (email + username) — Coder never receives a token that can query GitHub's API.
Examples:
- Google (accounts.google.com) — widely available, no GitHub dependency
- Microsoft Entra ID — common in enterprise contexts
- Okta — enterprise SSO
3. GitLab OAuth / OIDC
Relevant for Drupal contributors who already use drupalcode.org (which runs GitLab). Would allow login with an existing Drupal community identity.
- GitLab OIDC: https://docs.gitlab.com/ee/integration/openid_connect_provider.html
- GitLab OAuth: https://docs.gitlab.com/ee/api/oauth2.html
4. Self-Hosted OIDC (Keycloak / Authentik)
Maximum control option: run an identity provider that federates against GitHub, GitLab, LDAP, etc., but presents only OIDC claims to Coder. DDEV controls exactly what identity information is shared.
- Keycloak: https://www.keycloak.org/
- Authentik: https://goauthentik.io/
Suggested Actions
- Enable username/password login (if not already enabled) as an immediate no-config option
- Evaluate GitLab OIDC for Drupal community users
- Consider a self-hosted OIDC provider for maximum control long-term
- Document the GitHub OAuth scopes and revocation instructions for users
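As an added illustration of the options above (not configuration from the DDEV project or from this issue), here is how the environment for `coder server` would express the existing GitHub OAuth login alongside option 1 (built-in password login) and an OIDC provider as in options 2 and 4. The variable names follow Coder's documented `CODER_OAUTH2_GITHUB_*`, `CODER_OIDC_*` and `CODER_DISABLE_PASSWORD_AUTH` settings and should be checked against the linked Coder docs for the deployed version; the issuer URL, client IDs and secrets are placeholders.

```shell
# Added example: environment for `coder server` on coder.ddev.com.
# Every client ID, secret and issuer below is a placeholder, not a real value.

# --- Existing setup: GitHub OAuth ---
export CODER_OAUTH2_GITHUB_CLIENT_ID="PLACEHOLDER_GITHUB_CLIENT_ID"
export CODER_OAUTH2_GITHUB_CLIENT_SECRET="PLACEHOLDER_GITHUB_CLIENT_SECRET"
# Limit sign-ups through GitHub to members of the ddev org; Coder checks
# this with the read:org scope described above.
export CODER_OAUTH2_GITHUB_ALLOWED_ORGS="ddev"
export CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS="true"

# --- Option 1: built-in username/password ---
# Password auth is on by default; this only makes sure it was not disabled.
# Flip it to "true" once an SSO option below is in place and verified.
export CODER_DISABLE_PASSWORD_AUTH="false"

# --- Options 2 and 4: any OIDC provider (Google, GitLab, Keycloak, ...) ---
# Coder discovers the endpoints and signing keys from
# ${CODER_OIDC_ISSUER_URL}/.well-known/openid-configuration.
export CODER_OIDC_ISSUER_URL="https://idp.example.invalid/realms/ddev"  # placeholder
export CODER_OIDC_CLIENT_ID="PLACEHOLDER_OIDC_CLIENT_ID"
export CODER_OIDC_CLIENT_SECRET="PLACEHOLDER_OIDC_CLIENT_SECRET"
# Request identity claims only; Coder receives no API token for any
# upstream service the provider federates against.
export CODER_OIDC_SCOPES="openid,profile,email"
export CODER_OIDC_ALLOW_SIGNUPS="true"
# Label the button so users can tell the login methods apart.
export CODER_OIDC_SIGN_IN_TEXT="Sign in with DDEV SSO"

# Refuse to start while any placeholder credential is still set.
check_no_placeholders() {
  if env | grep -E '^CODER_(OIDC|OAUTH2_GITHUB)_' | grep -q 'PLACEHOLDER'; then
    echo "refusing to start: placeholder credentials still set" >&2
    return 1
  fi
  return 0
}

# Run `coder server` only after the check passes:
#   check_no_placeholders && coder server
```

Keeping GitHub OAuth enabled while adding the other methods lets existing users keep their current login, and users who prefer not to authorize GitHub get a separate button. Disabling password login should wait until the OIDC path has been tested end to end, otherwise a misconfigured provider locks administrators out.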
References
- Coder user auth overview: https://coder.com/docs/admin/users/
- GitHub OAuth App authorization: https://docs.github.com/en/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps
- GitHub Apps acting on your behalf: https://docs.github.com/en/apps/using-github-apps/authorizing-github-apps#about-github-apps-acting-on-your-behalf
- Reviewing/revoking authorized apps: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-authorized-integrations