GitHub Authentication
Choose DEX_HOSTNAME And Configure DNS
Loft uses the CNCF project dex for single sign-on.
The easiest case is this one:
- $LOFT_HOSTNAME = loft.mycompany.tld (where Loft is running)
- $DEX_HOSTNAME = dex.mycompany.tld (where dex should be running)
- Loft and dex should run in the same Kubernetes cluster
Then, you can set a CNAME record with value loft.mycompany.tld in the DNS configuration for dex.mycompany.tld.
Create A GitHub App
In GitHub, navigate to Settings > Developer Settings > OAuth Apps and create a new OAuth App with the following settings:
- Application name: Loft Login via GitHub
- Homepage URL: https://loft.yourcompany.tld = https:// + $LOFT_HOSTNAME
- Auth callback URL: https://dex.yourcompany.tld/callback = https:// + $DEX_HOSTNAME + /callback
Remember the $GITHUB_CLIENT_ID and $GITHUB_CLIENT_SECRET that GitHub generates for your OAuth application because you will need them in the next step.
Create Dex Config For GitHub
Create the file dex-config.yaml with the following dex configuration:
For details about configuring dex for GitHub, take a look at the dex documentation for GitHub.
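The check below is an added example, not taken from the Loft or dex documentation: it lints one parsed GitHub connector entry against the rules this page states (callback exactly https:// + $DEX_HOSTNAME + /callback, login limited to an organization). The keys clientID, clientSecret, redirectURI and orgs are assumed to be the dex GitHub connector fields; the sample entries and the organization name are constructed.

```python
from urllib.parse import urlsplit


def lint_github_connector(connector, dex_hostname):
    """Return a list of findings for one parsed dex connector entry (a dict)."""
    findings = []
    cfg = connector.get("config") or {}
    if connector.get("type") != "github":
        findings.append("type: expected 'github'")

    # The callback registered in the GitHub OAuth App must match exactly:
    # https:// + $DEX_HOSTNAME + /callback
    uri = urlsplit(cfg.get("redirectURI") or "")
    if uri.scheme != "https":
        findings.append("redirectURI: scheme must be https")
    if uri.hostname != dex_hostname.lower():
        findings.append("redirectURI: host is not $DEX_HOSTNAME")
    if uri.path != "/callback" or uri.query or uri.fragment:
        findings.append("redirectURI: path must be exactly /callback")

    for key in ("clientID", "clientSecret"):
        if not cfg.get(key):
            findings.append(f"{key}: missing or empty")

    # Without an organization restriction, dex accepts any GitHub account.
    # (This sketch checks the `orgs` list only.)
    orgs = cfg.get("orgs") or []
    if not any(isinstance(o, dict) and o.get("name") for o in orgs):
        findings.append("orgs: no organization set, any GitHub user can log in")
    return findings


# Constructed sample entries; hostnames follow the page's example values.
GOOD = {"type": "github", "id": "github", "name": "GitHub", "config": {
    "clientID": "$GITHUB_CLIENT_ID", "clientSecret": "$GITHUB_CLIENT_SECRET",
    "redirectURI": "https://dex.mycompany.tld/callback",
    "orgs": [{"name": "my-organization"}]}}
WEAK = {"type": "github", "id": "github", "name": "GitHub", "config": {
    "clientID": "$GITHUB_CLIENT_ID", "clientSecret": "$GITHUB_CLIENT_SECRET",
    "redirectURI": "http://loft.mycompany.tld/callback"}}

if __name__ == "__main__":
    for label, entry in (("good", GOOD), ("weak", WEAK)):
        print(label, lint_github_connector(entry, "dex.mycompany.tld"))
```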
Deploy Dex via Helm
After creating the file dex-config.yaml, you can now install dex via helm:
Configure Loft To Use Dex For Authentication
To tell Loft to use dex for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:
Authenticate via Dex + GitHub
After saving the new Loft configuration, Loft will restart itself and you should be able to log in via GitHub and dex. Beware that only members of your organization on GitHub can sign in and that everyone must grant access to view their organization during the login process.
Must Grant Access To Organization
Users must grant access to the organization you configured dex for in step 2 above, otherwise they will not be able to log in.
Disable Username + Password Authentication (optional)
To disable password-based authentication, navigate to Admin > Config and add these two lines to your config: