# GitHub

To allow users to log in with GitHub credentials, you must use a GitHub App. We highly recommend that you set up a dedicated one.

## Creating a dedicated app for authentication <a href="#creating-a-dedicated-app-for-authentication" id="creating-a-dedicated-app-for-authentication"></a>

If you want to use a dedicated app for GitHub authentication, you can create a GitHub OAuth app. You’ll find general instructions for creating a GitHub OAuth App [here](https://docs.github.com/en/free-pro-team@latest/developers/apps/creating-an-oauth-app). Specify the following settings in your OAuth App:

* **Homepage URL** – the public URL of your SonarQube server. For example, `https://sonarqube.mycompany.com`. For security reasons, HTTP is not supported, and you must use HTTPS. The public URL is configured in SonarQube at **Administration > General > Server base URL**.
* **Authorization callback URL** – your instance’s base URL. For example, `https://yourinstance.sonarqube.com`.

## Setting your authentication settings in SonarQube <a href="#setting-your-authentication-settings-in-sonarqube" id="setting-your-authentication-settings-in-sonarqube"></a>

Navigate to **Administration > Configuration > General Settings > Authentication > GitHub Authentication** and update the following:

1. **Enabled** – set the switch to `true`.
2. **Client ID** – the client ID is found below the GitHub App ID on your GitHub App’s page.
3. **Client Secret** – the client secret is found below the client ID on your GitHub App’s page.
4. Enter the allowed organizations in the **Organizations** field.

{% hint style="warning" %}
If the allowed organizations are not entered, any user with a GitHub account can log in to the SonarQube instance, even if the GitHub App used for authentication is private.
{% endhint %}

Now, from the login page, your users can connect their GitHub accounts with the new **Log in with GitHub** button.

## GitHub group synchronization <a href="#github-group-synchronization" id="github-group-synchronization"></a>

To associate GitHub Teams with existing SonarQube groups of the same name, enable **Synchronize user groups** by navigating to **Administration** > **Configuration** > **General Settings** > **Authentication** > **GitHub**.

![](https://152261287-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FBmptmznn7RpPe5u7vdup%2Fuploads%2Fgit-blob-0f7eb82f32121311e41272b07da90bb979b35e26%2Fafc1f20974cc2330d289f6789ea42ccab2e6fa5f.png?alt=media)

See the **Group synchronization** section on the [overview](https://docs.sonarsource.com/sonarqube-server/9.9/instance-administration/authentication/overview "mention") for more detail about this feature’s general behavior.

{% hint style="info" %}
When group synchronization is configured, the delegated authentication source becomes the only place to manage group membership, and the user’s groups are re-fetched with each login. It is not possible to use both manual group memberships and group synchronization (via your ALM integration) for the same user.
{% endhint %}