GitHub Organizations

Spinnaker supports OAuth 2.0 for authentication with GitHub organizations.

Get Client ID and Secret

Consult the GitHub OAuth 2.0 documentation and register a new OAuth 2.0 application to obtain a client ID and client secret.

Note: While registering the application in github, under “Authorized redirect URIs”, add https://localhost:8084/login/oauth2/code/github (For Spinnaker below v2025.2.0, it should be https://localhost:8084/login)

Configure Halyard

You may configure Halyard either with the CLI or by manually editing the hal config.

Hal config

security:
  authn:
    oauth2:
      enabled: true
      client:
        clientId: # client ID from above
        clientSecret: # client secret from above
        accessTokenUri: https://github.com/login/oauth/access_token
        userAuthorizationUri: https://github.com/login/oauth/authorize
        scope: user,email # for Spinnaker below v2025.2.0, it should be "user:email" without double quotes
      resource:
        userInfoUri: https://api.github.com/user
      # You almost certainly want to restrict access to your Spinnaker by adding
      # userInfoRequirements; otherwise any user with a GitHub account will be
      # able to access it.
      userInfoRequirements: {}
      userInfoMapping:
        email: email
        firstName: ''
        lastName: name
        username: login
      provider: GITHUB

CLI

hal config security authn oauth2 edit --provider github \
  --client-id (client ID from above) \
  --client-secret (client secret from above)

hal config security authn oauth2 enable

Last modified September 11, 2025: feat(OAuth2): Update Spinnaker documentation for OAuth property changes in Spring Security 5 (#503) (91e340e)