@@ -62,7 +62,7 @@ You may need to import projects from external sources like GitHub, Bitbucket, or
...
@@ -62,7 +62,7 @@ You may need to import projects from external sources like GitHub, Bitbucket, or
### Popular project imports
### Popular project imports
-[GitHub Enterprise to self-managed GitLab](../integration/github.md#enabling-github-oauth): Enabling OAuth makes it easier for developers to find and import their projects.
-[GitHub Enterprise to self-managed GitLab](../integration/github.md): Enabling OAuth makes it easier for developers to find and import their projects.
-[Bitbucket Server](../user/project/import/bitbucket_server.md#limitations): There are certain data limitations.
-[Bitbucket Server](../user/project/import/bitbucket_server.md#limitations): There are certain data limitations.
For assistance with these data types, contact your GitLab account manager or GitLab Support about our professional migration services.
For assistance with these data types, contact your GitLab account manager or GitLab Support about our professional migration services.
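Review bot: The GitHub Enterprise list item drops the `#enabling-github-oauth` anchor and now links to the top of `../integration/github.md`, while its description still reads "Enabling OAuth makes it easier for developers to find and import their projects" and the target page is retitled "Use GitHub as an authentication provider". The same change renames the old "Enabling GitHub OAuth" heading to "Create an OAuth app in GitHub", so consider pointing the link at that section so the reader lands on the OAuth setup steps, or reword the link text to match what the page now covers. Please also check for other inbound links that still use the removed anchor.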
info:To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
info:To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
---
# Integrate your GitLab instance with GitHub **(FREE SELF)**
# Use GitHub as an authentication provider **(FREE SELF)**
You can integrate your GitLab instance with GitHub.com and GitHub Enterprise. This integration
You can integrate your GitLab instance with GitHub.com and GitHub Enterprise.
enables users to import projects from GitHub, or sign in to your GitLab instance
You can import projects from GitHub, or sign in to GitLab
with their GitHub account.
with your GitHub credentials.
## Security check
## Create an OAuth app in GitHub
Some integrations risk compromising GitLab accounts. To help mitigate this
To enable the GitHub OmniAuth provider, you need an OAuth 2.0 client ID and client
vulnerability, append `/users/auth` to the end of the authorization callback URL.
However, as far as we know, GitHub does not validate the subdomain part of the `redirect_uri`.
1. Sign in to GitHub.
This means that a subdomain takeover, an XSS, or an open redirect on any subdomain of
1.[Create an OAuth App](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app)
your website could enable the covert redirect attack.
and provide the following information:
- The URL of your GitLab instance, such as `https://gitlab.example.com`.
## Enabling GitHub OAuth
- The authorization callback URL, such as, `https://gitlab.example.com/users/auth`.
Include the port number if your GitLab instance uses a non-default port.
To enable the GitHub OmniAuth provider, you need an OAuth 2 Client ID and Client Secret from GitHub. To get these credentials, sign into GitHub and follow their procedure for [Creating an OAuth App](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app).
When you create an OAuth 2 app in GitHub, you need the following information:
- The URL of your GitLab instance, such as `https://gitlab.example.com`.
- The authorization callback URL; in this case, `https://gitlab.example.com/users/auth`. Include the port number if your GitLab instance uses a non-default port.
See [Configure initial settings](omniauth.md#configure-initial-settings) for initial settings.
### Check for security vulnerabilities
After you have configured the GitHub provider, you need the following information. You must substitute that information in the GitLab configuration file in these next steps.
For some integrations, the [OAuth 2 covert redirect](https://oauth.net/advisories/2014-1-covert-redirect/)
vulnerability can compromise GitLab accounts.
To mitigate this vulnerability, append `/users/auth` to the authorization
callback URL.
| Setting from GitHub | Substitute in the GitLab configuration file | Description |
However, as far as we know, GitHub does not validate the subdomain part of the `redirect_uri`.
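Review bot: In the new "Create an OAuth app in GitHub" steps, the callback URL is introduced with "such as, `https://gitlab.example.com/users/auth`", which makes the `/users/auth` suffix read like an example value, whereas the old text said "in this case" and the relocated "Check for security vulnerabilities" section states that appending `/users/auth` is the mitigation for the OAuth 2 covert redirect issue. That section now also sits after the setup steps and the "Configure initial settings" pointer, so someone who stops after registering the app may never see it. Suggest saying in the step itself that the callback URL must end in `/users/auth` (and dropping the stray comma after "such as"), or linking from the step to the security section. Also confirm that the sentence following "GitHub does not validate the subdomain part of the `redirect_uri`" (subdomain takeover, XSS, or open redirect on any subdomain enabling the covert redirect attack) carries over to the new section, because it is the part that tells administrators what residual risk remains after the mitigation.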