GitHub User Access Restrictions (v 4.0)

Hi - I was wondering if there is a way to generally restrict the group of GitHub users that are allowed to log in to Concourse when setting up OAuth. I set up GitHub Auth as described here: https://concourse-ci.org/install.html#github-auth-config

I have read this part about assigning specific GitHub users to concourse teams:
https://concourse-ci.org/authentication.html#github-auth

As this is not designed to work for the main team, I am not clear about what the intended user / admin pattern is now.

  1. When using GitHub Authentication - does that mean all GitHub users are able to log into Concourse, if it is exposed on a public URL?

  2. Is the intention with the main team to only have local users (as admins) assigned to this team?

  3. Is setting CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS=true at the same time as having GitHub Authentication generally a bad idea, since it will make all GitHub users admins?

Thanks!

OK, what I didn't see before are these options:

Authentication (Main Team) (GitHub):
  --main-team-github-user=USERNAME
  --main-team-github-org=ORG_NAME
  --main-team-github-team=ORG_NAME:TEAM_NAME

I assume I need to define those appropriately and set:
CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS=false

Are you able to set up multiple teams and orgs for authentication per Concourse team?

AFAIK it's one Concourse team/org per Concourse installation.

From what I've been reading, the Concourse web option only allows for one GitHub org. However, you can set more up using the Fly CLI tool.

Did you ever find a way to prevent (1)? I only want users that are part of a specific GitHub org to be able to log in to our Concourse server.

I'm not sure when it changed, but you can now configure the auth on teams to have any combination of GitHub orgs/teams/users. The only requirement is that the OAuth app used for the callback in Concourse be added to the respective orgs in GitHub.

Technically, because of how auth works in Concourse, anyone with a GitHub account will be able to log in to the server, but they won't be able to see any teams that they aren't granted access to.
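To make the thread's advice concrete, here is an added docker-compose fragment for the `web` node (example configuration written for this page, not from the Concourse project or any poster). It assumes a docker-compose deployment, a placeholder org `example-org`, a placeholder GitHub team `ci-admins` and a placeholder local user `admin`; replace them with your own. It shows the risky setting the original question asks about next to the restricted one.

```yaml
# Added example: Concourse `web` service with GitHub auth restricted to one org/team.
# Org, team, user and URL values below are placeholders, not values from the thread.
services:
  web:
    image: concourse/concourse
    command: web
    environment:
      CONCOURSE_EXTERNAL_URL: https://ci.example.com   # placeholder; must match the OAuth app callback

      # GitHub OAuth app credentials (inject the secret from a secret store, never commit it).
      CONCOURSE_GITHUB_CLIENT_ID: ${GITHUB_CLIENT_ID}
      CONCOURSE_GITHUB_CLIENT_SECRET: ${GITHUB_CLIENT_SECRET}

      # --- RISKY: with GitHub auth enabled, this grants every GitHub account
      # --- membership of the main (admin) team. Do not combine the two.
      # CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS: "true"

      # --- RESTRICTED: only the listed org team and local user get the main team.
      CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS: "false"
      CONCOURSE_MAIN_TEAM_GITHUB_TEAM: example-org:ci-admins   # placeholder ORG:TEAM
      # CONCOURSE_MAIN_TEAM_GITHUB_ORG: example-org            # broader: whole org becomes admin
      # CONCOURSE_MAIN_TEAM_GITHUB_USER: some-github-login     # narrowest: named accounts only

      # Break-glass local admin so you are not locked out if GitHub auth misbehaves.
      CONCOURSE_ADD_LOCAL_USER: admin:${LOCAL_ADMIN_PASSWORD}
      CONCOURSE_MAIN_TEAM_LOCAL_USER: admin
```

Non-main teams are then created with fly rather than with web flags, e.g. `fly -t ci set-team -n app-team --github-org example-org --github-team example-org:app-devs`, which can combine orgs, teams and users as the last reply describes. Note that the GitHub OAuth app must be approved for each org you reference, and that this restricts team membership, not the login itself: as the reply above says, any GitHub account can still complete the OAuth flow and will simply see no teams.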