This document will mention internal users and external users. The following distinctions are made:
- Internal members: Members registered within the Dify Enterprise workspace or added through the admin backend.
- External users: Members not within Dify Enterprise
1. Create an OAuth App in GitHub
- Access the GitHub administrator backend page, navigate to the Settings page, select OAuth Apps and create a new OAuth application.
- Follow the page prompts to fill in the following content and complete application creation:
- Application name (Required): Application name, can be customized.
- Homepage URL (Required): Homepage link, recommended to fill in the Dify Enterprise platform URL.
- Application description (Optional): Application description.
- Authorization Callback URL (Required): Callback link, please refer to the section below for how to obtain it.
For more information about creating GitHub OAuth2 applications, please refer to GitHub Documentation.
2. Obtaining Callback URL
According to the required SSO scope to be enabled, Callback URLs differ. System administrators need to fill the Dify Enterprise Callback URL into the corresponding GitHub OAuth2 application to complete the creation process.- Workspace
- WebApp Members (For Internal Users)
- WebApp External Users (For External Users)
Click Admin Backend → Identity Authentication → Member → SSO Identity Provider → New Identity Provider → New OAuth2 Provider, and view the Workspace Callback URL at the bottom.It usually follows this format:
- Paste it into the Authorization callback URL field in the OAuth2 App.
3. Enable OAuth2 Authentication
Access the Dify Enterprise Authentication page, click ”+ New Identity Provider → New OAuth2 Provider”, and fill in the information according to the prompts to complete the configuration. Go to the OAuth application to obtain the following information:- Client ID
- Client Secrets
- Authorization Endpoint:
https://github.com/login/oauth/authorize - Token Endpoint:
https://github.com/login/oauth/access_token - User Info Endpoint:
https://api.github.com/user - Scopes:
openid,profile,email
4. Enable SSO Mandatory Authentication (Optional)
System administrators can enable SSO Enforcement options for the following two scenarios to enable mandatory authentication:- Workspace: Requires authorization when logging into Dify Enterprise Workspace.
- WebApp: Requires verification when using applications created by the current Dify Enterprise.

