This document will use GitHub as the SSO identity provider to demonstrate how to enable OAuth2 authorization protocol for Dify Enterprise. By enabling this feature, the enterprise login page will use a unified identity authentication entry to enhance security. For enterprise internal users, there’s no need to enter complex passwords - they can log in using organizational accounts to pass verification, simplifying the login process.
This document will mention internal users and external users. The following distinctions are made:
  • Internal members: Members registered within the Dify Enterprise workspace or added through the admin backend.
  • External users: Members not within Dify Enterprise

1. Create an OAuth App in GitHub

  1. Access the GitHub administrator backend page, navigate to the Settings page, select OAuth Apps and create a new OAuth application.
  1. Follow the page prompts to fill in the following content and complete application creation:
  • Application name (Required): Application name, can be customized.
  • Homepage URL (Required): Homepage link, recommended to fill in the Dify Enterprise platform URL.
  • Application description (Optional): Application description.
  • Authorization Callback URL (Required): Callback link, please refer to the section below for how to obtain it.
For more information about creating GitHub OAuth2 applications, please refer to GitHub Documentation.

2. Obtaining Callback URL

According to the required SSO scope to be enabled, Callback URLs differ. System administrators need to fill the Dify Enterprise Callback URL into the corresponding GitHub OAuth2 application to complete the creation process.
Click Admin BackendIdentity AuthenticationMemberSSO Identity ProviderNew Identity ProviderNew OAuth2 Provider, and view the Workspace Callback URL at the bottom.It usually follows this format:
https://[your-dify-enterprise-url]/console/api/enterprise/sso/oauth2/callback
  1. Paste it into the Authorization callback URL field in the OAuth2 App.

3. Enable OAuth2 Authentication

Access the Dify Enterprise Authentication page, click ”+ New Identity Provider → New OAuth2 Provider”, and fill in the information according to the prompts to complete the configuration. Go to the OAuth application to obtain the following information:
  • Client ID
  • Client Secrets
The basic information of different OAuth2 providers varies, please refer to the official documentation of each provider. The following information is for reference only and can be adjusted according to actual needs.
  • Authorization Endpoint: https://github.com/login/oauth/authorize
  • Token Endpoint: https://github.com/login/oauth/access_token
  • User Info Endpoint: https://api.github.com/user
  • Scopes: openid,profile,email

4. Enable SSO Mandatory Authentication (Optional)

System administrators can enable SSO Enforcement options for the following two scenarios to enable mandatory authentication:
  • Workspace: Requires authorization when logging into Dify Enterprise Workspace.
  • WebApp: Requires verification when using applications created by the current Dify Enterprise.
After enabling, accessing the corresponding scenarios will prompt for access authorization.