GitHub SSO Provider

This section explains how to configure GitHub as an SSO provider in Localtonet and use it to protect your HTTP tunnels.

The setup consists of two main parts:

  1. Creating an OAuth App in GitHub

  2. Adding the GitHub provider to Localtonet

Step 1: Create an OAuth App in GitHub

Before adding GitHub as an SSO provider in Localtonet, you need to create an OAuth application in GitHub.

  1. Go to GitHub Developer Settings

  2. Click OAuth AppsNew OAuth App

  3. Fill in the application details:

    • Application name
      Any descriptive name (e.g. Localtonet Tunnel Access)

    • Homepage URL

      https://auth.localtonet.com

    • Authorization callback URL

      http://auth.localtonet.com/auth/callback

  4. Click Register application.

  5. After creation, generate a Client Secret.

  6. Copy the following values:

    • Client ID

    • Client Secret

You will use these values in the next step.

Step 2: Add GitHub Provider in Localtonet

  1. Open the SSO Providers setting in HTTP Tunnel page

  2. Click Add Provider.

  3. Fill in the provider details:

    • Provider Name
      Any descriptive name (e.g. GitHub, Company GitHub Login)

    • Provider Type
      Select GitHub

    • Client ID
      Paste the Client ID from GitHub

    • Client Secret
      Paste the Client Secret from GitHub

  4. The following endpoints are pre-filled automatically for GitHub and should not be changed unless you have a specific reason:

    • Authorization Endpoint

      https://github.com/login/oauth/authorize

    • Token Endpoint

      https://github.com/login/oauth/access_token

    • UserInfo Endpoint

      https://api.github.com/user

    • Callback Path

      /auth/callback/github

  5. (Optional) Configure Allowed Email Domains

    • Enter one domain per line (e.g. company.com)

    • Only users whose verified email matches the domain will be allowed

  6. Toggle Active to enable the provider.

  7. Click Save.



Your GitHub SSO provider is now available for use.

Step 3: Enable GitHub SSO for an HTTP Tunnel

  1. Open the HTTP Tunnel Settings for the tunnel you want to protect.

  2. Navigate to SSO Providers → Manage.

  3. Enable SSO for this tunnel.

  4. Toggle GitHub to enable it for this tunnel.

  5. Configure optional tunnel-level restrictions:

    • SSO Path(s) – paths that require authentication

    • Logout Path – logout endpoint

    • Allowed Domains / Emails / Usernames – additional access control

  6. Click Save Changes.



What Happens Next?

When a user accesses the tunnel URL:

  1. The request is intercepted by the Localtonet authentication layer.

  2. The user is redirected to GitHub for authentication.

  3. After successful login, the user is redirected back to the tunnel.

  4. Access is granted only if all provider and tunnel rules are satisfied.

The protected service remains unchanged.

Notes & Best Practices

  • GitHub authentication uses the user’s primary verified email

  • Use domain restrictions to limit access to organization users

  • You can enable GitHub alongside other SSO providers

  • Rotate Client Secrets periodically for security