GitHub user dosubot[bot] added a comment to the discussion: Does the DevLake UI support authentication and authorization?
<!-- Answer --> DevLake UI supports authentication, but its native options are limited. The most common method is Basic Authentication, which you can enable by setting the `ADMIN_USER` and `ADMIN_PASS` environment variables in your deployment. This creates an htpasswd file and protects the UI via nginx basic auth—see the relevant setup in the [nginx configuration script](https://github.com/apache/incubator-devlake/blob/main/config-ui/nginx.sh). If you need more advanced authentication (like OAuth2 or SSO), you can deploy DevLake behind an OAuth2 proxy (such as `oauth2-proxy`). The official Docker Compose setup includes an `authproxy` service that can be configured for providers like OIDC, Google, etc. This method secures the UI by requiring users to authenticate through your chosen identity provider before accessing DevLake—see the [docker-compose example](https://github.com/apache/incubator-devlake/blob/main/docker-compose-dev.yml). For cloud deployments with Tin, you can set a username and generate a password directly in the UI to enable Basic Auth and secure your instance—see the [Tin setup guide](https://github.com/apache/incubator-devlake/wiki/How-to-Set-Up-DevLake-with-Tin). DevLake does not currently support granular, role-based authorization natively in the UI. All authentication methods described above restrict access to the entire UI, not specific features or data. Authentication for plugin/API connections (like GitHub, AWS, Bitbucket) is handled separately within each plugin’s configuration and does not control access to the UI itself. If you need step-by-step guidance for a specific deployment scenario, let me know your environment and I can walk you through the setup. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/3fb995d6-3d58-49c1-b4db-bc17a2747462?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/3fb995d6-3d58-49c1-b4db-bc17a2747462?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/3fb995d6-3d58-49c1-b4db-bc17a2747462?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/3fb995d6-3d58-49c1-b4db-bc17a2747462?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/3fb995d6-3d58-49c1-b4db-bc17a2747462?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/3fb995d6-3d58-49c1-b4db-bc17a2747462?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/3fb995d6-3d58-49c1-b4db-bc17a2747462?feedback_type=other)</sup> [](https://app.dosu.dev/b4e8e847-d479-4541-83a8-d88d83fea5c9/ask?utm_source=github) [](https://cursor.com/link/prompt?text=DevLake%20UI%20supports%20authentication%2C%20but%20its%20native%20options%20are%20limited.%20The%20most%20common%20method%20is%20Basic%20Authentication%2C%20which%20you%20can%20enable%20by%20setting%20the%20%60ADMIN_USER%60%20and%20%60ADMIN_PASS%60%20environment%20variables%20in%20your%20deployment.%20This%20creates%20an%20htpasswd%20file%20and%20protects%20the%20UI%20via%20nginx%20basic%20auth%E2%80%94see%20the%20relevant%20setup%20in%20the%20%5Bnginx%20configuration%20script%5D%28https%3A//github.com/apache/incubator-devlake/blob/main/config-ui/nginx.sh%29.%0A%0AIf%20you%20need%20more%20advanced%20authentication%20%28like%20OAuth2%20or%20SSO%29%2C%20you%20can%20deploy%20DevLake%20behind%20an%20OAuth2%20proxy%20%28such%20as%20%60oauth2-proxy%60%29.% 20The%20official%20Docker%20Compose%20setup%20includes%20an%20%60authproxy%60%20service%20that%20can%20be%20configured%20for%20providers%20like%20OIDC%2C%20Google%2C%20etc.%20This%20method%20secures%20the%20UI%20by%20requiring%20users%20to%20authenticate%20through%20your%20chosen%20identity%20provider%20before%20accessing%20DevLake%E2%80%94see%20the%20%5Bdocker-compose%20example%5D%28https%3A//github.com/apache/incubator-devlake/blob/main/docker-compose-dev.yml%29.%0A%0AFor%20cloud%20deployments%20with%20Tin%2C%20you%20can%20set%20a%20username%20and%20generate%20a%20password%20directly%20in%20the%20UI%20to%20enable%20Basic%20Auth%20and%20secure%20your%20instance%E2%80%94see%20the%20%5BTin%20setup%20guide%5D%28https%3A//github.com/apache/incubator-devlake/wiki/How-to-Set-Up-DevLake-with-Tin%29.%0A%0ADevLake%20does%20not%20currently%20support%20granular%2C%20role-based%20authorization%20natively%20in%20the%20UI.%20All%20authentication%20methods%20described%20above%20restrict%20access% 20to%20the%20entire%20UI%2C%20not%20specific%20features%20or%20data.%0A%0AAuthentication%20for%20plugin/API%20connections%20%28like%20GitHub%2C%20AWS%2C%20Bitbucket%29%20is%20handled%20separately%20within%20each%20plugin%E2%80%99s%20configuration%20and%20does%20not%20control%20access%20to%20the%20UI%20itself.%0A%0AIf%20you%20need%20step-by-step%20guidance%20for%20a%20specific%20deployment%20scenario%2C%20let%20me%20know%20your%20environment%20and%20I%20can%20walk%20you%20through%20the%20setup.) [](https://go.dosu.dev/discord-bot) [](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/apache/incubator-devlake/discussions/8694) GitHub link: https://github.com/apache/incubator-devlake/discussions/8694#discussioncomment-15679519 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
