Actual behavior (updated)
When a non-member completes the GitHub OAuth flow, Coder redirects to the login page with a message:
https://coder.ddev.com/login?message=You+aren%27t+a+member+of+the+authorized+Github+organizations%21&redirect=%2F
The login page shows: "You aren't a member of the authorized Github organizations!"
This is better than a bare error — the user knows what went wrong. What's still missing is what to do about it: which orgs qualify and where to request access.
Remaining gap
The login page error message has no link to coder-ddev-com/access-requests and no explanation of which orgs are allowed. A user seeing this has no obvious next step.
Current mitigation
A service_banner on the Coder login page (once applied to production) will appear on the same page as this error message, explaining the org requirement and linking to access-requests. That closes most of the gap without any infrastructure change.
Options for a complete fix
- Service banner (immediate) — already set on staging; apply to production via PUT /api/v2/appearance. Shows on the same page as the error. No infra change needed.
- Reverse proxy (Caddy/nginx) in front of Coder — intercept the OAuth callback 401/403 and redirect directly to start.coder.ddev.com/access-denied before the login page redirect. Cleanest UX but requires moving Coder to an internal port.
- Coder upstream feature request — ask Coder to support a configurable unauthorized_redirect_url for the OAuth callback.
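The decision a reverse proxy would have to make for the second option, as an added sketch that is not part of this issue or of Coder. It assumes the proxy sees the login redirect documented under "Actual behavior"; the function name, the https scheme on the access-denied URL, and the sample inputs are constructed for illustration.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Values taken from the issue text; the https scheme on the target is assumed.
CODER_HOST = "coder.ddev.com"
DENIED_MESSAGE = "You aren't a member of the authorized Github organizations!"
ACCESS_DENIED_URL = "https://start.coder.ddev.com/access-denied"


def rewrite_location(status: int, location: Optional[str]) -> Optional[str]:
    """Return the Location header the proxy should send downstream.

    Only the exact "not an org member" login redirect is replaced, and always
    with a fixed destination; every other response passes through unchanged.
    """
    if location is None or not 300 <= status < 400:
        return location
    parts = urlsplit(location)
    # Accept a relative or an absolute Location, but never treat a redirect
    # to some other host as Coder's own.
    if parts.netloc and parts.netloc.lower() != CODER_HOST:
        return location
    if parts.path != "/login":
        return location
    # parse_qs decodes "+" and percent-escapes, so compare the decoded text.
    if parse_qs(parts.query).get("message", []) != [DENIED_MESSAGE]:
        return location
    # The `redirect` parameter is deliberately dropped: copying a
    # request-controlled value into the new Location would be an open redirect.
    return ACCESS_DENIED_URL


if __name__ == "__main__":
    # Constructed sample: the redirect quoted in the issue, with an assumed 307.
    sample = ("https://coder.ddev.com/login?message=You+aren%27t+a+member+of"
              "+the+authorized+Github+organizations%21&redirect=%2F")
    print(rewrite_location(307, sample))
```

Matching on the message text is brittle: if the wording changes upstream, the rule silently stops firing and users fall back to the plain login page.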
Reference
docs/access-denied.html — ready-to-use landing page at start.coder.ddev.com/access-denied