
GitHub SSO Setup — Cloudflare Access

This guide configures GitHub OAuth SSO for portal.spwhin.com using Cloudflare Zero Trust Access (free tier supports up to 50 users).

How it works

Browser → portal.spwhin.com → Cloudflare Access (GitHub OAuth check)

Is user in spwhin GitHub org?
✅ Yes → Allow
❌ No → Block

No changes required to the Docusaurus app itself — protection is at the CDN/proxy layer.


Prerequisites

  • Domain spwhin.com managed by Cloudflare (or proxied through it)
  • GitHub org: spwhin
  • Cloudflare account (free tier works)
  • portal.spwhin.com already points to the CloudFront distribution that serves the portal

DNS / traffic flow

Cloudflare Access protects the hostname, while CloudFront serves the static site from S3:

Browser -> Cloudflare Access -> CloudFront -> S3 bucket

Create portal.spwhin.com in Cloudflare as a proxied DNS record pointing at the CloudFront distribution domain before enabling the Access application.


Step 1 — Enable Cloudflare Zero Trust

  1. Log in to dash.cloudflare.com
  2. Click Zero Trust in the sidebar
  3. Choose a team name: spwhin
  4. Select Free plan

Step 2 — Add GitHub as Identity Provider

  1. Go to Settings → Authentication → Login methods
  2. Click Add new → GitHub
  3. In GitHub, go to Settings → Developer Settings → OAuth Apps → New OAuth App:
    • Application name: SPW HI Portal SSO
    • Homepage URL: https://portal.spwhin.com
    • Callback URL: https://spwhin.cloudflareaccess.com/cdn-cgi/access/callback
  4. Copy Client ID and Client Secret back into Cloudflare
  5. Enable "Proof Key for Code Exchange (PKCE)"
  6. Save

Step 3 — Create an Access Application

  1. Go to Access → Applications → Add an application
  2. Select Self-hosted
  3. Configure:
    • App name: SPW HI Developer Portal
    • Subdomain: portal / Domain: spwhin.com
    • Session duration: 24 hours
  4. Click Next

Step 4 — Create an Access Policy

  1. Policy name: SPW GitHub Org Members
  2. Action: Allow
  3. Include rule:
    • Selector: GitHub → Organization
    • Value: spwhin
  4. Save and deploy

Step 5 — Verify

  1. Open an incognito window → https://portal.spwhin.com
  2. You should see the Cloudflare Access login screen
  3. Click Sign in with GitHub
  4. Authorize → redirected to portal ✅

Users outside the spwhin GitHub org will get an "Access Denied" page.
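
The browser check in Step 5 can also be scripted. The following is an added example, not part of the original guide: it classifies the response an unauthenticated client receives, using the team domain from the Step 2 callback URL. The sample responses are constructed, and the login path in them is an assumption.

```shell
#!/bin/sh
# Added example (not from the original guide): classify what an
# unauthenticated client receives from a hostname behind Cloudflare Access.
TEAM_DOMAIN="spwhin.cloudflareaccess.com"  # team domain from the Step 2 callback URL

# Reads raw HTTP response headers on stdin and prints one verdict:
#   PROTECTED  redirect whose Location is on the Access team domain
#   EXPOSED    2xx answered without any login step
#   UNKNOWN    anything else; inspect by hand
classify_response() {
  tr -d '\r' | awk -v team="$TEAM_DOMAIN" '
    /^HTTP\// { status = $2; loc = "" }
    tolower($1) == "location:" { loc = $2 }
    END {
      # Trailing slash stops look-alike hosts such as <team domain>.other.tld
      prefix = "https://" team "/"
      if (status ~ /^3/ && index(loc, prefix) == 1) print "PROTECTED"
      else if (status ~ /^2/) print "EXPOSED"
      else print "UNKNOWN"
    }'
}

# Live check: HEAD request, no cookies, redirects not followed.
check_url() {
  curl -sS -I --max-time 10 "$1" | classify_response
}

# Constructed sample responses (the login path is an assumption; only the
# team domain comes from the guide).
sample_protected() { printf 'HTTP/2 302\r\nlocation: https://spwhin.cloudflareaccess.com/cdn-cgi/access/login/portal.spwhin.com\r\n\r\n'; }
sample_exposed() { printf 'HTTP/2 200\r\ncontent-type: text/html\r\n\r\n'; }
sample_lookalike() { printf 'HTTP/2 302\r\nlocation: https://spwhin.cloudflareaccess.com.unrelated.example/\r\n\r\n'; }

# Usage: sh check_access.sh https://portal.spwhin.com
if [ -n "${1:-}" ]; then
  check_url "$1"
fi
```

Run it against the CloudFront distribution domain as well: EXPOSED there means requests to that hostname reach the site without passing through the Access policy.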


Adding/Removing Access

Access is entirely managed through GitHub org membership:

  • Grant access: Invite to spwhin GitHub org
  • Revoke access: Remove from spwhin GitHub org

No Cloudflare config changes needed.


Cost

Users       Cost
Up to 50    Free
50+         $7/user/month (Cloudflare Access)

For SPW HI's team size, this will remain free for the foreseeable future.