diff --git a/endpoints/callbacks.py b/endpoints/callbacks.py
index f381074ad..aa5ee307c 100644
--- a/endpoints/callbacks.py
+++ b/endpoints/callbacks.py
@@ -193,10 +193,12 @@ def github_oauth_callback():
 
   found_email = None
   for user_email in get_email.json():
-    if not user_email['primary'] or not user_email['verified']:
-      break
+    if not user_email['verified']:
+      continue
 
     found_email = user_email['email']
+    if user_email['primary']:
+      break
 
   if found_email is None:
     err = 'There is no verified e-mail address attached to the GitHub account.'
diff --git a/static/js/services/key-service.js b/static/js/services/key-service.js
index 1c419b25e..deaab705b 100644
--- a/static/js/services/key-service.js
+++ b/static/js/services/key-service.js
@@ -23,7 +23,11 @@ angular.module('quay').factory('KeyService', ['$location', 'Config', function($l
   keyService['githubTriggerEndpoint'] = oauth['GITHUB_TRIGGER_CONFIG']['GITHUB_ENDPOINT'];
   keyService['githubTriggerAuthorizeUrl'] = oauth['GITHUB_TRIGGER_CONFIG']['AUTHORIZE_ENDPOINT'];
 
-  keyService['githubLoginScope'] = 'user:email,read:org';
+  keyService['githubLoginScope'] = 'user:email';
+  if (oauth['GITHUB_LOGIN_CONFIG']['ORG_RESTRICT']) {
+    keyService['githubLoginScope'] += ',read:org';
+  }
+
   keyService['googleLoginScope'] = 'openid email';
 
   keyService.isEnterprise = function(service) {
diff --git a/util/oauth.py b/util/oauth.py
index 731cec81a..466db4d98 100644
--- a/util/oauth.py
+++ b/util/oauth.py
@@ -117,7 +117,8 @@ class GithubOAuthConfig(OAuthConfig):
     return  {
       'CLIENT_ID': self.client_id(),
       'AUTHORIZE_ENDPOINT': self.authorize_endpoint(),
-      'GITHUB_ENDPOINT': self._endpoint()
+      'GITHUB_ENDPOINT': self._endpoint(),
+      'ORG_RESTRICT': self.config.get('ORG_RESTRICT', False)
     }