Commit a1b903b2 authored by Niall Sheridan

Update auth provider notes.

parent bd1e6a57
...@@ -60,9 +60,35 @@ Configuration is divided into three sections: `server`, `auth`, and `ssh`. ...@@ -60,9 +60,35 @@ Configuration is divided into three sections: `server`, `auth`, and `ssh`.
- `oauth_client_id` : string. Oauth Client ID. - `oauth_client_id` : string. Oauth Client ID.
- `oauth_client_secret` : string. Oauth secret. - `oauth_client_secret` : string. Oauth secret.
- `oauth_callback_url` : string. URL that the Oauth provider will redirect to after user authorisation. The path is hardcoded to `"/auth/callback"` in the source. - `oauth_callback_url` : string. URL that the Oauth provider will redirect to after user authorisation. The path is hardcoded to `"/auth/callback"` in the source.
- `provider_opts` : object. Additional options for the provider. - `provider_opts` : object. Additional options for the provider.
- `provider_opts: { domain }` : string. Applies to "google" provider. Only allow users from this Google Apps domain. This is optional but leaving it unset will allow anyone with a Google account to obtain ssh certificates so don't do that. - `provider_opts: { domain }` : string. Applies to "google" provider. Only allow users from this Google Apps domain. This is optional but leaving it unset will allow anyone with a Google account to obtain ssh certificates so don't do that.
#### Provider-specific options
Oauth providers can support provider-specific options - e.g. to ensure organization membership.
Options are set in the `provider_opts` hash.
Example:
```
"auth": {
"provider": "google",
"provider_opts" : {
"domain": "example.com",
"organization": ""
}
}
```
| Provider | Option | Notes | | |
|---------:|-------------:|----------------------------------------------------------------------------------------------------------------------------------------|---|---|
| Google | domain | If this is unset then any gmail user can obtain a token. | | |
| Github | organization | If this is unset then any GitHub user can obtain a token. The oauth client and secrets should be issued by the specified organization. | | |
| | | | | |
Supported options:
### ssh ### ssh
- `signing_key`: string. Path to the signing ssh private key you created earlier. - `signing_key`: string. Path to the signing ssh private key you created earlier.
- `additional_principals`: array of string. By default certificates will have one principal set - the username portion of the requester's email address. If `additional_principals` is set, these will be added to the certificate e.g. if your production machines use shared user accounts. - `additional_principals`: array of string. By default certificates will have one principal set - the username portion of the requester's email address. If `additional_principals` is set, these will be added to the certificate e.g. if your production machines use shared user accounts.
......
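Review bot: In the added example, `"organization": ""` sits under `"provider": "google"`, but the table lists `organization` as the GitHub option and warns that leaving it unset lets any GitHub user obtain a token. A reader who copies the block ends up with an empty restriction, and the text does not say whether an empty string is treated the same as unset. Drop the key from the Google example and add a separate GitHub example with a real organization value, and state how an empty value is handled. Separately, `Supported options:` lands after the table and directly before `### ssh`, so it introduces nothing; move it above the table. The table header also declares two extra empty columns and the table ends with an empty row; trim both. The existing `domain` bullet says "ssh certificates" while the new table says "token" for the same consequence, so pick one term.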