mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-03 00:40:25 +02:00
specify expected audience in Console config (#2442)
This commit is contained in:
parent
2b200f8704
commit
1931f11649
2 changed files with 12 additions and 1 deletions
|
@ -158,7 +158,7 @@ administrators: you@mydomain.com
|
|||
|
||||
Once you have set permissions in the console UI, you should remove this configuration.
|
||||
|
||||
### TLS and Signing Key
|
||||
### TLS, Signing Key and Audience
|
||||
|
||||
1. If your open-source Pomerium installation is already configured to use TLS to secure back-end communication, you can do the same for the Pomerium Enterprise Console by providing it a certificate, key, and optional custom CA file to validate the `databroker_service_url` connection:
|
||||
|
||||
|
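Review bot: renaming the heading from `### TLS and Signing Key` to `### TLS, Signing Key and Audience` also changes the anchor the site generates for it, so any existing link to `#tls-and-signing-key` elsewhere in the docs will silently break; grep the docs for that anchor and update it in the same change.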
@ -172,6 +172,14 @@ Once you have set permissions in the console UI, you should remove this configur
|
|||
|
||||
1. Set the [`signing_key`](/enterprise/reference/config.md#signing-key) to match Pomerium's.
|
||||
|
||||
1. Set the `audience` key to match the `from` domain value from your [Pomerium configuration](#update-pomerium), excluding protocol:
|
||||
|
||||
```yaml
|
||||
audience: console.localhost.pomerium.com
|
||||
```
|
||||
|
||||
This sets the expected "audience" key in the [JWT header](/reference/#jwt-claim-headers) to match what's provided by open-source Pomerium as it proxies traffic to the Enterprise Console UI.
|
||||
|
||||
Once complete, your `/etc/pomerium-console/config.yaml` file should look something like this:
|
||||
|
||||
```yaml
|
||||
|
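Review bot: the new step says what to set but not why it matters; `audience` is the value the Console compares against the JWT's `aud` claim, so a JWT Pomerium issued for a different route is not accepted by the Console, and one sentence saying so would explain why the value must equal the route's `from` host rather than reading as an arbitrary copy. Two wording points in the same step: "excluding protocol" leaves open whether a port in the `from` URL is also dropped (the example `console.localhost.pomerium.com` has none, so say so explicitly), and "expected 'audience' key in the JWT header" mixes up the claim inside the JWT with the HTTP headers the linked `#jwt-claim-headers` reference describes; "the `aud` claim of the JWT" is clearer.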
@ -188,6 +196,8 @@ tls_cert_file: /etc/pomerium-console/cert.pem
|
|||
tls_key_file: /etc/pomerium-console/key.pem
|
||||
|
||||
signing_key: "ZZZZZZZZZZZZZZ"
|
||||
|
||||
audience: console.localhost.pomerium.com
|
||||
```
|
||||
|
||||
## Next Steps
|
||||
|
|