3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-24 20:18:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

authenticate: infer settings from authenticate url (#83)

Browse source
This commit is contained in:
Bobby DeSimone 2019-04-10 12:16:00 -07:00 committed by GitHub
parent 06da599fbc
commit 603e6a17b9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 182 additions and 257 deletions
Download patch file Download diff file Expand all files Collapse all files

22
docs/docs/config-reference.md
View file

@ -87,7 +87,7 @@ If `false`
- Options: `debug` `info` `warn` `error`
- Default: `debug`
Log level sets the global logging level for pomerium. Only logs of the desired level and above will be logged.
Log level sets the global logging level for pomerium. Only logs of the desired level and above will be logged.
### Certificate
@ -107,22 +107,14 @@ Certificate key is the x509 _private-key_ used to establish secure HTTP and gRPC
## Authenticate Service
### Redirect URL
### Authenticate Service URL
- Environmental Variable: `REDIRECT_URL`
- Environmental Variable: `AUTHENTICATE_SERVICE_URL`
- Type: `URL`
- Required
- Example: `https://auth.corp.example.com/oauth2/callback`
- Example: `https://authenticate.corp.example.com`
Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). Note the URL ends with `/oauth2/callback`. This setting will mirror the URL set when configuring your [identity provider]. Typically, on the provider side, this is called an _authorized callback url_.
### Proxy Root Domains
- Environmental Variable: `PROXY_ROOT_DOMAIN`
- Type: `[]string` (e.g. comma separated list of strings)
- Required
Proxy Root Domains specifies the sub-domains that can proxy requests. For example, `httpbin.corp.example.com` would be a valid domain under the proxy root domain `corp.example.com`. If a proxy service attempts to authenticate a user from a non-whitelisted domain, an error will be returned.
Authenticate Service URL is the externally accessible URL for the authenticate service.
### Identity Provider Name
@ -191,7 +183,7 @@ Signing key is the base64 encoded key used to sign outbound requests. For more i
- Environmental Variable: `AUTHENTICATE_SERVICE_URL`
- Type: `URL`
- Required
- Example: `https://auth.corp.example.com`
- Example: `https://authenticate.corp.example.com`
Authenticate Service URL is the externally accessible URL for the authenticate service.
@ -227,7 +219,7 @@ Authorize Internal Service URL is the internally routed dns name of the authoriz
- Environmental Variable: `OVERRIDE_CERTIFICATE_NAME`
- Type: `int`
- Optional (but typically required if Authenticate Internal Service Address is set)
- Example: `*.corp.example.com` if wild card or `authenticate.corp.example.com`
- Example: `*.corp.example.com` if wild card or `authenticate.corp.example.com`/`authorize.corp.example.com`
When Authenticate Internal Service Address is set, secure service communication can fail because the external certificate name will not match the internally routed service url. This setting allows you to override that check.

6
docs/docs/examples/docker/basic.docker-compose.yml
View file

@ -13,18 +13,16 @@ services:
environment:
- POMERIUM_DEBUG=true
- SERVICES=all
- REDIRECT_URL=https://auth.corp.beyondperimeter.com/oauth2/callback
- IDP_PROVIDER=google
- IDP_PROVIDER_URL=https://accounts.google.com
- IDP_CLIENT_ID=REPLACE_ME.apps.googleusercontent.com
- IDP_CLIENT_SECRET=REPLACE_ME
- PROXY_ROOT_DOMAIN=beyondperimeter.com
- SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
- COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
- CERTIFICATE_FILE=cert.pem
- CERTIFICATE_KEY_FILE=privkey.pem
- AUTHENTICATE_SERVICE_URL=https://auth.corp.beyondperimeter.com
- AUTHORIZE_SERVICE_URL=https://access.corp.beyondperimeter.com
- AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
- AUTHORIZE_SERVICE_URL=https://authorize.corp.beyondperimeter.com
- POLICY_FILE=./policy.yaml
volumes:
- ./cert.pem:/pomerium/cert.pem:ro

10
docs/docs/examples/docker/nginx.docker-compose.yml
View file

@ -19,18 +19,16 @@ services:
environment:
- POMERIUM_DEBUG=true
- SERVICES=authenticate
- REDIRECT_URL=https://auth.corp.beyondperimeter.com/oauth2/callback
# Identity Provider Settings (Must be changed!)
- IDP_PROVIDER=google
- IDP_PROVIDER_URL=https://accounts.google.com
- IDP_CLIENT_ID=REPLACE_ME.apps.googleusercontent.com
- IDP_CLIENT_SECRET=REPLACE_ME
- PROXY_ROOT_DOMAIN=corp.beyondperimeter.com
- SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
- COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
# nginx settings
- VIRTUAL_PROTO=https
- VIRTUAL_HOST=auth.corp.beyondperimeter.com
- VIRTUAL_HOST=authenticate.corp.beyondperimeter.com
- VIRTUAL_PORT=443
volumes:
- ./cert.pem:/pomerium/cert.pem:ro
@ -45,8 +43,8 @@ services:
- POMERIUM_DEBUG=true
- SERVICES=proxy
- POLICY_FILE=policy.yaml
- AUTHENTICATE_SERVICE_URL=https://auth.corp.beyondperimeter.com
- AUTHORIZE_SERVICE_URL=https://access.corp.beyondperimeter.com
- AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
- AUTHORIZE_SERVICE_URL=https://authorize.corp.beyondperimeter.com
# IMPORTANT! If you are running pomerium behind another ingress (loadbalancer/firewall/etc)
# you must tell pomerium proxy how to communicate using an internal hostname for RPC
- AUTHENTICATE_INTERNAL_URL=pomerium-authenticate:443
@ -77,7 +75,7 @@ services:
- SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
# nginx settings
- VIRTUAL_PROTO=https
- VIRTUAL_HOST=access.corp.beyondperimeter.com
- VIRTUAL_HOST=authorize.corp.beyondperimeter.com
- VIRTUAL_PORT=443
volumes:
- ./cert.pem:/pomerium/cert.pem:ro

4
docs/docs/examples/kubernetes/authenticate.deploy.yml
View file

@ -25,16 +25,12 @@ spec:
env:
- name: SERVICES
value: authenticate
- name: REDIRECT_URL
value: https://auth.corp.beyondperimeter.com/oauth2/callback
- name: IDP_PROVIDER
value: google
- name: IDP_PROVIDER_URL
value: https://accounts.google.com
- name: IDP_CLIENT_ID
value: 851877082059-bfgkpj09noog7as3gpc3t7r6n9sjbgs6.apps.googleusercontent.com
- name: PROXY_ROOT_DOMAIN
value: beyondperimeter.com
- name: SHARED_SECRET
valueFrom:
secretKeyRef:

8
docs/docs/examples/kubernetes/ingress.nginx.yml
View file

@ -16,8 +16,8 @@ spec:
- secretName: pomerium-tls
hosts:
- "*.corp.beyondperimeter.com"
- "auth.corp.beyondperimeter.com"
- "access.corp.beyondperimeter.com"
- "authenticate.corp.beyondperimeter.com"
- "authorize.corp.beyondperimeter.com"
rules:
- host: "*.corp.beyondperimeter.com"
@ -28,14 +28,14 @@ spec:
serviceName: pomerium-proxy-service
servicePort: https
- host: "auth.corp.beyondperimeter.com"
- host: "authenticate.corp.beyondperimeter.com"
http:
paths:
- paths:
backend:
serviceName: pomerium-authenticate-service
servicePort: https
- host: "access.corp.beyondperimeter.com"
- host: "authorize.corp.beyondperimeter.com"
http:
paths:
- paths:

8
docs/docs/examples/kubernetes/ingress.yml
View file

@ -12,8 +12,8 @@ spec:
- secretName: pomerium-tls
hosts:
- "*.corp.beyondperimeter.com"
- "auth.corp.beyondperimeter.com"
- "access.corp.beyondperimeter.com"
- "authenticate.corp.beyondperimeter.com"
- "authorize.corp.beyondperimeter.com"
rules:
- host: "*.corp.beyondperimeter.com"
@ -23,14 +23,14 @@ spec:
backend:
serviceName: pomerium-proxy-service
servicePort: https
- host: "auth.corp.beyondperimeter.com"
- host: "authenticate.corp.beyondperimeter.com"
http:
paths:
- paths:
backend:
serviceName: pomerium-authenticate-service
servicePort: https
- host: "access.corp.beyondperimeter.com"
- host: "authorize.corp.beyondperimeter.com"
http:
paths:
- paths:

4
docs/docs/examples/kubernetes/proxy.deploy.yml
View file

@ -26,11 +26,11 @@ spec:
- name: SERVICES
value: proxy
- name: AUTHORIZE_SERVICE_URL
value: https://access.corp.beyondperimeter.com
value: https://authorize.corp.beyondperimeter.com
- name: AUTHORIZE_INTERNAL_URL
value: "pomerium-authorize-service.pomerium.svc.cluster.local"
- name: AUTHENTICATE_SERVICE_URL
value: https://auth.corp.beyondperimeter.com
value: https://authenticate.corp.beyondperimeter.com
- name: AUTHENTICATE_INTERNAL_URL
value: "pomerium-authenticate-service.pomerium.svc.cluster.local"
- name: OVERRIDE_CERTIFICATE_NAME

18
docs/docs/identity-providers.md
View file

@ -14,7 +14,7 @@ There are a few configuration steps required for identity provider integration.
In this guide we'll cover how to do the following for each identity provider:
1. Set a **[Redirect URL]** pointing back to Pomerium.
1. Set a **Redirect URL** pointing back to Pomerium. That is, `https://${AUTHENTICATE_SERVICE_URL}/oauth2/callback`
2. Generate a **[Client ID]** and **[Client Secret]**.
3. Configure Pomerium to use the **[Client ID]** and **[Client Secret]** keys.
@ -69,7 +69,7 @@ Click on **Save** and the key will be displayed. **Make sure to copy the value o
![Creating a Key](./microsoft/azure-create-key.png)
Next you need to ensure that the Pomerium's Redirect URL is listed in allowed reply URLs for the created application. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. Then click **Settings** -> **Reply URLs** and add Pomerium's redirect URL. For example, `https://sso-auth.corp.beyondperimeter.com/oauth2/callback`.
Next you need to ensure that the Pomerium's Redirect URL is listed in allowed reply URLs for the created application. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. Then click **Settings** -> **Reply URLs** and add Pomerium's redirect URL. For example, `https://authenticate.corp.beyondperimeter.com/oauth2/callback`.
![Add Reply URL](./microsoft/azure-redirect-url.png)
@ -109,7 +109,6 @@ Finally, configure Pomerium with the identity provider settings retrieved in the
```bash
# Azure
REDIRECT_URL="https://sso-auth.corp.beyondperimeter.com/oauth2/callback"
IDP_PROVIDER="azure"
IDP_PROVIDER_URL="https://login.microsoftonline.com/{REPLACE-ME-SEE-ABOVE}/v2.0"
IDP_CLIENT_ID="REPLACE-ME"
@ -133,7 +132,7 @@ On the **Applications** page, add a new application by setting the following par
Field | Description
------------ | --------------------------------------------------------------------
Name | The name of your web app
Redirect URI | [Redirect URL] (e.g.`https://auth.corp.example.com/oauth2/callback`)
Redirect URI | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`)
Scopes | **Must** select **read_user** and **openid**
![Create New Credentials](./gitlab/gitlab-create-application.png)
@ -147,7 +146,6 @@ Your [Client ID] and [Client Secret] will be displayed:
Set [Client ID] and [Client Secret] in Pomerium's settings. Your [environmental variables] should look something like this.
```bash
REDIRECT_URL="https://sso-auth.corp.beyondperimeter.com/oauth2/callback"
IDP_PROVIDER="gitlab"
# NOTE!!! Provider url is optional, but should be set if you are running an on-premise instance
# defaults to : https://gitlab.com, a local copy would look something like `http://gitlab.corp.beyondperimeter.com`
@ -175,7 +173,7 @@ On the **Create [Client ID]** page, select **Web application**. In the new field
Field | Description
------------------------ | --------------------------------------------------------------------
Name | The name of your web app
Authorized redirect URIs | [Redirect URL] (e.g.`https://auth.corp.example.com/oauth2/callback`)
Authorized redirect URIs | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`)
![Web App Credentials Configuration](./google/google-create-client-id-config.png)
@ -229,7 +227,6 @@ Next we'll delegate G-suite group membership access to the service account we ju
Your [environmental variables] should look something like this.
```bash
REDIRECT_URL="https://sso-auth.corp.beyondperimeter.com/oauth2/callback"
IDP_PROVIDER="google"
IDP_PROVIDER_URL="https://accounts.google.com"
IDP_CLIENT_ID="yyyy.apps.googleusercontent.com"
@ -253,7 +250,7 @@ Field | Description
---------------------------- | ---------------------------------------------------------------------
Name | The name of your application.
Base URIs (optional) | The domain(s) of your application.
Login redirect URIs | [Redirect URL] (e.g.`https://auth.corp.example.com/oauth2/callback`).
Login redirect URIs | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`).
Group assignments (optional) | The user groups that can sign in to this application.
Grant type allowed | **You must enable Refresh Token.**
@ -296,7 +293,6 @@ Include in | Any scope
Finally, configure Pomerium with the identity provider settings retrieved in the pervious steps. Your [environmental variables] should look something like this.
```bash
REDIRECT_URL="https://sso-auth.corp.beyondperimeter.com/oauth2/callback"
IDP_PROVIDER="okta"
IDP_PROVIDER_URL="https://dev-108295-admin.oktapreview.com/"
IDP_CLIENT_ID="0oairksnr0C0fEJ7l0h7"
@ -319,7 +315,7 @@ On the App Configuration page, **name the app** and **select a logo**. Select **
![One Login select logo](./one-login/one-login-select-logo.png)
Next, set set the **Redirect URI's** setting to be Pomerium's [redirect url].
Next, set set the **Redirect URI's** setting to be Pomerium's redirect url `https://${AUTHENTICATE_SERVICE_URL}/oauth2/callback`.
![One Login set callback url](./one-login/one-login-callback-url.png)
@ -345,7 +341,6 @@ To return the user's Active Directory field, configure the group to return `memb
Finally, configure Pomerium with the identity provider settings retrieved in the pervious steps. Your [environmental variables] should look something like this.
```bash
REDIRECT_URL="https://auth.corp.beyondperimeter.com/oauth2/callback"
IDP_PROVIDER="onelogin"
IDP_PROVIDER_URL="https://openid-connect.onelogin.com/oidc"
IDP_CLIENT_ID="9e613ce0-1622-0137-452d-0a93c31f8392142934"
@ -361,4 +356,3 @@ After reloading Pomerium, you should be able to see any login events from your O
[environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
[oauth2]: https://oauth.net/2/
[openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect
[redirect url]: ./config-reference.html#redirect-url