docs: update references, remove docs dir (#3420)

* docs: update references, remove docs dir

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* Update README.md

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>

* Update Docs Paths

* precommit

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* remove spellcheck

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* spell the check

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
bobby 2022-06-13 16:52:52 -07:00 committed by GitHub
parent fc116b83d3
commit ebbb6a7ff2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
318 changed files with 20 additions and 32969 deletions

2
.github/CODEOWNERS vendored

@ -1,3 +1 @@
* @pomerium/dev-backend
/docs/ @ghost
/package.json @pomerium/docs @pomerium/dev


@ -49,9 +49,6 @@ jobs:
- name: Lint
if: runner.os == 'Linux'
run: make lint
- name: spellcheck
if: runner.os == 'Linux'
run: make spellcheck
- name: test
if: runner.os != 'Linux'
run: make test


@ -35,7 +35,7 @@ GETENVOY_VERSION = v0.2.0
GORELEASER_VERSION = v0.174.2
.PHONY: all
all: clean build-deps test lint spellcheck build ## Runs a clean, build, fmt, lint, test, and vet.
all: clean build-deps test lint build ## Runs a clean, build, fmt, lint, test, and vet.
.PHONY: generate-mocks
@ -61,11 +61,6 @@ deps-release: get-envoy ## Install release dependencies
build-deps: deps-build deps-release
@echo "==> $@"
.PHONY: docs
docs: ## Start the vuepress docs development server
@echo "==> $@"
@yarn && yarn docs:dev
.PHONY: tag
tag: ## Create a new git tag to prepare to build a release
git tag -sa $(VERSION) -m "$(VERSION)"
@ -105,11 +100,6 @@ test: get-envoy ## Runs the go tests.
@echo "==> $@"
@$(GO) test -tags "$(BUILDTAGS)" $(shell $(GO) list ./... | grep -v vendor | grep -v github.com/pomerium/pomerium/integration)
.PHONY: spellcheck
spellcheck: # Spellcheck docs
@echo "==> Spell checking docs..."
@$(GO) run github.com/client9/misspell/cmd/misspell -error -source=text docs/
.PHONY: cover
cover: get-envoy ## Runs go test with coverage
@echo "==> $@"
@ -138,13 +128,6 @@ yarn:
@echo "==> $@"
cd ui ; yarn install --network-timeout 120000
.PHONY: gen-docs
gen-docs:
@echo "==> $@"
pip3 install ruamel.yaml
python3 ./scripts/generate-settings-docs.py
node scripts/generate-console-pages.js
.PHONY: help
help:
@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
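Review bot: The help text on the updated `all` target still reads "Runs a clean, build, fmt, lint, test, and vet", but the prerequisites on the new line are `clean build-deps test lint build`, with no fmt or vet target among them. Because the `help` target prints these `##` comments verbatim, I would reword it to `## Runs clean, build-deps, test, lint, and build.` so the output matches what actually runs. With `spellcheck` dropped here and from the workflow, it is also worth checking whether `github.com/client9/misspell` is still pinned in a tools file or go.mod; if nothing else uses it, removing it trims an unused dependency. That file is not visible in this section.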


@ -1,4 +1,4 @@
<a href="https://pomerium.io" title="Pomerium is a zero trust, context and identity aware access proxy."><img src="https://www.pomerium.com/wp-content/uploads/2021/08/Pomerium-H-white-bg.png" height="70" alt="pomerium logo"></a>
<a href="https://pomerium.com" title="Pomerium is a zero trust, context and identity aware access proxy."><img src="https://www.pomerium.com/wp-content/uploads/2021/08/Pomerium-H-white-bg.png" height="70" alt="pomerium logo"></a>
[![pomerium chat](https://img.shields.io/badge/chat-on%20slack-blue.svg?style=flat&logo=slack)](http://slack.pomerium.io)
[![GitHub Actions](https://img.shields.io/github/workflow/status/pomerium/pomerium/Release?style=flat)](https://github.com/pomerium/pomerium/actions?query=workflow%3ARelease)
@ -23,7 +23,7 @@ For comprehensive docs, and tutorials see our [documentation].
[documentation]: https://pomerium.com/docs/
[go environment]: https://golang.org/doc/install
[godocs]: https://godoc.org/github.com/pomerium/pomerium
[quick start guide]: https://www.pomerium.io/guide/
[quick start guide]: https://www.pomerium.com/docs/install/quickstart
## Integration Tests


@ -40,7 +40,7 @@ import (
const DisableHeaderKey = "disable"
const (
idpCustomScopesDocLink = "https://www.pomerium.io/reference/#identity-provider-scopes"
idpCustomScopesDocLink = "https://www.pomerium.com/docs/reference/identity-provider-scopes"
idpCustomScopesWarnMsg = "config: using custom scopes may result in undefined behavior, see: " + idpCustomScopesDocLink
)
@ -172,7 +172,7 @@ type Options struct {
CAFile string `mapstructure:"certificate_authority_file" yaml:"certificate_authority_file,omitempty"`
// SigningKey is the private key used to add a JWT-signature to upstream requests.
// https://www.pomerium.io/docs/topics/getting-users-identity.html
// https://www.pomerium.com/docs/topics/getting-users-identity.html
SigningKey string `mapstructure:"signing_key" yaml:"signing_key,omitempty"`
HeadersEnv string `yaml:",omitempty"`
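Review bot: The rewritten comment above `SigningKey` keeps the `.html` suffix (`https://www.pomerium.com/docs/topics/getting-users-identity.html`), while the other links updated in this commit (`idpCustomScopesDocLink` and the README quick start link) use extensionless paths on the new site. If the new site does not serve `.html` paths, this reference is dead; after confirming the target, I would write it as `// https://www.pomerium.com/docs/topics/getting-users-identity`. `idpCustomScopesDocLink` is concatenated into the runtime warning `idpCustomScopesWarnMsg`, so that URL deserves the same check, since operators will follow it straight from their logs. The `Options` struct continues outside the hunk.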


@ -1,61 +0,0 @@
<template>
<SimpleNewsletter v-slot="{ slotProps }">
<div class="newsletter__wrap">
<div class="my-title">{{ slotProps.title }}</div>
<div class="my-content">{{ slotProps.content }}</div>
<input
class="my-input"
type="email"
name="email"
aria-label="Email"
placeholder="Email"
v-model="slotProps.mail"
required
autocapitalize="off"
autocorrect="off"
data-cy="email"
/>
<button type="submit" class="my-button" data-cy="submit">
{{ slotProps.submitText }}
</button>
</div>
</SimpleNewsletter>
</template>
<style>
.my-title {
font-size: 1.7rem;
display: block;
text-align: center;
}
.my-content {
margin-top: 1.5rem;
margin-bottom: 1.5rem;
line-height: 1.7rem;
}
.my-input {
font-size: inherit;
border: 1px solid #e8e8fb;
padding: 0.6rem 1.2rem;
box-sizing: border-box;
border-radius: 3px;
margin-bottom: 0.8rem;
outline: none;
}
.my-button {
font-size: inherit;
border: none;
cursor: pointer;
background: #6f43e7;
color: #fff;
padding: 0.6rem 1.8rem;
box-sizing: border-box;
border-radius: 3px;
outline: none;
}
</style>


@ -1,17 +0,0 @@
<template> </template>
<script>
/** Redirects to the given 'to' url, which is relative to the current location. */
export default {
name: "Redirect",
props: {
to: {
type: String,
required: true,
},
},
beforeMount() {
document.location.replace(this.to);
},
};
</script>


@ -1,352 +0,0 @@
// .vuepress/config.js
module.exports = {
title: "Pomerium",
description:
"Pomerium is a beyond-corp inspired, zero trust, open source identity-aware access proxy.",
plugins: [
"vuepress-plugin-element-tabs",
"vuepress-plugin-mermaidjs",
["vuepress-plugin-code-copy", true],
[
"vuepress-plugin-mailchimp",
{
endpoint: "https://pomerium.us19.list-manage.com/subscribe/post?u=76f0996a737c138396687fd6b&amp;id=2f4f70cf07",
title: "Pomerium Newsletter",
content: "Updates on Pomerium and related security news.",
submitText: "Subscribe"
}
],
[
"check-md",
{
pattern: "**/*.md",
},
],
[
"sitemap",
{
hostname: "https://www.pomerium.com",
outFile: "docs/sitemap.xml",
exclude: [
'/partials/generate-recovery-token.html',
'/partials/install-mkcert.html',
'/tcp/service-template.html',
],
},
],
[
"@vuepress/google-analytics",
{
ga: "UA-129872447-2",
},
],
[
'@limdongjin/vuepress-plugin-simple-seo',
{
root_url: 'https://www.pomerium.com/',
default_site_name: 'Pomerium Documentation',
default_twitter_site: '@pomerium_io',
default_twitter_creator: '@pomerium_io',
default_image: 'img/pomerium-icon-1.png',
default_twitter_card: 'summary',
},
],
],
markdown: {
externalLinkSymbol: false,
extendMarkdown: (md) => {
md.use(require("markdown-it-include"), {
root: "./docs/partials/",
});
},
},
themeConfig: {
home: false,
activeHeaderLinks: false,
logo: "/img/logo_white.svg",
repo: "pomerium/pomerium",
editLinks: true,
docsDir: "docs",
editLinkText: "Edit this page on GitHub",
lastUpdated: "Last Updated",
nav: [
{ text: "Documentation", link: "/docs/" },
{ text: "Reference", link: "/reference/" },
{ text: "Guides", link: "/guides/" },
{
text: "Enterprise",
link: "/enterprise/about/",
},
{
text: "v0.17.x", // current tagged version
ariaLabel: "Version menu",
items: [
{ text: "🚧Dev", link: "https://main.docs.pomerium.io/docs" },
{ text: "v0.17.x", link: "https://0-17-0.docs.pomerium.io/docs" },
{ text: "v0.16.x", link: "https://0-16-0.docs.pomerium.io/docs" },
{ text: "v0.15.x", link: "https://0-15-0.docs.pomerium.io/docs" },
{ text: "v0.14.x", link: "https://0-14-0.docs.pomerium.io/docs" },
{ text: "v0.13.x", link: "https://0-13-0.docs.pomerium.io/docs" },
{ text: "v0.12.x", link: "https://0-12-0.docs.pomerium.io/docs" },
{ text: "v0.11.x", link: "https://0-11-0.docs.pomerium.io/docs" },
{ text: "v0.10.x", link: "https://0-10-0.docs.pomerium.io/docs" },
{ text: "v0.9.x", link: "https://0-9-0.docs.pomerium.io/docs" },
{ text: "v0.8.x", link: "https://0-8-0.docs.pomerium.io/docs" },
{ text: "v0.7.x", link: "https://0-7-0.docs.pomerium.io/docs" },
{ text: "v0.6.x", link: "https://0-6-0.docs.pomerium.io/docs" },
{ text: "v0.5.x", link: "https://0-5-0.docs.pomerium.io/docs" },
{ text: "v0.4.x", link: "https://0-4-0.docs.pomerium.io/docs" },
{ text: "v0.3.x", link: "https://0-3-0.docs.pomerium.io/docs" },
{ text: "v0.2.x", link: "https://0-2-0.docs.pomerium.io/docs" },
{ text: "v0.1.x", link: "https://0-1-0.docs.pomerium.io/docs" },
],
},
],
algolia: {
apiKey: "1653e881f3a6c17d3ad37f4d4c428e20",
indexName: "pomerium",
},
sidebar: {
"/docs/": [
{
title: "Overview",
type: "group",
collapsable: false,
sidebarDepth: 0,
children: [
"",
"glossary",
"releases",
"architecture",
"background",
"troubleshooting",
"upgrading",
"CHANGELOG",
],
},
{
title: "Install",
collapsable: false,
path: "/docs/install/",
type: "group",
sidebarDepth: 0,
children: [
"install/",
["k8s/helm", "Kubernetes"],
"install/binary",
"install/from-source",
],
},
{
title: "Identity Providers",
collapsable: true,
path: "/docs/identity-providers/",
type: "group",
sidebarDepth: 0,
initialOpenGroupIndex: 0,
children: [
"identity-providers/",
"identity-providers/auth0",
"identity-providers/azure",
"identity-providers/cognito",
"identity-providers/github",
"identity-providers/gitlab",
"identity-providers/google",
"identity-providers/okta",
"identity-providers/one-login",
"identity-providers/ping",
],
},
{
title: "Production",
collapsable: true,
type: "group",
children: [
"/docs/security",
"/docs/production-deployment",
]
},
{
title: "TCP Connections",
collapsable: false,
path: "/docs/tcp/",
type: "group",
sidebarDepth: 1,
children: [
"tcp/",
"tcp/client",
{
title: "Examples",
collapsable: true,
type: "group",
sidebarDepth: 0,
children: [
"tcp/git",
"tcp/ms-sql",
"tcp/mysql",
"tcp/rdp",
"tcp/redis",
"tcp/ssh",
],
},
],
},
{
title: "Kubernetes",
collapsable: false,
path: "/docs/k8s/",
type: "group",
sidebarDepth: 0,
children: [
"k8s/",
"k8s/helm",
"k8s/ingress",
]
},
{
title: "Topics",
collapsable: false,
path: "/docs/topics/",
type: "group",
sidebarDepth: 0,
children: [
"topics/certificates",
"topics/data-storage",
"topics/device-identity",
"topics/getting-users-identity",
"topics/original-request-context",
"topics/mutual-auth",
"topics/ppl",
"topics/programmatic-access",
"topics/single-sign-out",
"topics/load-balancing",
],
},
{
title: "Community",
collapsable: false,
path: "/docs/community/",
type: "group",
sidebarDepth: 0,
children: [
"community/",
"community/contributing",
"community/code-of-conduct",
"community/security",
],
},
],
"/guides/": [
{
title: "Guides",
type: "group",
collapsable: false,
sidebarDepth: 1,
children: [
"",
"ad-guard",
"argo",
"cloud-run",
"mtls",
"cockpit",
"code-server",
"admin-enroll-device",
"enroll-device",
"grafana",
"gitlab",
"istio",
"jwt-verification",
"kubernetes",
"kubernetes-dashboard",
"local-oidc",
"nginx",
"synology",
"tcp",
"tiddlywiki",
"traefik-ingress",
"transmission",
"upstream-mtls",
],
},
],
"/reference/": [
{
title: "",
type: "group",
collapsable: false,
sidebarDepth: 1,
children: [""],
},
],
"/enterprise/": [
{
title: "Enterprise",
type: "group",
collapsable: false,
sidebarDepth: 2,
children: [
"about",
"concepts",
{
title: "Install",
type: "group",
collapsable: false,
path: "/enterprise/install/",
sidebarDepth: 2,
children: [
"/enterprise/install/quickstart",
"/enterprise/install/helm",
],
},
"metrics",
{
title: "Reference",
type: "group",
collapsable: false,
path: "/enterprise/reference/configure",
sidebarDepth: 2,
children: [
"/enterprise/reference/config.md",
"/enterprise/reference/reports",
"/enterprise/reference/manage",
"/enterprise/reference/configure",
],
},
"api",
"upgrading",
"changelog",
],
},
],
},
},
head: [
//Hack: Make clicking on the logo go to home url
[
"script",
{},
`
const logoUrlChanger = setInterval(function() {
//Anchor above the logo image
const homeEls = document.getElementsByClassName("home-link");
if(homeEls.length > 0) {
const homeEl = homeEls[0];
homeEl.setAttribute("href", "https://www.pomerium.com");
homeEl.setAttribute("onclick", "document.location='https://www.pomerium.com';return false;");
clearInterval(logoUrlChanger);
}
//Actual logo image
const logoEls = document.getElementsByClassName("logo")
if(logoEls.length > 0) {
const logoEl = logoEls[0]
logoEl.setAttribute("onclick", "document.location='https://www.pomerium.com';return false;");
clearInterval(logoUrlChanger);
}
}, 1000)
`,
],
],
};


@ -1,18 +0,0 @@
export default ({ router }) => {
if(typeof process === 'undefined' || process.env.VUE_ENV !== 'server') {
router.onReady(() => {
const { app } = router;
app.$once("hook:mounted", () => {
setTimeout(() => {
const { hash } = document.location;
if (hash.length > 1) {
const id = decodeURIComponent(hash.substring(1));
const element = document.getElementById(id);
if (element) element.scrollIntoView();
}
}, 500);
});
});
}
}


@ -1,74 +0,0 @@
/docs/reference/reference /configuration/
/docs/reference/reference.html /configuration/
/docs/configuration/ /configuration/
/docs/config-reference.html /configuration/
/configuration/ /reference/
/community/ /docs/community/
/community/index.html /docs/community/
/community/contributing /docs/community/contributing.html
/community/contributing.html /docs/community/contributing.html
/community/code-of-conduct /docs/community/code-of-conduct.html
/community/code-of-conduct.html /docs/community/code-of-conduct.html
/community/security /docs/community/security.html
/community/security.html /docs/community/security.html
/guide/ /docs/quick-start/
/guide/kubernetes.html /docs/quick-start/kubernetes.html
/guide/kubernetes /docs/quick-start/kubernetes.html
/guide/synology /docs/quick-start/synology.html
/guide/synology.html /docs/quick-start/synology.html
/docs/examples.html /recipes/
/docs/examples /recipes/
/recipes/ /guides/
/recipes/ad-guard.html /guides/ad-guard.html
/recipes/argo.html /guides/argo.html
/recipes/cloud-run.html /guides/cloud-run.html
/recipes/istio.html /guides/istio.html
/recipes/kubernetes.html /guides/kubernetes.html
/recipes/local-oidc.html /guides/local-oidc.html
/recipes/mtls.html /guides/mtls.html
/recipes/vs-code-server.html /guides/code-server.html
/guides/vs-code-server.html /guides/code-server.html
/docs/reference/ /docs/topics/
/docs/reference/readme.html /docs/topics/readme.html
/docs/reference/certificates.html /docs/topics/certificates.html
/docs/reference/data-storage.html /docs/topics/data-storage.html
/docs/reference/getting-users-identity.html /docs/topics/getting-users-identity.html
/docs/reference/production-deployment.html /docs/topics/production-deployment.html
/docs/reference/programmatic-access.html /docs/topics/programmatic-access.html
/docs/reference/examples.html /configuration/examples.html
/posts/2020/06/01/release-0-9/ /blog/posts-2020-06-01-release-0-9/
/posts/2020/05/11/release-0-8/ /blog/announcing-pomerium-0-8/
/posts/2020/04/16/release-0-7/ /blog/announcing-pomerium-0-7/
/jobs/ /careers/
/jobs/Frontend-Engineer.html /careers/frontend-engineer/
/jobs/Backend-Engineer.html /careers/backend-engineer/
/enterprise/ /
/enterprise/service-accounts/ /enterprise/reference/configure.html#service-accounts
/enter[rise/service-accounts /enterprise/reference/configure.html#service-accounts
/enterprise/service-accounts.html /enterprise/reference/configure.html#service-accounts
/enterprise/prometheus.html /enterprise/metrics.html
/docs/installation.html /
/docs/installation /docs/install
/docs/quick-start /docs/install
/docs/quick-start/binary.html /docs/install/binary.html
/docs/quick-start/helm.html /docs/install/helm.html
/docs/quick-start/from-source.html /docs/install/from-source.html
/docs/quick-start/synology.html /docs/guides/synology.html
/docs/client.html /docs/tcp/client.html
/docs/topics/tcp-support.html /docs/tcp/
/docs/install/helm.html /docs/k8s/helm.html
/docs/topics/kubernetes-integration.html /docs/k8s/
/docs/FAQ.html /docs/troubleshooting.html

Binary file not shown.



@ -1 +0,0 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 188.48 188.48"><defs><style>.cls-1{fill:#6f43e7;}.cls-2,.cls-3{fill:#fff;fill-rule:evenodd;}.cls-2{opacity:0.4;}</style></defs><g id="Layer_2" data-name="Layer 2"><g id="Capa_1" data-name="Capa 1"><rect class="cls-1" width="188.48" height="188.48"/><path class="cls-2" d="M155.6,49.17l6.7,2.09V63.39C151.72,64.86,143.92,73,143.92,84v55.3l-6.9-.15-.14-.31-13.15-.28V81.92A16.41,16.41,0,0,0,116,67.81l-.27.19a14.57,14.57,0,0,0-5.43.6C102,71,96.88,78.09,96.88,87.07v51.22l-6.82-.15-.3-.31-11.17-.24V84.92a16,16,0,0,0-6.43-13l-.24.2-.07,0c-9-.36-15.73,7.83-15.73,17.66v47.69l-6.83-.15L49,137l-7.69-.16V62.23l22.2-2.47,91.75-10.25.07-.31Z"/><path class="cls-3" d="M26.17,63.62,63.5,59.45l92.1-10.28V61.3c-10.28,1.19-18.39,10-18.39,19.7v58.16l-13.78-.3V81.92c0-9.69-7.78-16.88-17.06-16-9,.85-16.2,9-16.2,18.22v54l-11.88-.25v-53c0-9-6.75-15.74-14.77-15h0c-7.82.74-14.09,8.33-14.09,16.91v50.42L39,137q0-12.31,0-24.65V87.53c0-8.39-5.86-14.7-12.88-14.1Z"/></g></g></svg>


Binary file not shown.


Binary file not shown.



@ -1 +0,0 @@
<svg viewBox="0 0 1119.78 278.43" xmlns="http://www.w3.org/2000/svg"><g fill="#fff" transform="translate(-76.61 -191.46)"><path d="m453.81 236.69a29.54 29.54 0 0 1 -2.81 12.83q-5.16 11.11-18.16 15.5a24.7 24.7 0 0 1 -7.82 1.57 36.4 36.4 0 0 1 -16.75-3.6v-1.57a30.48 30.48 0 0 0 21.13-2.5q8.61-4.38 11.74-14.41a20.53 20.53 0 0 0 .94-5.94v-3.45q-.31-11-5.79-17.45t-15.34-6.5h-18v93.45a10.05 10.05 0 0 0 3.05 7 9.49 9.49 0 0 0 7 2.89h2v1.57h-34.29v-1.57h2a9.49 9.49 0 0 0 7-2.89 10.05 10.05 0 0 0 3.05-7v-87.5a10.16 10.16 0 0 0 -3.28-6.49 9.61 9.61 0 0 0 -6.74-2.59h-1.87l-.16-1.56h40.85q15 0 23.64 8.06t8.61 22.15z"/><path d="m493.73 226.12a60 60 0 0 1 53.06 0 48.42 48.42 0 0 1 19.21 17.46 49.2 49.2 0 0 1 0 51 48.34 48.34 0 0 1 -19.17 17.46 53.62 53.62 0 0 1 -24.73 6.18 64.2 64.2 0 0 1 -22.39-3.6 51.55 51.55 0 0 1 -16.82-10 46.19 46.19 0 0 1 -11.31-15.62q-4.15-9.24-4.15-21.68a43.65 43.65 0 0 1 7.12-23.71 48.38 48.38 0 0 1 19.18-17.49zm-2.9 75q11.82 12.45 29.35 12.44a39.06 39.06 0 0 0 29.43-12.44q11.89-12.45 11.89-32t-11.89-32a39.06 39.06 0 0 0 -29.43-12.44q-17.53 0-29.35 12.44t-11.82 32q-.01 19.54 11.82 31.98z"/><path d="m713.18 314.48h2.35v1.57h-32.53v-1.41h2.35a5.71 5.71 0 0 0 4.15-1.8 4.94 4.94 0 0 0 1.48-4.3l-8.17-64.54-29.58 58.23q-4.38 9.56-5.48 16h-1.56l-37.73-72.79-7 63.09a4.92 4.92 0 0 0 1.48 4.22 5.78 5.78 0 0 0 4.31 1.88h2.19v1.41h-29v-1.57h2.35a10.42 10.42 0 0 0 8.77-4.07 9.51 9.51 0 0 0 1.87-4.85l12.21-85.62h1.57l41.32 79.52 39.92-79.52h1.41l12.68 85.93a9.58 9.58 0 0 0 3.6 6.27 11 11 0 0 0 7.04 2.35z"/><path d="m727.42 314.48a8.89 8.89 0 0 0 6.34-2.42 8.31 8.31 0 0 0 2.74-5.87v-74.35a7.45 7.45 0 0 0 -2.66-5.8 9.39 9.39 0 0 0 -6.42-2.34h-2.19v-1.57h45.71a59.57 59.57 0 0 0 11.27-.94 37 37 0 0 0 6.26-1.56v17.84l-1.72-.16v-2.31a8 8 0 0 0 -2.19-5.64 7.42 7.42 0 0 0 -5.64-2.35h-32.56v39.76h26.77a6 6 0 0 0 4.77-1.88 6.84 6.84 0 0 0 1.65-4.69v-2h1.72v21.92h-1.72v-2q0-4.38-3.29-5.95a11 11 0 0 0 -2.66-.62h-27.24v39.65h24.58a26.59 26.59 0 0 0 12.13-2.51 21 21 0 0 0 
7.51-5.95 53.55 53.55 0 0 0 5.25-9.07h1.56l-8.61 22.38h-63.55v-1.57z"/><path d="m838.4 227h-8.29v79a8.37 8.37 0 0 0 4.38 7.36 9.4 9.4 0 0 0 4.54 1.09h2l.16 1.57h-32.06v-1.57h2.19a8.69 8.69 0 0 0 6.18-2.42 7.75 7.75 0 0 0 2.59-5.87v-74.32a7.52 7.52 0 0 0 -2.59-5.8 8.88 8.88 0 0 0 -6.18-2.34h-2.19v-1.57h39.29q14.72 0 23.24 6.73a21.46 21.46 0 0 1 8.54 17.69q0 10.95-6.89 18.31a27 27 0 0 1 -17.53 8.46q5 2.19 12.05 12.21-.17 0 5.4 6.88t8.92 10.73c2.24 2.55 4.1 4.51 5.56 5.86a18.76 18.76 0 0 0 13.3 5.48v1.57h-4.85q-12.36 0-19.41-4.85a45.75 45.75 0 0 1 -9.7-8.93q-.94-1.25-7.91-11t-7.43-10.41q-8.46-10.49-15.81-10.49v-1.56q18.32 0 22.07-1.88c3.44-1.78 5.79-3.65 7-5.64a25.44 25.44 0 0 0 3.91-13.77q0-9.56-5.63-14.72t-15.18-5.63c-2.78-.17-6.02-.17-9.67-.17z"/><path d="m909.47 314.48a11.42 11.42 0 0 0 7.35-2.5 7.42 7.42 0 0 0 3.13-6v-73.83a7.42 7.42 0 0 0 -3.13-6 11.65 11.65 0 0 0 -7.51-2.5h-2v-1.57h35.37v1.57h-2a11.6 11.6 0 0 0 -7.28 2.34 8.05 8.05 0 0 0 -3.37 5.8v74.35a7.72 7.72 0 0 0 3.29 5.87 11.65 11.65 0 0 0 7.36 2.42h2l.16 1.57h-35.56v-1.57z"/><path d="m1055.35 223.7h-2.35a7.22 7.22 0 0 0 -6.41 3.28 6.78 6.78 0 0 0 -1.1 3.29v52.73q0 16.29-10.41 25.75t-28.57 9.47q-18.15 0-28.64-9.39t-10.49-25.67v-52.73a6.18 6.18 0 0 0 -2.19-4.78 7.71 7.71 0 0 0 -5.32-2h-2.35v-1.57h29.74v1.57h-2.35a7.73 7.73 0 0 0 -5.32 2 6.18 6.18 0 0 0 -2.19 4.78v50.87q0 15.18 7.75 23.95t21.91 8.76q14.18 0 22.7-8.29t8.53-22.7v-52.59a6.71 6.71 0 0 0 -2.27-4.86 7.61 7.61 0 0 0 -5.24-1.87h-2.35v-1.57h26.92z"/><path d="m1194 314.48h2.35v1.57h-32.56v-1.41h2.35a5.69 5.69 0 0 0 4.14-1.8 4.92 4.92 0 0 0 1.49-4.3l-8.14-64.5-29.58 58.23q-4.38 9.56-5.48 16h-1.57l-37.72-72.79-7 63.09a4.92 4.92 0 0 0 1.48 4.22 5.78 5.78 0 0 0 4.31 1.88h2.19v1.41h-29v-1.57h2.35a10.42 10.42 0 0 0 8.77-4.07 9.51 9.51 0 0 0 1.87-4.85l12.21-85.62h1.57l41.32 79.52 39.92-79.52h1.41l12.67 85.93a9.63 9.63 0 0 0 3.61 6.27 11 11 0 0 0 7.04 2.31z"/><path d="m682.75 341.8v-.08s0 .05 0 .08z"/><path d="m682.74 367.33v.09s0-.06 0-.09z"/><path 
d="m682.75 393s0 0 0 0z"/><path d="m682.74 418.57v.09s0-.06 0-.09z"/><path d="m337.76 215.82a24.36 24.36 0 0 0 -24.36-24.36h-212.4a24.36 24.36 0 0 0 -24.36 24.36v100.37h16.8v-28a34.11 34.11 0 1 1 68.21 0v28h12.18v-28a34.11 34.11 0 1 1 68.21 0v28h12.18v-28a34.1 34.1 0 1 1 68.2 0v28h15.33zm-244.32 25.31a34.11 34.11 0 1 1 68.21 0zm80.39 0a34.11 34.11 0 1 1 68.21 0zm80.39 0a34.11 34.11 0 1 1 68.21 0z"/><path d="m682.74 444.19v.08s0 0 0-.08z"/><path d="m682.75 469.89v-.09s0 .06 0 .09z"/></g></svg>



@ -1 +0,0 @@
<svg viewBox="0 0 1119.78 126.78" xmlns="http://www.w3.org/2000/svg"><g fill="#6e43e8" transform="translate(-76.61 -191.46)"><path d="m453.81 236.69a29.54 29.54 0 0 1 -2.81 12.83q-5.16 11.11-18.16 15.5a24.7 24.7 0 0 1 -7.82 1.57 36.4 36.4 0 0 1 -16.75-3.6v-1.57a30.48 30.48 0 0 0 21.13-2.5q8.61-4.38 11.74-14.41a20.53 20.53 0 0 0 .94-5.94v-3.45q-.31-11-5.79-17.45t-15.34-6.5h-18v93.45a10.05 10.05 0 0 0 3.05 7 9.49 9.49 0 0 0 7 2.89h2v1.57h-34.29v-1.57h2a9.49 9.49 0 0 0 7-2.89 10.05 10.05 0 0 0 3.05-7v-87.5a10.16 10.16 0 0 0 -3.28-6.49 9.61 9.61 0 0 0 -6.74-2.59h-1.87l-.16-1.56h40.85q15 0 23.64 8.06t8.61 22.15z"/><path d="m493.73 226.12a60 60 0 0 1 53.06 0 48.42 48.42 0 0 1 19.21 17.46 49.2 49.2 0 0 1 0 51 48.34 48.34 0 0 1 -19.17 17.46 53.62 53.62 0 0 1 -24.73 6.18 64.2 64.2 0 0 1 -22.39-3.6 51.55 51.55 0 0 1 -16.82-10 46.19 46.19 0 0 1 -11.31-15.62q-4.15-9.24-4.15-21.68a43.65 43.65 0 0 1 7.12-23.71 48.38 48.38 0 0 1 19.18-17.49zm-2.9 75q11.82 12.45 29.35 12.44a39.06 39.06 0 0 0 29.43-12.44q11.89-12.45 11.89-32t-11.89-32a39.06 39.06 0 0 0 -29.43-12.44q-17.53 0-29.35 12.44t-11.82 32q-.01 19.54 11.82 31.98z"/><path d="m713.18 314.48h2.35v1.57h-32.53v-1.41h2.35a5.71 5.71 0 0 0 4.15-1.8 4.94 4.94 0 0 0 1.48-4.3l-8.17-64.54-29.58 58.23q-4.38 9.56-5.48 16h-1.56l-37.73-72.79-7 63.09a4.92 4.92 0 0 0 1.48 4.22 5.78 5.78 0 0 0 4.31 1.88h2.19v1.41h-29v-1.57h2.35a10.42 10.42 0 0 0 8.77-4.07 9.51 9.51 0 0 0 1.87-4.85l12.21-85.62h1.57l41.32 79.52 39.92-79.52h1.41l12.68 85.93a9.58 9.58 0 0 0 3.6 6.27 11 11 0 0 0 7.04 2.35z"/><path d="m727.42 314.48a8.89 8.89 0 0 0 6.34-2.42 8.31 8.31 0 0 0 2.74-5.87v-74.35a7.45 7.45 0 0 0 -2.66-5.8 9.39 9.39 0 0 0 -6.42-2.34h-2.19v-1.57h45.71a59.57 59.57 0 0 0 11.27-.94 37 37 0 0 0 6.26-1.56v17.84l-1.72-.16v-2.31a8 8 0 0 0 -2.19-5.64 7.42 7.42 0 0 0 -5.64-2.35h-32.56v39.76h26.77a6 6 0 0 0 4.77-1.88 6.84 6.84 0 0 0 1.65-4.69v-2h1.72v21.92h-1.72v-2q0-4.38-3.29-5.95a11 11 0 0 0 -2.66-.62h-27.24v39.65h24.58a26.59 26.59 0 0 0 12.13-2.51 21 21 0 0 0 
7.51-5.95 53.55 53.55 0 0 0 5.25-9.07h1.56l-8.61 22.38h-63.55v-1.57z"/><path d="m838.4 227h-8.29v79a8.37 8.37 0 0 0 4.38 7.36 9.4 9.4 0 0 0 4.54 1.09h2l.16 1.57h-32.06v-1.57h2.19a8.69 8.69 0 0 0 6.18-2.42 7.75 7.75 0 0 0 2.59-5.87v-74.32a7.52 7.52 0 0 0 -2.59-5.8 8.88 8.88 0 0 0 -6.18-2.34h-2.19v-1.57h39.29q14.72 0 23.24 6.73a21.46 21.46 0 0 1 8.54 17.69q0 10.95-6.89 18.31a27 27 0 0 1 -17.53 8.46q5 2.19 12.05 12.21-.17 0 5.4 6.88t8.92 10.73c2.24 2.55 4.1 4.51 5.56 5.86a18.76 18.76 0 0 0 13.3 5.48v1.57h-4.85q-12.36 0-19.41-4.85a45.75 45.75 0 0 1 -9.7-8.93q-.94-1.25-7.91-11t-7.43-10.41q-8.46-10.49-15.81-10.49v-1.56q18.32 0 22.07-1.88c3.44-1.78 5.79-3.65 7-5.64a25.44 25.44 0 0 0 3.91-13.77q0-9.56-5.63-14.72t-15.18-5.63c-2.78-.17-6.02-.17-9.67-.17z"/><path d="m909.47 314.48a11.42 11.42 0 0 0 7.35-2.5 7.42 7.42 0 0 0 3.13-6v-73.83a7.42 7.42 0 0 0 -3.13-6 11.65 11.65 0 0 0 -7.51-2.5h-2v-1.57h35.37v1.57h-2a11.6 11.6 0 0 0 -7.28 2.34 8.05 8.05 0 0 0 -3.37 5.8v74.35a7.72 7.72 0 0 0 3.29 5.87 11.65 11.65 0 0 0 7.36 2.42h2l.16 1.57h-35.56v-1.57z"/><path d="m1055.35 223.7h-2.35a7.22 7.22 0 0 0 -6.41 3.28 6.78 6.78 0 0 0 -1.1 3.29v52.73q0 16.29-10.41 25.75t-28.57 9.47q-18.15 0-28.64-9.39t-10.49-25.67v-52.73a6.18 6.18 0 0 0 -2.19-4.78 7.71 7.71 0 0 0 -5.32-2h-2.35v-1.57h29.74v1.57h-2.35a7.73 7.73 0 0 0 -5.32 2 6.18 6.18 0 0 0 -2.19 4.78v50.87q0 15.18 7.75 23.95t21.91 8.76q14.18 0 22.7-8.29t8.53-22.7v-52.59a6.71 6.71 0 0 0 -2.27-4.86 7.61 7.61 0 0 0 -5.24-1.87h-2.35v-1.57h26.92z"/><path d="m1194 314.48h2.35v1.57h-32.56v-1.41h2.35a5.69 5.69 0 0 0 4.14-1.8 4.92 4.92 0 0 0 1.49-4.3l-8.14-64.5-29.58 58.23q-4.38 9.56-5.48 16h-1.57l-37.72-72.79-7 63.09a4.92 4.92 0 0 0 1.48 4.22 5.78 5.78 0 0 0 4.31 1.88h2.19v1.41h-29v-1.57h2.35a10.42 10.42 0 0 0 8.77-4.07 9.51 9.51 0 0 0 1.87-4.85l12.21-85.62h1.57l41.32 79.52 39.92-79.52h1.41l12.67 85.93a9.63 9.63 0 0 0 3.61 6.27 11 11 0 0 0 7.04 2.31z"/><path d="m337.76 215.82a24.36 24.36 0 0 0 -24.36-24.36h-212.4a24.36 24.36 0 0 0 -24.36 
24.36v100.37h16.8v-28a34.11 34.11 0 1 1 68.21 0v28h12.18v-28a34.11 34.11 0 1 1 68.21 0v28h12.18v-28a34.1 34.1 0 1 1 68.2 0v28h15.33zm-244.32 25.31a34.11 34.11 0 1 1 68.21 0zm80.39 0a34.11 34.11 0 1 1 68.21 0zm80.39 0a34.11 34.11 0 1 1 68.21 0z"/></g></svg>


Binary file not shown.


Binary file not shown.


File diff suppressed because one or more lines are too long


Binary file not shown.



@ -1,23 +0,0 @@
<svg width="169" height="30" viewBox="0 0 169 30" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0)">
<path d="M5.99392 28.579C5.39445 28.5024 4.5909 28.8341 4.23377 28.4132C3.88939 28.005 4.14448 27.227 4.13173 26.6147C4.13173 22.0485 4.13173 17.4824 4.14448 12.9034C4.14448 11.7555 3.95316 10.6586 3.26441 9.70198C2.60116 8.78364 1.70833 8.15866 0.509388 8.10764C0.0884826 8.09489 -0.0135551 7.94183 -0.000800398 7.54644C0.024709 6.84493 0.024709 6.14342 -0.000800398 5.44191C-0.0135551 5.08478 0.0757279 4.90621 0.458369 4.86795C2.48637 4.66387 4.51437 4.43429 6.52962 4.2047C9.42494 3.88583 12.3075 3.55421 15.2028 3.23534C18.0471 2.91648 20.8914 2.61036 23.7485 2.29149C26.5545 1.98538 29.3606 1.67927 32.1666 1.3604C35.266 1.01602 38.3654 0.658891 41.4648 0.314513C41.5413 0.301759 41.6178 0.352778 41.6944 0.378287C41.9495 0.607872 42.0005 0.913985 42.0132 1.24561C42.0132 1.94712 42.026 2.64863 42.0132 3.35014C41.9877 4.28123 41.8985 4.39602 41.0184 4.63836C40.2531 4.84244 39.5133 5.09753 38.8628 5.5567C37.0261 6.83217 36.044 8.57957 36.0313 10.8244C36.0058 16.5385 36.0313 22.2399 36.0185 27.954C36.0185 28.3876 36.1206 28.8596 35.7124 29.2039C34.4369 29.1912 33.1615 29.1657 31.886 29.1784C31.3631 29.1912 31.261 28.9871 31.261 28.5152C31.2738 22.6735 31.261 16.8319 31.2738 10.9902C31.2738 9.34485 30.7508 7.96734 29.5136 6.85768C29.2713 6.65361 29.0417 6.43678 28.7228 6.34749C27.7535 6.14342 26.7841 5.92659 25.7892 6.04138C23.3914 6.30923 21.3123 8.32447 21.0062 10.7096C20.9042 11.4621 20.8532 12.2274 20.8532 12.9927C20.8659 17.916 20.8659 22.8393 20.8532 27.7627C20.8532 28.1708 20.968 28.63 20.5215 28.9233C20.445 28.9233 20.3812 28.9233 20.3047 28.9233C19.4884 28.7958 18.6721 28.9616 17.8558 28.8341C16.7589 28.7958 16.7589 28.7958 16.7589 27.7116C16.7589 22.4695 16.7461 17.2273 16.7589 11.9978C16.7589 10.3397 16.2487 8.92395 14.935 7.85255C14.8202 7.76327 14.6799 7.69949 14.5523 7.63572C13.2258 7.32961 11.8866 7.06176 10.5984 7.75051C8.7872 8.69436 7.88162 10.2632 7.85611 12.2912C7.81784 17.1762 7.84335 22.0485 7.84335 26.9336C7.84335 27.2525 7.84335 27.5713 7.8306 
27.8902C7.81784 28.1581 7.75407 28.3876 7.52448 28.5662C7.0143 28.681 6.50411 28.63 5.99392 28.579Z" fill="#6F43E7"/>
<path d="M83.5434 15.2774C83.6454 17.8539 83.3903 20.4303 83.7092 23.0323C82.5868 23.0323 81.3878 23.0323 80.2017 23.0323C80.5205 20.9916 80.342 18.9253 80.342 16.859C80.342 14.7928 80.5078 12.7137 80.2017 10.5709C81.5792 10.5709 83.0587 10.5709 84.5255 10.5709C84.6276 10.5709 84.7423 10.5709 84.7423 10.724C84.7423 11.4638 85.2015 12.0377 85.4949 12.6627C86.4005 14.6014 87.3188 16.5402 88.2371 18.4661C88.3264 18.6447 88.3519 18.8743 88.607 19.0146C88.9386 18.3386 89.2575 17.6881 89.5764 17.0248C90.4565 15.1882 91.4003 13.3897 92.1656 11.502C92.2804 11.2214 92.2549 10.7368 92.4334 10.6347C92.7396 10.4817 93.1732 10.5582 93.5559 10.5582C94.6655 10.5582 95.7624 10.5582 96.8721 10.5582C96.9103 10.5582 96.9486 10.5837 97.0124 10.5965C96.7828 11.0429 96.77 11.5403 96.77 12.025C96.77 15.2392 96.77 18.4406 96.77 21.6548C96.77 22.114 96.7828 22.5859 97.0124 23.0451C95.7879 23.0451 94.6017 23.0451 93.4156 23.0451C93.6069 22.165 93.7089 16.4891 93.5431 15.2902C93.3263 15.3157 93.3263 15.5198 93.2625 15.6601C92.2294 17.6498 91.209 19.6523 90.2779 21.6931C90.2014 21.8716 90.0611 22.216 90.0611 22.216C90 23 89.4233 23.0323 88.7983 23.0833C87.8035 23.1471 87.2168 23.0451 86.7959 21.8461C85.9796 19.563 84.7806 17.4202 83.7475 15.2264C83.6709 15.2647 83.6072 15.2647 83.5434 15.2774Z" fill="#6F43E7"/>
<path d="M160.748 19.1043C161.985 16.4768 163.375 14.0152 164.345 11.3749C164.612 10.6479 164.919 10.5586 165.544 10.5714C166.73 10.6097 167.916 10.5842 168.987 10.5842C168.911 14.7422 168.911 18.8747 169 23.0583C167.967 23.0583 166.794 23.0583 165.62 23.0583C165.926 20.4946 165.671 17.9054 165.786 15.3162C165.518 15.3162 165.518 15.482 165.467 15.584C164.485 17.561 163.503 19.5252 162.533 21.5022C162.431 21.7063 162.317 21.9231 162.253 22.1399C162.164 22.4333 162.176 22.9307 162.01 23.0073C161.666 23.1603 161.232 23.0838 160.824 23.0965C160.378 23.0965 159.88 23.2113 159.498 23.0583C159.115 22.9052 159.255 22.3313 159.077 21.9614C158.006 19.7293 156.96 17.4845 155.824 15.2651C155.799 17.8671 155.608 20.4436 155.863 23.071C154.753 23.071 153.554 23.071 152.483 23.071C152.572 18.9385 152.585 14.7932 152.47 10.5969C153.758 10.5969 155.212 10.5969 156.666 10.5969C156.845 10.5969 156.909 10.6352 156.921 10.8393C156.947 11.1326 157.036 11.426 157.164 11.6938C158.286 14.0917 159.434 16.4768 160.569 18.8747C160.595 18.9002 160.646 18.9513 160.748 19.1043Z" fill="#6F43E7"/>
<path d="M99.9841 10.5831C101.158 10.5831 102.484 10.5831 103.823 10.5831C106.259 10.5831 108.708 10.5958 111.145 10.5703C111.642 10.5703 111.833 10.6468 111.859 11.208C111.884 11.9861 112.076 12.7514 112.203 13.5932C110.991 13.236 109.818 13.0065 108.619 12.9299C107.012 12.8279 105.392 12.8917 103.785 12.8917C103.441 12.8917 103.288 13.0575 103.288 13.4019C103.3 13.9758 103.3 14.5498 103.288 15.1237C103.275 15.5447 103.466 15.6977 103.862 15.685C105.89 15.6212 107.93 15.889 109.971 15.3406C109.856 16.1441 109.741 16.9094 109.652 17.6874C109.614 18.0573 109.346 17.9808 109.129 17.9808C107.446 17.9808 105.775 18.0063 104.091 17.968C103.428 17.9553 103.224 18.1849 103.275 18.8099C103.313 19.32 103.288 19.8302 103.288 20.3404C103.288 20.6083 103.39 20.7868 103.696 20.7868C106.132 20.7358 108.581 20.9144 111.017 20.6848C111.578 20.6338 112.063 20.3659 112.624 20.0598C112.484 21.0674 112.382 22.0113 112.229 22.9296C112.178 23.223 111.872 23.0827 111.693 23.0827C108.951 23.0954 106.208 23.0827 103.479 23.0827C102.267 23.0827 101.068 23.0827 99.9969 23.0827C100.073 18.8991 100.073 14.7539 99.9841 10.5831Z" fill="#6F43E7"/>
<path d="M136.578 10.5957C137.789 10.5957 138.976 10.5957 140.162 10.5957C139.881 12.088 140.06 13.6058 140.021 15.1109C139.996 16.1312 140.009 17.1516 140.034 18.172C140.085 20.0087 140.889 20.8377 142.687 21.0035C143.261 21.0546 143.835 20.9908 144.396 20.8505C145.353 20.6209 145.991 19.8174 146.016 18.5929C146.067 16.1695 146.042 13.7589 146.029 11.3355C146.029 11.0931 145.927 10.8508 145.863 10.5957C147.049 10.5957 148.235 10.5957 149.473 10.5957C149.065 11.7054 149.269 12.8533 149.23 13.9757C149.179 15.6466 149.383 17.3302 149.128 19.0011C148.771 21.3224 147.368 22.6999 145.072 23.1463C143.529 23.4525 141.986 23.4269 140.468 23.0315C138.274 22.4576 136.897 20.6592 136.845 18.2995C136.807 16.2588 136.833 14.218 136.833 12.19C136.845 11.6416 136.807 11.1186 136.578 10.5957Z" fill="#6F43E7"/>
<path d="M35.7131 29.1938C35.7131 23.0843 35.7259 16.9747 35.7259 10.8525C35.7259 7.63829 37.8432 4.99807 40.9936 4.32207C41.5038 4.20727 41.6951 4.02871 41.6823 3.49301C41.6441 2.45988 41.6951 1.41399 41.7079 0.380859C42.3073 0.444633 42.843 0.712482 43.417 0.852784C43.6976 0.916557 43.7741 1.12063 43.7614 1.37573C43.7614 2.3706 43.7486 3.37822 43.7614 4.37309C43.7741 4.85776 43.4552 4.89603 43.1109 4.97256C40.764 5.55927 39.0931 6.92403 38.2386 9.21988C37.9707 9.9469 37.8687 10.6994 37.8687 11.4647C37.8814 17.115 37.8687 22.7654 37.8687 28.4157C37.8687 29.232 37.8687 29.232 37.0396 29.1938C36.606 29.2065 36.1595 29.2065 35.7131 29.1938Z" fill="#C5B7DD"/>
<path d="M20.5222 28.9121C20.6243 28.6188 20.5987 28.3254 20.5987 28.032C20.5987 22.6751 20.6115 17.3181 20.5987 11.9611C20.5987 9.84381 21.3385 8.10917 23.0094 6.79543C24.7058 5.46894 27.0526 5.29037 28.7363 6.33626C25.6624 6.22147 22.7415 8.65762 22.7288 12.5478C22.716 17.7262 22.7288 22.8919 22.7288 28.0703C22.7288 28.9504 22.7288 28.9504 21.8615 28.9376C21.415 28.9249 20.9686 28.9249 20.5222 28.9121Z" fill="#C5B7DD"/>
<path d="M7.52529 28.5557C7.51254 26.1961 7.49978 23.8492 7.49978 21.4896C7.49978 18.4157 7.47428 15.329 7.51254 12.2552C7.53805 9.80625 9.18341 7.62519 11.4155 7.10225C12.5251 6.8344 13.6093 6.92368 14.5787 7.62519C11.7088 7.71448 10.038 10.0486 9.7191 12.3317C9.62982 13.0077 9.60431 13.6837 9.60431 14.3597C9.61707 18.8493 9.60431 23.3518 9.60431 27.8414C9.60431 28.6705 9.60431 28.6705 8.80077 28.645C8.37986 28.645 7.95895 28.5939 7.52529 28.5557Z" fill="#C5B7DD"/>
<path d="M133.797 23.0707C132.534 23.0707 131.361 23.0707 130.328 23.0707C130.379 18.9127 130.379 14.7802 130.328 10.6094C131.361 10.6094 132.56 10.6094 133.81 10.6094C133.529 11.1451 133.542 11.719 133.542 12.2802C133.542 15.3414 133.542 18.4025 133.542 21.4636C133.529 21.9993 133.542 22.5223 133.797 23.0707Z" fill="#6F43E7"/>
<path d="M17.8567 28.8361C18.673 28.7979 19.4893 28.7851 20.3056 28.9254C19.4893 28.9764 18.6602 29.0019 17.8567 28.8361Z" fill="#C5B7DD"/>
<path d="M5.99463 28.5802C6.50482 28.5674 7.01501 28.5674 7.52519 28.5547C7.02776 28.8225 6.50482 28.6695 5.99463 28.5802Z" fill="#C5B7DD"/>
<path d="M128.21 23.0453C126.68 21.4255 125.851 19.2061 123.67 18.1603C123.861 18.071 123.976 18.02 124.091 17.9689C125.647 17.3057 126.463 15.9537 126.323 14.2701C126.157 12.2803 125.366 11.1962 123.529 10.8263C120.596 10.2396 117.611 10.7243 114.805 10.5457C114.984 14.7548 114.933 18.8873 114.831 23.0453C115.902 23.0453 117.101 23.0453 118.3 23.0453C117.93 21.7443 118.16 20.4434 118.109 19.1551C118.096 18.7852 118.376 18.7342 118.683 18.7215C120.915 18.5812 122.496 19.576 123.504 21.7443C123.708 22.1652 123.848 22.5862 123.631 23.0453C125.187 23.0453 126.705 23.0453 128.21 23.0453ZM122.012 16.4256C120.825 16.7572 119.614 16.5787 118.402 16.5659C118.109 16.5659 118.096 16.3236 118.096 16.1068C118.096 15.2139 118.096 14.3211 118.096 13.441C118.096 13.1222 118.223 12.9691 118.542 12.9691C119.052 12.9691 119.563 12.9691 120.073 12.9691C120.073 12.9818 120.073 12.9946 120.073 12.9946C120.609 12.9946 121.132 12.9563 121.654 13.0074C122.56 13.0839 123.045 13.5941 123.147 14.4614C123.249 15.3925 122.828 16.196 122.012 16.4256Z" fill="#6F43E7"/>
<path d="M77.4594 14.7167C76.9237 12.3698 75.4313 11.0178 73.0972 10.5842C71.4136 10.2653 69.7172 10.2653 68.0336 10.6224C65.827 11.0944 64.3602 12.4081 63.8118 14.6274C63.4547 16.0687 63.4547 17.5355 63.8118 18.9768C64.3602 21.1961 65.7122 22.6119 67.9953 23.0838C68.8754 23.2624 69.7555 23.3517 70.7249 23.3261C71.3626 23.3644 72.0514 23.2879 72.7529 23.1986C75.087 22.918 76.7834 21.5022 77.3828 19.2446C77.791 17.7523 77.8165 16.2345 77.4594 14.7167ZM74.2452 18.8875C73.9773 19.8058 73.4033 20.4563 72.485 20.7369C71.2095 21.1323 69.9341 21.1323 68.6841 20.6604C67.9061 20.367 67.3576 19.8186 67.1025 19.0278C66.6433 17.6248 66.6178 16.1963 67.0515 14.7805C67.3321 13.8366 67.9571 13.2117 68.8882 12.9183C69.9468 12.5867 71.031 12.5739 72.0896 12.8163C73.5947 13.1606 74.3344 14.1683 74.4875 15.9284C74.513 16.2218 74.4875 16.5279 74.4875 16.8212C74.5258 17.5227 74.4365 18.2115 74.2452 18.8875Z" fill="#6F43E7"/>
<path d="M61.6052 14.0013C61.4012 12.4325 60.4446 11.2845 58.9268 10.8636C58.2508 10.6723 57.562 10.583 56.8478 10.583C54.7432 10.583 52.6387 10.583 50.5342 10.583C50.3556 10.583 50.1643 10.5193 50.0623 10.583C50.4194 12.7003 50.2153 14.7793 50.2281 16.8456C50.2281 18.9119 50.4066 20.9909 50.0878 23.0571C51.2612 23.0571 52.4474 23.0571 53.6846 23.0571C53.2764 21.9092 53.5188 20.7996 53.4422 19.7027C53.404 19.2307 53.5443 19.0904 54.029 19.0904C55.432 19.0904 56.835 19.1797 58.2253 18.9884C59.9726 18.7461 61.2609 17.5981 61.567 15.889C61.6818 15.264 61.6945 14.639 61.6052 14.0013ZM57.4217 16.5522C56.2483 16.9349 55.0366 16.8328 53.8249 16.8073C53.4933 16.7946 53.4422 16.5267 53.4422 16.2461C53.4422 15.7742 53.4422 15.315 53.4422 14.8431C53.4422 14.3712 53.4422 13.912 53.4422 13.4401C53.4422 13.185 53.506 12.9682 53.8249 12.9682C54.9856 12.9427 56.159 12.8406 57.3069 13.134C58.085 13.3381 58.4421 13.8482 58.4931 14.7283C58.5441 15.6467 58.1742 16.3099 57.4217 16.5522Z" fill="#6F43E7"/>
</g>
<defs>
<clipPath id="clip0">
<rect width="169" height="28.9149" fill="white" transform="translate(0 0.316406)"/>
</clipPath>
</defs>
</svg>


@ -1,23 +0,0 @@
<svg width="161" height="28" viewBox="0 0 161 28" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0)">
<path d="M5.71009 27.3796C5.13899 27.3067 4.37349 27.6226 4.03326 27.2216C3.70518 26.8328 3.9482 26.0916 3.93605 25.5083C3.93605 21.1583 3.93605 16.8083 3.9482 12.4461C3.9482 11.3525 3.76594 10.3075 3.10979 9.39618C2.47794 8.52132 1.62737 7.92592 0.485183 7.87732C0.0842016 7.86516 -0.0130059 7.71935 -0.000854965 7.34267C0.0234469 6.67437 0.0234469 6.00607 -0.000854965 5.33777C-0.0130059 4.99754 0.0720507 4.82743 0.436579 4.79098C2.36858 4.59656 4.30058 4.37784 6.22043 4.15913C8.97869 3.85535 11.7248 3.53943 14.4831 3.23566C17.1927 2.93188 19.9024 2.64026 22.6242 2.33649C25.2974 2.04486 27.9706 1.75324 30.6438 1.44947C33.5965 1.12139 36.5492 0.781165 39.5019 0.45309C39.5748 0.440939 39.6477 0.489543 39.7206 0.513845C39.9636 0.732562 40.0122 1.02418 40.0244 1.34011C40.0244 2.00841 40.0365 2.67671 40.0244 3.34501C40.0001 4.23203 39.915 4.34139 39.0766 4.57226C38.3475 4.76667 37.6428 5.00969 37.0231 5.44713C35.2733 6.66222 34.3377 8.3269 34.3256 10.4655C34.3013 15.9091 34.3256 21.3406 34.3134 26.7842C34.3134 27.1973 34.4106 27.6469 34.0218 27.975C32.8067 27.9628 31.5916 27.9385 30.3765 27.9507C29.8783 27.9628 29.7811 27.7684 29.7811 27.3188C29.7933 21.7537 29.7811 16.1886 29.7933 10.6234C29.7933 9.05596 29.2951 7.74366 28.1164 6.68652C27.8856 6.49211 27.6668 6.28554 27.3631 6.20049C26.4396 6.00607 25.5161 5.7995 24.5684 5.90886C22.284 6.16403 20.3034 8.08388 20.0117 10.3561C19.9145 11.073 19.8659 11.8021 19.8659 12.5311C19.8781 17.2214 19.8781 21.9117 19.8659 26.6019C19.8659 26.9907 19.9753 27.4282 19.55 27.7077C19.4771 27.7077 19.4164 27.7077 19.3434 27.7077C18.5658 27.5861 17.7881 27.7441 17.0105 27.6226C15.9655 27.5861 15.9655 27.5861 15.9655 26.5533C15.9655 21.5593 15.9533 16.5652 15.9655 11.5834C15.9655 10.0037 15.4794 8.65498 14.2279 7.6343C14.1185 7.54924 13.9849 7.48849 13.8634 7.42773C12.5997 7.13611 11.3238 6.88094 10.0966 7.53709C8.37115 8.43626 7.50843 9.93083 7.48413 11.8628C7.44767 16.5166 7.47198 21.1583 7.47198 25.8121C7.47198 26.1159 7.47198 26.4197 
7.45983 26.7234C7.44767 26.9786 7.38692 27.1973 7.1682 27.3674C6.68216 27.4768 6.19613 27.4282 5.71009 27.3796Z" fill="white"/>
<path d="M79.5888 14.7074C79.686 17.1619 79.443 19.6164 79.7468 22.0952C78.6775 22.0952 77.5353 22.0952 76.4053 22.0952C76.709 20.1511 76.5389 18.1826 76.5389 16.2142C76.5389 14.2457 76.6969 12.2651 76.4053 10.2237C77.7176 10.2237 79.1271 10.2237 80.5244 10.2237C80.6217 10.2237 80.731 10.2237 80.731 10.3695C80.731 11.0743 81.1684 11.6211 81.4479 12.2165C82.3106 14.0634 83.1855 15.9104 84.0604 17.7452C84.1454 17.9153 84.1697 18.134 84.4128 18.2677C84.7287 17.6237 85.0324 17.004 85.3362 16.3721C86.1746 14.6224 87.0738 12.9091 87.8029 11.1108C87.9122 10.8434 87.8879 10.3817 88.058 10.2845C88.3497 10.1387 88.7628 10.2116 89.1273 10.2116C90.1844 10.2116 91.2294 10.2116 92.2866 10.2116C92.323 10.2116 92.3595 10.2359 92.4202 10.248C92.2015 10.6733 92.1894 11.1472 92.1894 11.6089C92.1894 14.671 92.1894 17.7209 92.1894 20.7829C92.1894 21.2203 92.2015 21.6699 92.4202 22.1074C91.2537 22.1074 90.1237 22.1074 88.9937 22.1074C89.1759 21.2689 89.2731 15.8618 89.1152 14.7196C88.9086 14.7439 88.9086 14.9383 88.8478 15.072C87.8636 16.9675 86.8915 18.8752 86.0045 20.8194C85.9316 20.9895 85.798 21.1596 85.798 21.3175C85.8223 22.241 85.1904 22.0952 84.595 22.1438C83.6472 22.2046 83.0883 22.1074 82.6873 20.9652C81.9097 18.7902 80.7675 16.7488 79.7832 14.6588C79.7103 14.6953 79.6496 14.6953 79.5888 14.7074Z" fill="white"/>
<path d="M153.138 18.3527C154.317 15.8496 155.641 13.5044 156.565 10.9892C156.82 10.2966 157.112 10.2115 157.707 10.2237C158.837 10.2601 159.967 10.2358 160.988 10.2358C160.915 14.1971 160.915 18.134 161 22.1195C160.016 22.1195 158.898 22.1195 157.78 22.1195C158.072 19.6771 157.829 17.2105 157.938 14.7438C157.683 14.7438 157.683 14.9018 157.634 14.999C156.699 16.8824 155.763 18.7537 154.84 20.6371C154.742 20.8315 154.633 21.038 154.572 21.2446C154.487 21.5241 154.499 21.998 154.341 22.0709C154.013 22.2167 153.6 22.1438 153.211 22.1559C152.786 22.1559 152.312 22.2653 151.948 22.1195C151.583 21.9737 151.717 21.4269 151.547 21.0745C150.526 18.9481 149.53 16.8095 148.448 14.6952C148.424 17.174 148.242 19.6285 148.485 22.1316C147.427 22.1316 146.285 22.1316 145.265 22.1316C145.35 18.1947 145.362 14.2457 145.252 10.248C146.48 10.248 147.865 10.248 149.25 10.248C149.42 10.248 149.481 10.2844 149.493 10.4789C149.517 10.7583 149.602 11.0378 149.724 11.293C150.793 13.5774 151.887 15.8496 152.968 18.134C152.993 18.1583 153.041 18.2069 153.138 18.3527Z" fill="white"/>
<path d="M95.2515 10.2358C96.3694 10.2358 97.633 10.2358 98.9089 10.2358C101.23 10.2358 103.563 10.2479 105.884 10.2236C106.357 10.2236 106.54 10.2965 106.564 10.8312C106.588 11.5724 106.771 12.3014 106.892 13.1034C105.738 12.7632 104.62 12.5445 103.478 12.4716C101.947 12.3743 100.403 12.4351 98.8724 12.4351C98.5444 12.4351 98.3986 12.5931 98.3986 12.9211C98.4107 13.4679 98.4107 14.0147 98.3986 14.5615C98.3864 14.9625 98.5687 15.1083 98.9453 15.0962C100.877 15.0354 102.822 15.2906 104.766 14.7681C104.656 15.5336 104.547 16.2627 104.462 17.0039C104.425 17.3562 104.17 17.2833 103.964 17.2833C102.36 17.2833 100.768 17.3076 99.1641 17.2712C98.5322 17.259 98.3378 17.4777 98.3864 18.0731C98.4229 18.5592 98.3986 19.0452 98.3986 19.5313C98.3986 19.7864 98.4958 19.9565 98.7874 19.9565C101.108 19.9079 103.441 20.078 105.762 19.8593C106.297 19.8107 106.758 19.5556 107.293 19.2639C107.159 20.2239 107.062 21.123 106.916 21.9979C106.868 22.2774 106.576 22.1437 106.406 22.1437C103.794 22.1559 101.181 22.1437 98.5808 22.1437C97.4265 22.1437 96.2843 22.1437 95.2636 22.1437C95.3365 18.1582 95.3365 14.2091 95.2515 10.2358Z" fill="white"/>
<path d="M130.112 10.248C131.267 10.248 132.397 10.248 133.527 10.248C133.259 11.6697 133.43 13.1157 133.393 14.5495C133.369 15.5216 133.381 16.4936 133.405 17.4657C133.454 19.2154 134.219 20.0053 135.933 20.1632C136.479 20.2118 137.026 20.1511 137.561 20.0174C138.472 19.7987 139.08 19.0332 139.104 17.8667C139.153 15.558 139.128 13.2615 139.116 10.9528C139.116 10.7219 139.019 10.4911 138.958 10.248C140.088 10.248 141.218 10.248 142.397 10.248C142.008 11.3052 142.202 12.3988 142.166 13.468C142.117 15.0598 142.312 16.6637 142.069 18.2555C141.729 20.467 140.392 21.7793 138.205 22.2046C136.735 22.4962 135.264 22.4719 133.818 22.0952C131.728 21.5484 130.416 19.8351 130.367 17.5872C130.331 15.6431 130.355 13.6989 130.355 11.7669C130.367 11.2444 130.331 10.7462 130.112 10.248Z" fill="white"/>
<path d="M34.0225 27.9636C34.0225 22.1433 34.0346 16.323 34.0346 10.4906C34.0346 7.42853 36.0517 4.91329 39.053 4.26929C39.539 4.15993 39.7213 3.98982 39.7091 3.47948C39.6726 2.49525 39.7213 1.49887 39.7334 0.514648C40.3045 0.575403 40.8148 0.830573 41.3616 0.964233C41.629 1.02499 41.7019 1.2194 41.6897 1.46242C41.6897 2.4102 41.6776 3.37012 41.6897 4.31789C41.7019 4.77963 41.3981 4.81608 41.07 4.88899C38.8342 5.44793 37.2425 6.74808 36.4283 8.93525C36.1732 9.62786 36.076 10.3448 36.076 11.0738C36.0881 16.4567 36.076 21.8396 36.076 27.2224C36.076 28.0001 36.076 28.0001 35.2862 27.9636C34.873 27.9758 34.4477 27.9758 34.0225 27.9636Z" fill="#C5B7DD"/>
<path d="M19.5508 27.6962C19.648 27.4167 19.6237 27.1373 19.6237 26.8578C19.6237 21.7544 19.6358 16.651 19.6237 11.5476C19.6237 9.53053 20.3284 7.878 21.9202 6.62646C23.5363 5.36276 25.7721 5.19264 27.376 6.18902C24.4476 6.07966 21.665 8.40049 21.6529 12.1065C21.6407 17.0398 21.6529 21.961 21.6529 26.8942C21.6529 27.7326 21.6529 27.7326 20.8266 27.7205C20.4013 27.7083 19.9761 27.7083 19.5508 27.6962Z" fill="#C5B7DD"/>
<path d="M7.16896 27.3558C7.1568 25.1079 7.14465 22.8721 7.14465 20.6242C7.14465 17.6958 7.12035 14.7553 7.15681 11.8269C7.18111 9.49392 8.74858 7.41611 10.875 6.91792C11.9321 6.66275 12.965 6.74781 13.8884 7.41611C11.1545 7.50116 9.56269 9.72479 9.25892 11.8998C9.17386 12.5438 9.14956 13.1878 9.14956 13.8318C9.16171 18.1089 9.14956 22.3982 9.14956 26.6754C9.14956 27.4652 9.14956 27.4652 8.38405 27.4409C7.98307 27.4409 7.58209 27.3923 7.16896 27.3558Z" fill="#C5B7DD"/>
<path d="M127.463 22.1312C126.26 22.1312 125.142 22.1312 124.158 22.1312C124.207 18.17 124.207 14.2331 124.158 10.2598C125.142 10.2598 126.285 10.2598 127.475 10.2598C127.208 10.7701 127.22 11.3169 127.22 11.8515C127.22 14.7678 127.22 17.684 127.22 20.6002C127.208 21.1106 127.22 21.6087 127.463 22.1312Z" fill="white"/>
<path d="M17.0112 27.624C17.7889 27.5875 18.5665 27.5754 19.3442 27.709C18.5665 27.7576 17.7767 27.7819 17.0112 27.624Z" fill="#C5B7DD"/>
<path d="M5.71094 27.3807C6.19697 27.3686 6.68301 27.3686 7.16905 27.3564C6.69516 27.6116 6.19697 27.4658 5.71094 27.3807Z" fill="#C5B7DD"/>
<path d="M122.141 22.107C120.683 20.5638 119.893 18.4495 117.816 17.4531C117.998 17.3681 118.107 17.3195 118.216 17.2709C119.699 16.639 120.477 15.351 120.343 13.7471C120.185 11.8516 119.432 10.8187 117.682 10.4664C114.887 9.90741 112.044 10.3691 109.371 10.199C109.541 14.2088 109.492 18.1457 109.395 22.107C110.416 22.107 111.558 22.107 112.7 22.107C112.348 20.8676 112.566 19.6282 112.518 18.4009C112.506 18.0485 112.773 17.9999 113.064 17.9878C115.191 17.8541 116.698 18.8019 117.658 20.8676C117.852 21.2685 117.986 21.6695 117.779 22.107C119.261 22.107 120.707 22.107 122.141 22.107ZM116.236 15.8006C115.106 16.1165 113.952 15.9464 112.797 15.9343C112.518 15.9343 112.506 15.7034 112.506 15.4968C112.506 14.6463 112.506 13.7957 112.506 12.9573C112.506 12.6535 112.627 12.5077 112.931 12.5077C113.417 12.5077 113.903 12.5077 114.389 12.5077C114.389 12.5199 114.389 12.532 114.389 12.532C114.899 12.532 115.397 12.4956 115.896 12.5442C116.758 12.6171 117.22 13.1031 117.317 13.9294C117.415 14.8164 117.014 15.5819 116.236 15.8006Z" fill="white"/>
<path d="M73.7928 14.1721C73.2825 11.9363 71.8608 10.6483 69.6372 10.2352C68.0333 9.93141 66.4172 9.93141 64.8133 10.2716C62.7112 10.7212 61.3138 11.9728 60.7913 14.087C60.4511 15.4601 60.4511 16.8574 60.7913 18.2305C61.3138 20.3448 62.6018 21.6935 64.7768 22.1431C65.6152 22.3132 66.4536 22.3983 67.3771 22.374C67.9847 22.4104 68.6408 22.3375 69.3091 22.2525C71.5327 21.9851 73.1488 20.6364 73.7199 18.4857C74.1087 17.064 74.133 15.6181 73.7928 14.1721ZM70.7308 18.1454C70.4756 19.0203 69.9288 19.64 69.0539 19.9073C67.8389 20.284 66.6238 20.284 65.433 19.8344C64.6918 19.555 64.1693 19.0325 63.9262 18.2791C63.4888 16.9425 63.4645 15.5816 63.8776 14.2328C64.145 13.3337 64.7404 12.7383 65.6274 12.4588C66.6359 12.1429 67.6687 12.1307 68.6773 12.3616C70.1111 12.6897 70.8158 13.6496 70.9616 15.3264C70.9859 15.6059 70.9616 15.8975 70.9616 16.177C70.9981 16.8453 70.913 17.5014 70.7308 18.1454Z" fill="white"/>
<path d="M58.689 13.4924C58.4945 11.9979 57.5832 10.9043 56.1373 10.5033C55.4933 10.321 54.8371 10.236 54.1567 10.236C52.1518 10.236 50.1469 10.236 48.142 10.236C47.9719 10.236 47.7896 10.1752 47.6924 10.236C48.0326 12.253 47.8382 14.2336 47.8503 16.2021C47.8503 18.1706 48.0205 20.1512 47.7167 22.1196C48.8346 22.1196 49.9646 22.1196 51.1432 22.1196C50.7544 21.026 50.9853 19.9689 50.9124 18.9239C50.8759 18.4743 51.0096 18.3407 51.4713 18.3407C52.8079 18.3407 54.1445 18.4257 55.469 18.2435C57.1336 18.0126 58.3609 16.919 58.6525 15.2908C58.7619 14.6954 58.774 14.1 58.689 13.4924ZM54.7035 15.9226C53.5856 16.2872 52.4312 16.1899 51.2769 16.1656C50.961 16.1535 50.9124 15.8983 50.9124 15.631C50.9124 15.1814 50.9124 14.744 50.9124 14.2944C50.9124 13.8448 50.9124 13.4074 50.9124 12.9578C50.9124 12.7148 50.9731 12.5082 51.2769 12.5082C52.3826 12.4839 53.5005 12.3867 54.5941 12.6662C55.3353 12.8606 55.6755 13.3466 55.7241 14.185C55.7727 15.0599 55.4204 15.6918 54.7035 15.9226Z" fill="white"/>
</g>
<defs>
<clipPath id="clip0">
<rect width="161" height="27.5462" fill="white" transform="translate(0 0.454102)"/>
</clipPath>
</defs>
</svg>


Binary file not shown.


@ -1,3 +0,0 @@
hr {
border-top: 1px solid #000000;
}


@ -1,127 +0,0 @@
// colors
$mainColor= #6F43E7
$offColor = #49AAA1
$sidebarColor=#FAFAFC
$accentColor = #6F43E7
$textColor =rgb(51, 51, 51)
$headerColor=rgb(17, 17, 17)
$borderColor = #e8e8fb
$codeBgColor = #282c34
$arrowBgColor = #ccc
$section-color=#f7f7f7;
$fontSize = 16px
// navbar
// $navbarHeight = 5.2rem
$navbar-vertical-padding = 1.4rem;
$navbar-horizontal-padding = 1.4rem;
$navbar-background = #6F43E7;
$navbar-text-color = #ffffff;
$sidebarWidth = 16rem
$contentWidth = 960px
// // responsive breakpoints
$MQNarrow = 959px
$MQMobile = 719px
$MQMobileNarrow = 419px
.icon.outbound
display none !important
.navbar
background-color: $navbar-background !important
border-bottom 1px solid $navbar-background !important
.logo
height $navbarHeight - 3.2rem
min-width $navbarHeight - 3.2rem
margin-right 0.8rem
vertical-align top
.links
background-color: $navbar-background !important
color: $navbar-text-color !important
padding-left 0rem
.site-name
display: none !important
.nav-links
a
&:hover, &.router-link-active
color lighten($textColor, 8%) !important
a.entRef-anchor
visibility: hidden
display: block
position: relative
top: -4.25rem
.dropdown-wrapper
.dropdown-title
color $textColor !important
.nav-dropdown
.dropdown-item
color $textColor !important
.newsletter
background-color $section-color
border-top 1px solid darken($section-color, 10%)
border-bottom 1px solid darken($section-color, 10%)
&__wrap
margin 1.5rem auto
padding 1.8rem 2.3rem
border-radius 3px
box-sizing border-box
max-width $contentWidth !important
background #f8f8f8
&__title
font-size 1.2rem
&__content
margin-top 1.5rem
margin-bottom 1.5rem
line-height 1.7rem
@media (min-width: $MQMobile)
.nav-links a
&:hover, &.router-link-active
color lighten($navbar-text-color, 8%) !important
.nav-item > a:not(.external)
&:hover, &.router-link-active
margin-bottom -2px
border-bottom 2px solid lighten($navbar-text-color, 8%) !important
.dropdown-wrapper
.dropdown-title
color $navbar-text-color !important
.nav-dropdown
.dropdown-item
color $textColor !important
.newsletter
&__input
width 30% !important
&__button
width 15% !important
@media (max-width: $MQMobile)
.navbar
.site-name
display: none !important
.features
padding: 36pt 0
.feature
.media
max-width: 80%
.content
max-width: 80%
.triples
.feature
padding: 36pt 0
.home
.hero
padding-bottom 0pt
.section
.content
padding: 0 50px;


@ -1,459 +0,0 @@
<template>
<main class="home" aria-labelledby="main-title">
<header class="hero">
<div class="section">
<div class="content">
<h1 v-if="data.heroText !== null" id="main-title">
{{ data.heroText || $title || "Hello" }}
</h1>
<p class="description">
{{
data.tagline || $description || "Welcome to your VuePress site"
}}
</p>
<p class="action" v-if="data.actionText && data.actionLink">
<NavLink class="action-button" :item="actionLink" />
</p>
</div>
<video
v-if="data.heroImage"
class="media"
autoplay
loop
muted
playsinline
>
<source
v-if="data.heroImage"
:src="$withBase(data.heroImage)"
:alt="data.heroAlt"
type="video/mp4"
/>
Your browser does not support the video tag.
</video>
<form
v-if="data.contactForm === true"
method="POST"
name="contact"
data-netlify="true"
netlify-honeypot="bot-field"
>
<input type="hidden" name="form-name" value="contact" />
<fieldset>
<label>
<span>Name</span>
<input name="name" class="field" required />
</label>
<label>
<span>Email</span>
<input name="email" type="email" class="field" required />
</label>
<label>
<span>Company</span>
<input name="company" class="field" />
</label>
</fieldset>
<button class="nav-link action-button" type="submit">
Get in touch
</button>
</form>
</div>
</header>
<SimpleNewsletter />
<div class v-if="data.features && data.features.length">
<div
class="features section"
v-for="(feature, index) in data.features"
:key="index"
>
<div class="feature">
<img class="media" :src="$withBase(feature.src)" />
<div class="content">
<h2>{{ feature.title }}</h2>
<p>{{ feature.text }}</p>
</div>
</div>
</div>
</div>
<!-- triples -->
<div class v-if="data.triples && data.triples.length">
<div class="triples">
<div class="feature">
<div
class="content"
v-for="(feature, index) in data.triples"
:key="index"
>
<img class="media" :src="$withBase(feature.src)" />
<h2>{{ feature.title }}</h2>
<p>{{ feature.text }}</p>
</div>
</div>
</div>
</div>
<Content class="theme-default-content custom" />
<div class v-if="data.footer">
<div class="footer">
<a href="https://www.netlify.com/">
<img
src="https://api.netlify.com/api/v1/badges/1853c996-a1f7-4545-b60c-612e8fca557c/deploy-status"
alt="Deploy status badge"
/>
</a>
</div>
</div>
</main>
</template>
<script>
import NavLink from "@parent-theme/components/NavLink.vue";
export default {
components: { NavLink },
computed: {
data() {
return this.$page.frontmatter;
},
actionLink() {
return {
link: this.data.actionLink,
text: this.data.actionText,
};
},
},
};
</script>
<style lang="stylus">
.home {
padding: $navbarHeight 0 0;
.hero {
background-color: $accentColor;
padding-top: 96pt - $navbarHeight;
padding-bottom: 96pt;
.section {
padding: 0pt 0;
margin: 0 auto;
max-width: $contentWidth;
justify-content: space-between;
display: flex;
flex-wrap: wrap;
align-items: center;
flex-direction: row;
// flex-flow: column wrap;
.media {
padding: 0 20px;
flex: 1;
max-width: 45%;
align-items: center;
}
form {
background-color: $accentColor;
padding: 0 20px;
flex: 1;
max-width: 40%;
button {
display: block;
background: $offColor
color: $section-color;
box-shadow: 0 1px 3px darken($accentColor, 5%), 0 1px 1px rgba(0, 0, 0, 0.98);
border-radius: 6px;
border: 0;
width: 100%;
height: 40px;
outline: none;
cursor: pointer;
transition: all 0.15s ease;
font-size: 1.2rem;
font-weight: 450;
&:hover {
transform: translateY(-1px);
}
}
fieldset {
margin-bottom: 20px;
background: #fff;
box-shadow: 0 1px 2px 0 lighten($section-color, 35%), 0 2px 2px 0 lighten($section-color, 35%);
border-radius: 4px;
border: none;
label {
position: relative;
display: flex;
flex-direction: row;
height: 42px;
padding: 8px 0;
align-items: center;
justify-content: center;
&:not(:last-child) {
border-bottom: 1px solid #f0f5fa;
}
span {
color: lighten($textColor, 25%);
font-weight: 450;
min-width: 60px;
padding: 0 15px;
text-align: right;
font-size: 0.9rem;
}
}
.field {
flex: 1;
padding: 0 15px;
background: transparent;
color: $textColor;
outline: none;
cursor: text;
font-size: 0.95rem;
}
input {
flex: 1;
border-style: none;
outline: none;
color: #313b3f;
}
}
}
.content {
flex: 1;
padding: 0 20px;
h1 {
text-align: left;
margin-left: auto;
margin-right: auto;
font-size: 3.2rem;
font-weight: 600;
border-bottom: none;
padding-bottom: 0;
color: #ffffff;
}
.description {
text-align: left;
margin-left: auto;
margin-right: auto;
font-weight: 300;
color: #ffffff;
font-size: 1.5rem;
line-height: 1.3;
}
.action-button {
display: inline-block;
font-size: 1.2rem;
color: #fff;
background-color: $accentColor;
padding: 0.8rem 1.6rem;
border-radius: 4px;
transition: background-color 0.1s ease;
box-sizing: border-box;
border-bottom: 1px solid darken($accentColor, 10%);
&:hover {
background-color: lighten($accentColor, 10%);
}
}
}
}
}
}
.triples {
display: flex;
flex-wrap: wrap;
margin: 0 auto;
padding: 32pt 0;
background-color: $section-color;
.feature {
padding: 92pt 0;
margin: 0 auto;
max-width: $contentWidth;
display: flex;
justify-content: space-between;
// flex-wrap: wrap;
.content {
display: flex;
flex-direction: column;
align-items: center;
max-width: 100%;
padding-left: 15px;
.media {
max-height: 150px;
}
h2 {
padding: 10pt 0;
display: flex;
font-weight: 500;
border-bottom: none;
padding-bottom: 0;
color: $headerColor;
}
p {
text-align: left;
margin-left: auto;
margin-right: auto;
font-weight: 400;
color: $textColor;
}
}
}
}
.features {
background-color: #ffffff;
padding: 72pt 0;
display: flex;
flex-wrap: wrap;
margin: 0 auto;
&:nth-child(even) {
background-color: $section-color;
border-top: 1px solid darken($section-color, 10%);
border-bottom: 1px solid darken($section-color, 10%);
.feature {
.media {
order: 1;
}
.content {
order: 2;
}
}
}
.feature {
padding: 0pt 0;
margin: 0 auto;
max-width: $contentWidth;
display: flex;
justify-content: space-between;
align-items: center;
flex-direction: row;
flex-wrap: wrap;
.media {
padding: 0 20px;
max-height: 400px;
max-width: 45%;
flex: 1;
order: 2;
}
.content {
padding: 0 10px;
max-width: 55%;
order: 1;
flex: 1;
h2 {
font-size: 2.4rem;
font-weight: 600;
border-bottom: none;
padding-bottom: 0;
color: $headerColor;
}
p {
font-size: 1.2rem;
text-align: left;
margin-left: auto;
margin-right: auto;
font-weight: 400;
color: $textColor;
}
}
}
}
.footer {
padding: 0.75rem;
border-top: 1px solid $borderColor;
text-align: center;
}
@media (max-width: $MQMobile) {
.home {
.feature {
flex-direction: column;
}
.hero {
padding-top: 20pt;
.section {
flex-direction: column;
.media {
max-width: 90%;
}
}
}
}
}
@media (max-width: $MQMobileNarrow) {
.home {
// padding-left: 0.5rem;
// padding-right: 0.5rem;
.hero {
padding-top: 20pt;
.section {
flex-direction: column;
.media {
max-width: 90%;
}
}
h1 {
font-size: 2rem;
}
h1, .description, .action {
margin: 1.2rem auto;
}
.description {
font-size: 1.2rem;
}
.action-button {
font-size: 1rem;
padding: 0.6rem 1.2rem;
}
}
.feature {
h2 {
font-size: 1.25rem;
}
}
}
}
</style>


@ -1,166 +0,0 @@
<template>
<footer class="page-edit">
<div
v-if="editLink"
class="edit-link"
>
<a
:href="editLink"
target="_blank"
rel="noopener noreferrer"
>{{ editLinkText }}</a>
<OutboundLink />
</div>
<div
v-if="lastUpdated"
class="last-updated"
>
<span class="prefix">{{ lastUpdatedText }}:</span>
<span class="time">{{ lastUpdated }}</span>
</div>
<br/>
<br/>
<hr/>
<div class="license">
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. Pomerium is a registered trademark.
</div>
</footer>
</template>
<script>
import isNil from 'lodash/isNil'
import { endingSlashRE, outboundRE } from '../util'
export default {
name: 'PageEdit',
computed: {
lastUpdated () {
return this.$page.lastUpdated
},
lastUpdatedText () {
if (typeof this.$themeLocaleConfig.lastUpdated === 'string') {
return this.$themeLocaleConfig.lastUpdated
}
if (typeof this.$site.themeConfig.lastUpdated === 'string') {
return this.$site.themeConfig.lastUpdated
}
return 'Last Updated'
},
editLink () {
const showEditLink = isNil(this.$page.frontmatter.editLink)
? this.$site.themeConfig.editLinks
: this.$page.frontmatter.editLink
const {
repo,
docsDir = '',
docsBranch = 'main',
docsRepo = repo
} = this.$site.themeConfig
if (showEditLink && docsRepo && this.$page.relativePath) {
return this.createEditLink(
repo,
docsRepo,
docsDir,
docsBranch,
this.$page.relativePath
)
}
return null
},
editLinkText () {
return (
this.$themeLocaleConfig.editLinkText
|| this.$site.themeConfig.editLinkText
|| `Edit this page`
)
}
},
methods: {
createEditLink (repo, docsRepo, docsDir, docsBranch, path) {
const bitbucket = /bitbucket.org/
if (bitbucket.test(docsRepo)) {
const base = docsRepo
return (
base.replace(endingSlashRE, '')
+ `/src`
+ `/${docsBranch}/`
+ (docsDir ? docsDir.replace(endingSlashRE, '') + '/' : '')
+ path
+ `?mode=edit&spa=0&at=${docsBranch}&fileviewer=file-view-default`
)
}
const gitlab = /gitlab.com/
if (gitlab.test(docsRepo)) {
const base = docsRepo
return (
base.replace(endingSlashRE, '')
+ `/-/edit`
+ `/${docsBranch}/`
+ (docsDir ? docsDir.replace(endingSlashRE, '') + '/' : '')
+ path
)
}
const base = outboundRE.test(docsRepo)
? docsRepo
: `https://github.com/${docsRepo}`
return (
base.replace(endingSlashRE, '')
+ '/edit'
+ `/${docsBranch}/`
+ (docsDir ? docsDir.replace(endingSlashRE, '') + '/' : '')
+ path
)
}
}
}
</script>
<style lang="stylus">
@require '../styles/wrapper.styl'
.license
@extend $wrapper
font-weight 400
color #767676
.page-edit
@extend $wrapper
padding-top 1rem
padding-bottom 1rem
overflow auto
.edit-link
display inline-block
a
color lighten($textColor, 25%)
margin-right 0.25rem
.last-updated
float right
font-size 0.9em
.prefix
font-weight 500
color lighten($textColor, 25%)
.time
font-weight 400
color #767676
@media (max-width: $MQMobile)
.page-edit
.edit-link
margin-bottom 0.5rem
.last-updated
font-size 0.8em
float none
text-align left
</style>


@ -1,3 +0,0 @@
module.exports = {
extend: "@vuepress/theme-default",
};


@ -1,14 +0,0 @@
<template>
<ParentLayout />
</template>
<script>
import ParentLayout from "@parent-theme/layouts/404.vue";
export default {
name: "Draft",
components: {
ParentLayout,
},
};
</script>


@ -1,19 +0,0 @@
<template>
<div>
<ul id="default-layout">
<li v-for="page in $pagination.pages">
<router-link class="page-link" :to="page.path">{{
page.title
}}</router-link>
</li>
</ul>
<div id="pagination">
<router-link v-if="$pagination.hasPrev" :to="$pagination.prevLink"
>Prev</router-link
>
<router-link v-if="$pagination.hasNext" :to="$pagination.nextLink"
>Next</router-link
>
</div>
</div>
</template>


@ -1,120 +0,0 @@
<template>
<div
class="theme-container"
:class="pageClasses"
@touchstart="onTouchStart"
@touchend="onTouchEnd"
>
<Navbar v-if="shouldShowNavbar" @toggle-sidebar="toggleSidebar" />
<div class="sidebar-mask" @click="toggleSidebar(false)"></div>
<Sidebar :items="sidebarItems" @toggle-sidebar="toggleSidebar">
<slot name="sidebar-top" slot="top" />
<slot name="sidebar-bottom" slot="bottom" />
</Sidebar>
<Home v-if="$page.frontmatter.home" />
<Page v-else :sidebar-items="sidebarItems">
<slot name="page-top" slot="top" />
<slot name="page-bottom" slot="bottom" />
</Page>
</div>
</template>
<script>
import Home from "@theme/components/Home.vue";
import Navbar from "@parent-theme/components/Navbar.vue";
import Page from "@parent-theme/components/Page.vue";
import Sidebar from "@parent-theme/components/Sidebar.vue";
import { resolveSidebarItems } from "../util";
export default {
components: { Home, Page, Sidebar, Navbar },
data() {
return {
isSidebarOpen: false,
};
},
computed: {
shouldShowNavbar() {
const { themeConfig } = this.$site;
const { frontmatter } = this.$page;
if (frontmatter.navbar === false || themeConfig.navbar === false) {
return false;
}
return (
this.$title ||
themeConfig.logo ||
themeConfig.repo ||
themeConfig.nav ||
this.$themeLocaleConfig.nav
);
},
shouldShowSidebar() {
const { frontmatter } = this.$page;
return (
!frontmatter.home &&
frontmatter.sidebar !== false &&
this.sidebarItems.length
);
},
sidebarItems() {
return resolveSidebarItems(
this.$page,
this.$page.regularPath,
this.$site,
this.$localePath
);
},
pageClasses() {
const userPageClass = this.$page.frontmatter.pageClass;
return [
{
"no-navbar": !this.shouldShowNavbar,
"sidebar-open": this.isSidebarOpen,
"no-sidebar": !this.shouldShowSidebar,
},
userPageClass,
];
},
},
mounted() {
this.$router.afterEach(() => {
this.isSidebarOpen = false;
});
},
methods: {
toggleSidebar(to) {
this.isSidebarOpen = typeof to === "boolean" ? to : !this.isSidebarOpen;
},
// side swipe
onTouchStart(e) {
this.touchStart = {
x: e.changedTouches[0].clientX,
y: e.changedTouches[0].clientY,
};
},
onTouchEnd(e) {
const dx = e.changedTouches[0].clientX - this.touchStart.x;
const dy = e.changedTouches[0].clientY - this.touchStart.y;
if (Math.abs(dx) > Math.abs(dy) && Math.abs(dx) > 40) {
if (dx > 0 && this.touchStart.x <= 80) {
this.toggleSidebar(true);
} else {
this.toggleSidebar(false);
}
}
},
},
};
</script>


@ -1,8 +0,0 @@
$wrapper
max-width $contentWidth
margin 0 auto
padding 2rem 2.5rem
@media (max-width: $MQNarrow)
padding 2rem
@media (max-width: $MQMobileNarrow)
padding 1.5rem


@ -1,240 +0,0 @@
export const hashRE = /#.*$/
export const extRE = /\.(md|html)$/
export const endingSlashRE = /\/$/
export const outboundRE = /^[a-z]+:/i
export function normalize (path) {
return decodeURI(path)
.replace(hashRE, '')
.replace(extRE, '')
}
export function getHash (path) {
const match = path.match(hashRE)
if (match) {
return match[0]
}
}
export function isExternal (path) {
return outboundRE.test(path)
}
export function isMailto (path) {
return /^mailto:/.test(path)
}
export function isTel (path) {
return /^tel:/.test(path)
}
export function ensureExt (path) {
if (isExternal(path)) {
return path
}
const hashMatch = path.match(hashRE)
const hash = hashMatch ? hashMatch[0] : ''
const normalized = normalize(path)
if (endingSlashRE.test(normalized)) {
return path
}
return normalized + '.html' + hash
}
export function isActive (route, path) {
const routeHash = decodeURIComponent(route.hash)
const linkHash = getHash(path)
if (linkHash && routeHash !== linkHash) {
return false
}
const routePath = normalize(route.path)
const pagePath = normalize(path)
return routePath === pagePath
}
export function resolvePage (pages, rawPath, base) {
if (isExternal(rawPath)) {
return {
type: 'external',
path: rawPath
}
}
if (base) {
rawPath = resolvePath(rawPath, base)
}
const path = normalize(rawPath)
for (let i = 0; i < pages.length; i++) {
if (normalize(pages[i].regularPath) === path) {
return Object.assign({}, pages[i], {
type: 'page',
path: ensureExt(pages[i].path)
})
}
}
console.error(`[vuepress] No matching page found for sidebar item "${rawPath}"`)
return {}
}
function resolvePath (relative, base, append) {
const firstChar = relative.charAt(0)
if (firstChar === '/') {
return relative
}
if (firstChar === '?' || firstChar === '#') {
return base + relative
}
const stack = base.split('/')
// remove trailing segment if:
// - not appending
// - appending to trailing slash (last segment is empty)
if (!append || !stack[stack.length - 1]) {
stack.pop()
}
// resolve relative path
const segments = relative.replace(/^\//, '').split('/')
for (let i = 0; i < segments.length; i++) {
const segment = segments[i]
if (segment === '..') {
stack.pop()
} else if (segment !== '.') {
stack.push(segment)
}
}
// ensure leading slash
if (stack[0] !== '') {
stack.unshift('')
}
return stack.join('/')
}
/**
* @param { Page } page
* @param { string } regularPath
* @param { SiteData } site
* @param { string } localePath
* @returns { SidebarGroup }
*/
export function resolveSidebarItems (page, regularPath, site, localePath) {
const { pages, themeConfig } = site
const localeConfig = localePath && themeConfig.locales
? themeConfig.locales[localePath] || themeConfig
: themeConfig
const pageSidebarConfig = page.frontmatter.sidebar || localeConfig.sidebar || themeConfig.sidebar
if (pageSidebarConfig === 'auto') {
return resolveHeaders(page)
}
const sidebarConfig = localeConfig.sidebar || themeConfig.sidebar
if (!sidebarConfig) {
return []
} else {
const { base, config } = resolveMatchingConfig(regularPath, sidebarConfig)
return config
? config.map(item => resolveItem(item, pages, base))
: []
}
}
/**
* @param { Page } page
* @returns { SidebarGroup }
*/
function resolveHeaders (page) {
const headers = groupHeaders(page.headers || [])
return [{
type: 'group',
collapsable: false,
title: page.title,
path: null,
children: headers.map(h => ({
type: 'auto',
title: h.title,
basePath: page.path,
path: page.path + '#' + h.slug,
children: h.children || []
}))
}]
}
export function groupHeaders (headers) {
// group h3s under h2
headers = headers.map(h => Object.assign({}, h))
let lastH2
headers.forEach(h => {
if (h.level === 2) {
lastH2 = h
} else if (lastH2) {
(lastH2.children || (lastH2.children = [])).push(h)
}
})
return headers.filter(h => h.level === 2)
}
export function resolveNavLinkItem (linkItem) {
return Object.assign(linkItem, {
type: linkItem.items && linkItem.items.length ? 'links' : 'link'
})
}
/**
* @param { Route } route
* @param { Array<string|string[]> | Array<SidebarGroup> | [link: string]: SidebarConfig } config
* @returns { base: string, config: SidebarConfig }
*/
export function resolveMatchingConfig (regularPath, config) {
if (Array.isArray(config)) {
return {
base: '/',
config: config
}
}
for (const base in config) {
if (ensureEndingSlash(regularPath).indexOf(encodeURI(base)) === 0) {
return {
base,
config: config[base]
}
}
}
return {}
}
function ensureEndingSlash (path) {
return /(\.html|\/)$/.test(path)
? path
: path + '/'
}
function resolveItem (item, pages, base, groupDepth = 1) {
if (typeof item === 'string') {
return resolvePage(pages, item, base)
} else if (Array.isArray(item)) {
return Object.assign(resolvePage(pages, item[0], base), {
title: item[1]
})
} else {
const children = item.children || []
if (children.length === 0 && item.path) {
return Object.assign(resolvePage(pages, item.path, base), {
title: item.title
})
}
return {
type: 'group',
path: item.path,
title: item.title,
sidebarDepth: item.sidebarDepth,
children: children.map(child => resolveItem(child, pages, base, groupDepth + 1)),
collapsable: item.collapsable !== false
}
}
}

File diff suppressed because it is too large Load diff


@ -1,62 +0,0 @@
---
title: Architecture
lang: en-US
sidebarDepth: 0
meta:
- name: keywords
content: pomerium, architecture
---
# Architecture
## System Level
Pomerium sits between end users and services requiring strong authentication. After verifying identity with your identity provider (IdP), Pomerium uses a configurable policy to decide how to route your user's request and if they are authorized to access the service.
![pomerium architecture diagram](./img/pomerium-system-context.svg)
## Component Level
Pomerium is composed of 4 logical components:
- Proxy Service
- All user traffic flows through the proxy
- Verifies all requests with Authentication service
- Directs users to Authentication service to establish session identity
- Processes policy to determine external/internal route mappings
- Authentication Service
- Handles authentication flow to your IdP as needed
- Handles identity verification after initial Authentication
- Establishes user session cookie
- Stores user OIDC tokens in databroker service
- Authorization Service
- Processes policy to determine permissions for each service
- Handles authorization check for all user sessions
- Directs Proxy service to initiate Authentication flow as required
- Provides additional security related headers for upstream services to consume
- Data Broker Service
- Retrieves identity provider related data such as group membership
- Stores and refreshes identity provider access and refresh tokens
- Provides streaming authoritative session and identity data to Authorize service
- Stores session and identity data in persistent storage
In production deployments, it is recommended that you deploy each component [separately](/reference/readme.md#service-mode). This allows you to limit external attack surface, as well as scale and manage the services independently.
In test deployments, all four components may run from a [single binary and configuration](/reference/readme.md#all-in-one-vs-split-service-mode).
![pomerium architecture diagram](./img/pomerium-container-context.svg)
## Authentication Flow
Pomerium's internal and external component interactions during full authentication from a fresh user are diagramed below.
After initial authentication to provide a session token, only the authorization check interactions occur.
![pomerium architecture diagram](./img/pomerium-auth-flow.svg)


@ -1,90 +0,0 @@
---
title: Background
lang: en-US
meta:
- name: keywords
content: pomerium, identity access proxy, beyondcorp, zero trust, reverse proxy, ztn, zta
---
# Background
## History
For years, security has been synonymous with the perimeter security model. This model relies on the strength of its outer defenses. That is, your corporate network is safe so long as your perimeter is impenetrable. Perimeter security typically incorporates tools like firewalls, network segmentation, and VPNs. But perimeter securitys shortcomings have become apparent as:
- Software is shipped differently now. Organizations now deploy code outside their perimeter, in public and private clouds.
- Workforce habits are changing. A majority of the global workforce now works remotely at least one day a week.
- Remote workers want an equivalent user-experience. Traditional tools for internal access like VPNs are clunky and frustrating to use.
- There are now many perimeters to secure and boundaries of the perimeter have become ephemeral and nebulous.
> Most networks [have] big castle walls, hard crunchy outer shell, and soft gooey centers...
>
> [Rob Joyce](https://en.wikipedia.org/wiki/Rob_Joyce) [Chief of Tailored Access Operations](https://en.wikipedia.org/wiki/Tailored_Access_Operations), [National Security Agency @ ENIGMA 2016](https://www.youtube.com/watch?v=bDJb8WOJYdA&feature=youtu.be&t=1627)
Most importantly, the model is just not as secure as we thought. Recent high-profile breaches have demonstrated how difficult it is for even large companies with sophisticated security organizations to avoid a breach. To pick just two of many breaches, consider the Target and Google hacks. In Target's case, hackers circumvented both the physical and network perimeter by [hacking the HVAC system](https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/) which was connected to the internal corporate network from which hackers were then able to move laterally and exfiltrate customer credit card data. In Google's case, they experienced a devastating attack at the hands of the Chinese military known as [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora). After which, Google did a bottom up review of their security posture. The resulting actions from that review would be released as a [series of white papers](https://ai.google/research/pubs/pub43231) called "BeyondCorp" which have since become foundational documents in articulating how and why an organization could move beyond corporate perimeter (BeyondCorp...get it?) based security.
> In reality, there's never one front door; there are many front doors...[and] ... we're not securing a single castle. We're starting to think about securing many different interconnected castles.
>
> [Armon Dadgar, Cofounder of HashiCorp @ PagerDuty Nov 2018](https://www.hashicorp.com/resources/how-zero-trust-networking)
The other side of the security trade-off is operational agility. Perimeter based approaches tend to focus on network segmentation which entails creating virtual or physical boundaries around services that need to communicate. Making those boundaries is increasingly difficult to manage in a world of micro-services, and cloud computing where service communication requirements are constantly in flux.
In theory, an organization could "micro/nano/pico-segment" each and every layer of an application stack to ensure appropriate access controls. However, in practice, operators are usually pulled in the direction of one of two extremes. That is, either a very precise boundary that is high-touch, time-consuming to manage, and error prone. Or that of a more lax boundary that may entail more risk but is less time consuming to update, manage and less prone to break.
### Gaps in the perimeter
In summary, perimeter based security suffers from the following shortcomings:
- Perimeter security largely ignores the insider threat.
- The "impenetrable fortress" model fails in practice even for the most sophisticated of security organizations.
- Network segmentation is a time-consuming, and difficult to get exactly right mechanism for ensuring secure communication.
- Even just defining what the network perimeter is is an increasingly difficult proposition in a remote-work, BYOD, multi-cloud world. Most organizations are a heterogeneous mix of clouds, servers, devices, and organizational units.
- VPNs are often misused and exacerbate the issue by opening yet another door into your network organization.
### Zero Trust
[Zero trust](https://ldapwiki.com/wiki/Zero%20Trust) instead attempts to mitigate these shortcomings by adopting the following principles:
- Trust flows from identity, device-state, and context; not network location.
- Treat both internal and external networks as untrusted.
- Act like you are already breached, because you probably are.
- Every device, user, and application's communication should be authenticated, authorized, and encrypted.
- Access policy should be dynamic, and built from multiple sources.
To be clear, _perimeter security is not defunct_, nor is zero trust security a panacea or a single product. Many of the ideas and principles of perimeter security are still relevant and are part of a holistic, and wide-ranging security policy. After all, we still want our castles to have high walls.
## Further reading
The zero trust security model was first articulated by [John Kindervag](http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf) in 2010, and by Google in 2011 as a result of the [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora) breach. What follows is a curated list of resources that covers the topic in more depth.
### Government Recommendations
- NIST SP 800-207 (DRAFT) [Zero Trust Architecture](https://doi.org/10.6028/NIST.SP.800-207-draft)
- UK National Cyber Security Centre [Zero trust architecture design principles](https://github.com/ukncsc/zero-trust-architecture/)
### Books
- [Zero Trust Networks](http://shop.oreilly.com/product/0636920052265.do) by Gilman and Barth
### Papers
- Forrester [Build Security Into Your Network's DNA: The Zero Trust Network Architecture](http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf)
- Google BeyondCorp 1 [An overview: "A New Approach to Enterprise Security"](https://research.google.com/pubs/pub43231.html)
- Google BeyondCorp 2 [How Google did it: "Design to Deployment at Google"](https://research.google.com/pubs/pub44860.html)
- Google BeyondCorp 3 [Google's front-end infrastructure: "The Access Proxy"](https://research.google.com/pubs/pub45728.html)
- Google BeyondCorp 4 [Migrating to BeyondCorp: Maintaining Productivity While Improving Security](https://research.google.com/pubs/pub46134.html)
- Google BeyondCorp 5 [The human element: "The User Experience"](https://research.google.com/pubs/pub46366.html)
- Google BeyondCorp 6 [Secure your endpoints: "Building a Healthy Fleet"](https://ai.google/research/pubs/pub47356)
### Posts
- Google [How Google adopted BeyondCorp](https://security.googleblog.com/2019/06/how-google-adopted-beyondcorp.html)
- Wall Street Journal [Google Moves Its Corporate Applications to the Internet](https://blogs.wsj.com/cio/2015/05/11/google-moves-its-corporate-applications-to-the-internet/)
- Gitlab's [Blog series](https://about.gitlab.com/blog/tags.html#zero-trust) and their [reddit AMA](https://www.reddit.com/r/netsec/comments/d71p1d/were_a_100_remote_cloudnative_company_and_were/)
### Videos
- [USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers](https://youtu.be/bDJb8WOJYdA?list=PLKb9-P1fRHxhSmCy5OaYZ5spcY8v3Pbaf)
- [What, Why, and How of Zero Trust Networking](https://youtu.be/eDVHIfVSdIo?list=PLKb9-P1fRHxhSmCy5OaYZ5spcY8v3Pbaf) by Armon Dadgar, Hashicorp
- [O'Reilly Security 2017 NYC Beyondcorp: Beyond Fortress Security](https://youtu.be/oAvDASLehpY?list=PLKb9-P1fRHxhSmCy5OaYZ5spcY8v3Pbaf) by Neal Muller, Google
- [Be Ready for BeyondCorp: enterprise identity, perimeters and your application](https://youtu.be/5UiWAlwok1s?list=PLKb9-P1fRHxhSmCy5OaYZ5spcY8v3Pbaf) by Jason Kent


@ -1,85 +0,0 @@
---
title: Code of Conduct
lang: en-US
sidebarDepth: 0
meta:
- name: keywords
content: pomerium, community, contributing, code of conduct
---
# Contributor Covenant Code of Conduct
## Our Pledge
In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal
appearance, race, religion, or sexual identity and orientation.
## Our Standards
Examples of behavior that contributes to creating a positive environment
include:
- Using welcoming and inclusive language
- Being respectful of differing viewpoints and experiences
- Gracefully accepting constructive criticism
- Focusing on what is best for the community
- Showing empathy towards other community members
Examples of unacceptable behavior by participants include:
- The use of sexualized language or imagery and unwelcome sexual attention or
advances
- Trolling, insulting/derogatory comments, and personal or political attacks
- Public or private harassment
- Publishing others' private information, such as a physical or electronic
address, without explicit permission
- Other conduct which could reasonably be considered inappropriate in a
professional setting
## Our Responsibilities
Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.
Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.
## Scope
This Code of Conduct applies within all project spaces, and it also applies when
an individual is representing the project or its community in public spaces.
Examples of representing a project or community include using an official
project e-mail address, posting via an official social media account, or acting
as an appointed representative at an online or offline event. Representation of
a project may be further defined and clarified by project maintainers.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at info@pomerium.io. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.
Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
[homepage]: https://www.contributor-covenant.org
For answers to common questions about this code of conduct, see
https://www.contributor-covenant.org/faq


@ -1,95 +0,0 @@
---
title: Contributing
lang: en-US
sidebarDepth: 0
meta:
- name: keywords
content: pomerium, community, contributing, pr, code
description: >-
This document describes how you can find issues to work on, fix/add
documentation, and how setup Pomerium for local development.
---
# Contributing
First of all, thank you for considering contributing to Pomerium! You can have a direct impact on Pomerium by helping with its code or documentation. To contribute to Pomerium, open a [pull request](https://github.com/pomerium/pomerium/pulls) (PR). If you're new to our community, that's okay: **we gladly welcome pull requests from anyone, regardless of your native language or coding experience.**
## General
We try to hold contributions to a high standard for quality, so don't be surprised if we ask for revisions--even if it seems small or insignificant. Please don't take it personally. If your change is on the right track, we can guide you to make it mergeable.
Here are some of the expectations we have of contributors:
- If your change is more than just a minor alteration, **open an issue to propose your change first.** This way we can avoid confusion, coordinate what everyone is working on, and ensure that changes are in-line with the project's goals and the best interests of its users. If there's already an issue about it, comment on the existing issue to claim it.
- **Keep pull requests small.** Smaller PRs are more likely to be merged because they are easier to review! We might ask you to break up large PRs into smaller ones. [An example of what we DON'T do.](https://twitter.com/iamdevloper/status/397664295875805184)
- **Keep related commits together in a PR.** We do want pull requests to be small, but you should also keep multiple related commits in the same PR if they rely on each other.
- **Write tests.** Tests are essential! Written properly, they ensure your change works, and that other changes in the future won't break your change. CI checks should pass.
- **Benchmarks should be included for optimizations.** Optimizations sometimes make code harder to read or have changes that are less than obvious. They should be proven with benchmarks or profiling.
- **[Squash](http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html) insignificant commits.** Every commit should be significant. Commits which merely rewrite a comment or fix a typo can be combined into another commit that has more substance. Interactive rebase can do this, or a simpler way is `git reset --soft <diverging-commit>` then `git commit -s`.
- **Own your contributions.** Pomerium is a growing project, and it's much better when individual contributors help maintain their change after it is merged.
- **Use comments properly.** We expect good godoc comments for package-level functions, types, and values. Comments are also useful whenever the purpose for a line of code is not obvious.
- **Recommended reading**
- [CodeReviewComments](https://github.com/golang/go/wiki/CodeReviewComments)
- [Linus Torvalds describes a good commit message](https://gist.github.com/matthewhudson/1475276)
- [Best Practices for Maintainers](https://opensource.guide/best-practices/)
- [Shrinking Code Review](https://alexgaynor.net/2015/dec/29/shrinking-code-review/)
## Docs
Pomerium's documentation is available at <https://www.pomerium.io/docs>. If you find a typo, feel a section could be better described, or have an idea for a totally new application or section, don't hesitate to make a pull request change. There are few ways you can do this.
### Simple edits
The easiest way to fix minor documentation issues in Pomerium is to click on "Edit this page in Github" on any page.
![edit this page link](./img/contributing-edit-this-page.png)
Doing so will create a [fork](https://help.github.com/en/articles/fork-a-repo) of the project, allow you to [update the page](https://guides.github.com/features/mastering-markdown/), and create a [pull request](https://help.github.com/en/articles/about-pull-requests).
![edit this page link using github](./img/contributing-edit-this-page-github.png)
### Bigger changes
If you need to add a new page, or would like greater control over the editing process you can edit the docs similar to how you would make changes to the source code.
#### Pre-reqs
We use [VuePress](https://vuepress.vuejs.org) to generate our docs. Vuepress is a simple, [markdown](https://v1.vuepress.vuejs.org/config/#markdown) and [Vue.js](https://v1.vuepress.vuejs.org/config/#markdown) based static site generator. Before building the docs, you'll need to install the following pre-requisites.
1. [Node.js](https://nodejs.org/en/download/).
2. [Yarn](https://yarnpkg.com/lang/en/docs).
#### Make changes
Once you have Nodejs and Yarn installed, simply run `make docs` in a terminal which will install any required node packages as well as start up a development server. You should see something like the below, with a link to the local doc server.
```bash
success [19:02:54] Build f9f5f7 finished in 246 ms! ( http://localhost:8081/ )
```
Once you have the development server up and running, any changes you make will automatically be reloaded and accessible in your browser.
To add a new document, simply add a new file with the `.md` markdown extension. For example, this document would be `docs/community/contributing.md`.
To add a new document to the side or top-bar navigation, see `docs/.vuepress/config.js` and add that document to the desired section.
### PR Previews
We use [Netlify](https://www.netlify.com) to build and host our docs. One of nice features of Netlify, is that a preview of the docs are automatically created for each new pull request that is made, which lets you be sure that the version of your docs that you see locally match what will ultimately be deployed in production.
[configuration variables]: ../../reference/readme.md
[download]: https://github.com/pomerium/pomerium/releases
[environmental configuration variables]: https://12factor.net/config
[verify]: https://verify.pomerium.com/
[identity provider]: ../identity-providers/readme.md
[make]: https://en.wikipedia.org/wiki/Make_(software)
[tls certificates]: ../topics/certificates.md

Binary file not shown.


Binary file not shown.


Binary file not shown.



@ -1,46 +0,0 @@
---
title: Overview
lang: en-US
sidebarDepth: 0
meta:
- name: keywords
content: pomerium, community, help, bugs, updates, features
description: >-
This document describes how you users can stay up to date with pomerium,
report issues, get help, and suggest new features.
---
# Community
## Get updates
- [Pomerium-announce](https://groups.google.com/forum/#!forum/pomerium-announce) is a low traffic mailing list for important releases and security announcements.
- Follow us on Twitter [@pomerium_io](https://twitter.com/pomerium_io) or [LinkedIn](https://www.linkedin.com/company/pomerium-inc) for the latest updates and industry news.
- Check out our forum, [Discuss](https://discuss.pomerium.com/), where the community explores Pomerium's uses and shares their best practices.
- Want updates delivered directly to your inbox? Sign up for our newsletter here:
<Newsletter />
## Get help
For general help and configuration questions, discussions about integrations or complex setups, or anything else related to Pomerium, head to our [Discuss](https://discuss.pomerium.com/) forum, where you can search for open threads or start a new one.
We prefer to communicate in Discuss so that answers can be indexes and easy to find for others. If a specific issue requires a faster back and forth to find a resolution, we may ask to move the discussion to [our slack channel](https://slack.pomerium.io).
## Report bugs
Like every software, Pomerium has its flaws. If you find one, [search the issues](https://github.com/pomerium/pomerium/issues) to see if it has already been reported. If not, [open a new issue](https://github.com/pomerium/pomerium/issues/new) and describe the bug, and somebody will look into it!
Please follow the issue template so we have all the needed information. We need to be able to repeat the bug using your instructions. Please simplify the issue as much as possible. The more detailed and specific you are, the faster we will be able to help you!
We suggest reading [How to Report Bugs Effectively](http://www.chiark.greenend.org.uk/~sgtatham/bugs.html).
## Suggest features
First, search to see if your feature has already been requested on [GitHub](https://github.com/pomerium/pomerium/issues) or [Discuss](https://discuss.pomerium.com/). If it has, you can add a :+1: reaction to vote for it. If your feature idea is new, open an issue to request the feature. You don't have to follow the bug template for feature requests. Please describe your idea thoroughly so that we know how to implement it! Really vague requests may not be helpful or actionable and without clarification will have to be closed.
While we really do value your requests and implement many of them, not all features are a good fit for Pomerium. If a feature is not in the best interest of the Pomerium project or its users in general, we may politely decline to implement it.


@ -1,193 +0,0 @@
---
title: Security
lang: en-US
sidebarDepth: 0
meta:
- name: keywords
content: pomerium, security, disclosure, vulnerabilities
---
# Security Policy
## Security & Threat model
As a context-aware access proxy, Pomerium's security model holds data confidentiality, integrity, accountability, authentication, authorization, and availability as the highest priority concerns. This page outlines Pomerium's security goals and threat model.
Pomerium's threat model includes:
- **Validating authentication.** Though not itself an Identity Provider, Pomerium incorporates Single-Sign-On flow with third party providers to delegate authentication, and populate identity details for authorization decisions. Pomerium ensures that a request is backed by a valid user session from a trusted Identity Provider.
- **Enforcing authorization.** Pomerium ensures that only authorized users can access services, or applications to which they are entitled access.
- For HTTP based services, authorization will be made on a per request basis.
- Otherwise, for TCP based services, authorization will be made on a per session basis.
- **Protecting data in transit**. All communication is encrypted and mutually authenticated when certificates are provided. This applies to communication between:
- Pomerium and its services.
- Pomerium and upstream services and applications.
- Pomerium and downstream clients (e.g. user's browser or device).
- Pomerium and the databroker's storage system.
- **Protecting data at rest**. Sensitive data is encrypted. This applies to all data in the databroker including:
- Session, user, and directory data; as well as any other identity or contextual data.
- Service secrets (TLS certificates, Identity provider credentials)
- **Ensuring availability**. Pomerium aims to be fault tolerant, and horizontally scalable. Pomerium inherits [Envoy's availability threat model](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/threat_model#confidentiality-integrity-and-availability).
- **Providing auditability and accountability**. Pomerium provides logs with associated context for auditing purposes.
Pomerium's threat model does not include:
- Protecting against arbitrary control of a trusted third-party provider. For instance, if your identity provider is hacked, an attacker can impersonate a user in Pomerium.
- Protecting against memory analysis of a running Pomerium instance. If an attacker can attach a debugger to a running instance of Pomerium, they can inspect confidential data in flight.
- Protecting against arbitrary control of the storage backend. If an attacker controls your database, they can corrupt data.
- Protecting an upstream application's internal access control system.
- Protecting against physical access.
### Cryptography
Pomerium uses cryptography to secure data in transit, at rest, and to provide guarantees around confidentiality, authenticity, and integrity between its services and upstreams it manages access for.
Encryption at rest:
- Confidential data stored at rest is encrypted using the [authenticated encryption with associated data](https://en.wikipedia.org/wiki/Authenticated_encryption) construction [XChaCha20-Poly1305](https://libsodium.gitbook.io/doc/secret-key_cryptography/aead/chacha20-poly1305/xchacha20-poly1305_construction) with 196-bit nonces. Nonces are randomly generated for every encrypted object. When data is read, the authentication tag is checked for tampering.
Encryption in transit:
- Data in transit is protected by Transport Layer Security ([TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security)). See our lab's [SSL Labs report](https://www.ssllabs.com/ssltest/analyze.html?d=authenticate.demo.pomerium.com&latest) .
- For downstream TLS (connections from the user's client to Pomerium)
- The minimum accepted version of TLS is 1.2.
- For TLS 1.2, the following cipher suites are offered, in this order:
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- The following elliptic curves are offered, in this order:
- X25519
- secp256r1
- For upstream TLS (connections from Pomerium to the application or service)
- The minimum accepted version of TLS is 1.2.
- For TLS 1.2, the following cipher suites are supported:
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- AES128-GCM-SHA256
- AES128-SHA
- ECDHE-ECDSA-AES256-SHA
- ECDHE-RSA-AES256-SHA
- AES256-GCM-SHA384
- AES256-SHA
- The following elliptic curves are supported:
- X25519
- P-256
- P-384
- P-521
- [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) (HSTS) with a long duration is used by default.
- [Mutually authenticated](https://en.wikipedia.org/wiki/Mutual_authentication) TLS is used when client side certificates are provided.
## Receiving Security Updates
The best way to receive security announcements is to subscribe to the [pomerium-announce](https://groups.google.com/g/pomerium-announce) mailing list. Any messages pertaining to a security issue will be prefixed with [security].
## Disclosure Process
In general, Pomerium follows [Go's security policy](https://golang.org/security) and uses the following disclosure process:
1. Once the security report is received it is assigned a primary handler. This person coordinates the fix and release process.
2. The issue is confirmed and a list of affected software is determined.
3. Code is audited to find any potential similar problems.
4. Fixes are prepared for the most recent major releases and the head/main revision.
5. When the fixes are applied, announcements are sent to [pomerium-announce](https://groups.google.com/g/pomerium-announce).
This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently.
## Reporting a Security Bug
Please notify us of any potential vulnerability discovered in Pomerium. We will work with you to resolve the issue promptly. Thank you for helping to keep Pomerium and our users safe! Though at this time we do not have a paid bug bounty program, we deeply appreciate any effort to discover and disclose security vulnerabilities responsibly.
All security bugs in Pomerium should be reported by email to security@pomerium.com . Your email will be acknowledged within 48 hours, and you'll receive a more detailed response to your email within 72 hours indicating the next steps in handling your report. This response policy applies only to Pomerium itself, not to our marketing or docs sites.
While researching, we'd like you to refrain from:
- Any form of Denial of Service (DoS)
- Spamming
- Social engineering or phishing of Pomerium employees or contractors
- Any attacks against Pomerium's physical property or data centers
We may revise these guidelines from time to time. The most current version of the guidelines will be available at <https://pomerium.com/docs/community/security>.
Though we accept PGP-encrypted email, please only use it for critical security reports.
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: GPGTools - https://gpgtools.org
xsFNBFuDBCsBEADmvRj1ooWDgyisMiyUvOIFq2l52r2gD2bo6I9RyZUFCm5CO0Ye
rk4POVtG/NPwbvd4dSmA7ePQLWNoMx4bN42B4EUJgqh+U82NKu0qU4eVeew4x+w1
bNmsqa0ZdoSMqONofFoD/ImepOVkZx56LPIJ7hb4/JlYnpPFlphfj06bf8JEqcGI
WgvJcZdXhSS2RDkSfC34EXps6w9aWmgDZKWz56YRcTVPzGJuGw1mfJLL1F9NQq/g
nzW82j+Z9bjVdeVLuEH3QBuKoviyVoIjIJvSCtb92151PMsvRTFpeTbp45Lep+xc
RVGEKhXPW7AA9n3Q57Y0cxWKgSE0agnsjpzUOTMbwl3VyxuwWyxuP2JpGGXXiX9y
4uE27FOb2u8N8WbTVueTKNs2QgqukKcg0XX7b2UpWX4OkhD/U5Nbh3jAvZ9COoK5
TIb/NgJqnMo/ReKFRA8IgXIoKeGn/WJJCe6nPAo+6c+glam9xekHbdH/9PQ5eSOf
lMfzgNXd2OOLYK98KQpRqWIdMqWlt3Ufik+cbsfCnaK9rK4ktiYZdiDHK+Lp7V71
Ng45o/sHnnSjvYKlhBn5EcdpVXw6IKrUW9OUD7l/sga+xa0MMmUF4C2VxYJ+n6Qg
bRZaREvKLbhsqycmq4p+oBpSjyWgP4CRPHkG03PYNFA1/cg7sFUUekmehQARAQAB
zShCb2JieSBEZVNpbW9uZSA8Ym9iYnlkZXNpbW9uZUBnbWFpbC5jb20+wsF4BBMB
CAAsBQJbgwQrCRCu5M8S/obQfgIbAwUJHhM4AAIZAQQLBwkDBRUICgIDBBYAAQIA
AHd0EABezUgLsjeCLDK3JG4VkJkvDAZNKLtzEjZ2pdexWjzREgYvu42d3QNM3fKI
kW6TTb7C08BsiijGaUqtZUCyqH/dN24jw5a4nKKbnqylDUr2XCpWwKVbsF4t+BXR
jADJeRLP+cMbHhLb8CindOo2ZRrzMp912454sCGKw3c27P5NTKJcO9WGArQ39MEl
C2MqIQREdBrkfQsXK7rz26SSqlyrNl7NQDmKRMZLciaibgEP4rfycqierqcDZiTP
2xxTckB4tV3K5ki3s5NV+cYnq38efmUxygnU8wlzbcv9MukvAOLLLKEiSxBzgpZb
ddr8QC/ljmvzGm2qKQFCjBaV4wtk1n6xZ8AjjpP8irxFQwwCxwNEIwx6vt3NQNxm
qL8KXVn617mOc6iS9BvZVzcBzXUh8geIDt7Chqil8kUuPiCpVpY63z+phLHcAen/
NHFJ3OE/CbUcBsw0xDfKF+NWp7hQjbk5lV1ueXV2FTJ/SISEvuJ64CELzCPzGwwE
7Gb0zwOeIMBAJMrPEt+YByu0dxa9vjcgOLeaRzuADtRvJCl3UjoXDC8Vdii1ywBM
wkZcvfW51MOiiKFadZsYjzgBFIJ9rybXyxx8kfzTMpcmGLa7v2zp1+ANZm4Wwb8Z
zJgU+MLlbjJcXIqbdhjC7cgL/1YitXWw1ELDP4F8taV4aWK62M7BTQRbgwQrARAA
pza3CTXb5GUKeBM8YB1Wv5MIauL/bfpCZo3ujhJaN87XtRBQXMfDyznCThz5vraZ
HWpvLQcsaJoMPbC7UbUl2l9yiCCd0y4/b2czzpA1P4rTa6FrSWl4xFi+WLlPiCls
m7xEizBU0PcqsDEGX61o+S2Iiay2jjpOGlDNs3z6gyyGNvjjRd2aRjAACGqqOH75
J+6a4dwISUQ9zP+JkWsmgSZw10PhS4LemXUN2XyIMbJdWKbej8vPjyFXgwjKkBT5
/RCgNGeE+hji/p22DhTIsCOMzVW6nch9B6uXMtpbqtily+hqYkhT9Ke6fInniafN
N8DuFH7YIixbWx9+kg8kRKAknMuqWS/u2d6QZD8lI6uUDO4/EuCaek/oCmJ8aQ+x
kQNMYRbnVlDQ+/WYepnF6nsQgsDELcAJAkNMXm0jnfcfCtZNuh79H6b1yvrPTkB0
2uawLA0NvdVKpv9ZPZy7RLoytVspYUA+T0khcSozzBcjyE9jvd7bic+biIeXyYe2
Zu3KevuvsiLEvifhjAg0FbML/GOYZbayxpe1IWiqzRsq/UX+2E8PJV2NuqbFOj8U
93Jgol+Ag8JAsmnFrJCtKs5diDOS/wd+hljZyuWcWQCaahsFoKMV1ayoVbOJ1XWU
3PAh30enHcGeIg6sV32xhYBO7mTnX51VybRRMAtd4hMAEQEAAcLBdQQYAQgAKQUC
W4MEKwkQruTPEv6G0H4CGwwFCR4TOAAECwcJAwUVCAoCAwQWAAECAACNdxAA3s5s
mvlKZrm5dfBqzCNDQtJtqqFkcOBCNhMKsJKn81YKsvT0yHsj6rfO5hL2uu6NKjkR
K1Dn9IAR2wBt0pJy2bJo9HGfqAxb0JaC6Rgu/MoEYTcRbGUl3N6ywBAUFJ31Ou5F
chzDrJJ37kLjTTHxkW8UXlVZWRs+jVwTTjWL96UXVxYdndeAAxLgceRy0h2h00xF
PoVsjEpoek+yaHhmLWC3wSZ0jveGcB0pT9BI7D/9FZVHQ0DPzlYaXT6eZSLv+5BE
dr+Gv4iwJ0DLF6tHl7bEm1O2iS3PyU59Fu5GOV2R6b/NRW+pYUwZhFz3zQ7GkUJE
V+XBOMUFq5VduuzXZKSmlqr4SSx9SvcDiH7eRjNTX4Hzb+VcWKS/bvSS0efwz5AW
Q9zObT1B/c889rPoiTIDXI4qOhzPmeva89QceRo04QXzi8fujRJoAmqdzW8uiiKO
Edk1J5rzMkfEHMVf1l8z390qNy3VAk++mqQe8ZS2W7/ulNzNt3Gwx54rdOEe5pIl
2QSGEwZgg6zX7C94xlqnxp84axNQghWJfBolMcp0q/yDFjbnRzd2vLUhtzEAosd4
VDw98WyFTbRTTN8ElRptLUsa73raYpKRXN17vB517spEghyT1oyCdHYgaqvRkU7b
ZDRB+exOyJJypi2cSaarxiI2gaMT2wp+dChnQ4k=
=LGUI
-----END PGP PUBLIC KEY BLOCK-----
```


@ -1,120 +0,0 @@
---
title: Glossary
lang: en-US
meta:
- name: keywords
content: pomerium, identity access proxy, beyondcorp, zero-trust, reverse proxy, ztn, zta, zero trust, glossary, terms, definitions
description: A quick reference of commonly used terms.
---
# Glossary
Pomerium's documentation uses a lot of terminology specific to the networking and security space. This glossary defines common terms readers may be unfamiliar with. If you come across an unfamiliar term not listed in this page, please let us know in our [Discuss support forum][support] and we'll add it.
[[toc]]
## General
### Access Token
This general term refers to a string that validates the holder to have a specific set of permissions, issued by an identifying service like an [identity provider]. Most of the access tokens discussed in our docs are [JSON Web Tokens (**JWTs**)][JWT] formatted following the [Oauth 2.0 RFC](https://datatracker.ietf.org/doc/html/rfc6749#section-7.1).
### Context-aware Proxy
A [proxy](https://en.wikipedia.org/wiki/Proxy_server) is an intermediate service between one or more clients or servers. Most of the proxies discussed in our docs are technically [reverse proxies](https://en.wikipedia.org/wiki/Reverse_proxy), sitting between one or more servers and all clients, providing a single point of ingress into a system.
An context-aware proxy can provide contextual access to specific services based on the identity of the client and the state of the device they are using. Using Pomerium, context is provided by the client in the form of a [JWT] issued by the [identity provider], and optionally by the device using a [secure enclave].
### Identity Provider
An identity provider (**IdP**) is used to [authenticate] a user, i.e. confirm their identity. Pomerium uses external IdPs to better integrate into existing environments and to achieve strong separation of services. Pomerium provides [single sign-on] from your IdP to your entire network infrastructure from a single location.
### JavaScript Object Notation
Commonly shortened to **JSON**, [JavaScript object notation](https://en.wikipedia.org/wiki/JSON) is a common format used to represent and share structured sets of data as arrays of key-value pairs.
### JSON Web Key Sets
Usually abbreviate as **JWKS**, this is a [JSON]-formatted set of one or more keys provided by a trusted issuer and used by service to verify [JWTs] provided by a client. Formatting is defined by the [JSON Web Key RFC](https://datatracker.ietf.org/doc/html/rfc7517).
### JSON Web Token
Often referred to as **JWTs**, a JSON web token is a [JSON]-formatted string provided to a user by an [identity provider], which validates the user's identity to subsequent services (such as a [context-aware proxy]). JWTs are formatted according to the [JSON Web Token RFC](https://datatracker.ietf.org/doc/html/rfc7519)
### Namespace
"Namespaces" is an over-saturated term, having different meanings in different contexts. [Pomerium Enterprise][pom-namespace] uses Namespaces to provide separation of access and control to [routes]. Kubernetes uses their [namespaces][k8s-namespace] to isolate groups of resources within a cluster.
### Perimeter
The term "Perimeter" in the context of Pomerium and general networking usually refers to your internal network, and common tools like firewalls used to restrict access to it. [Historically](/docs/background.md#history), most security models used the perimeter as the main layer of protection to a network system. The principles of [zero trust] assume that the perimeter can be (and likely is) compromised, and require security between each connection, including those between internal services.
### Policy
Pomerium allows administrators to define authorization policies dictating what combination of users, groups, devices, etc, have access to protected services. Open-source Pomerium defines a unique policy to every [route], while Pomerium Enterprise can define reusable policies at the global and [namespace] level.
### Route
Specific to Pomerium, a route is a defined path from outside the network (via a public domain) to an internal service. Routes can be defined in the [configuration](/reference/readme.md#routes) for open-source Pomerium or the [Pomerium Enterprise Console][pom-routes].
### Single Sign-On
Single Sign-On (**SSO**) is the most frequently asked for requirement by enterprise organizations looking to adopt new SaaS applications. SSO enables authentication via an organizations [identity provider], such as [Google Workspace](/docs/identity-providers/google.md) or [Okta](/docs/identity-providers/okta.md), as opposed to users or IT admins managing hundreds, if not thousands, of usernames and passwords.
### Stateless
Another overloaded term in the tech space, we use the term stateless when talking about Pomerium's Proxy, Authenticate, and Authorize [components](/docs/architecture.md#component-level). They are stateless because they rely on the Databroker component to provide persistent data. This means that the other services can be destroyed, recreated, and scaled horizontally without any data loss.
## Networking
### Custom Resource Definition
A custom resource definition (**CRD**) defines a custom resource that extends the Kubernetes API to provide additional functionality specific to a custom software set. For example, [cert-manager](https://cert-manager.io/) defines certificate issuers [using a CRD](https://github.com/cert-manager/sample-external-issuer/blob/main/config/crd/bases/sample-issuer.example.com_issuers.yaml).
### East-west Traffic
[East-west traffic](https://en.wikipedia.org/wiki/East-west_traffic) refers to network communication between services within an internal network, Kubernetes cluster, private cloud network, etc. This term differentiates this communication from [north-south traffic].
### HTTP Strict Transport Security
Usually shortened to **HSTS**, this is a policy whereby a site secured with [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) provides a response header defining a period of time (usually set to a year or more) during which the browser should only access the server over TLS, and only when it provides the same certificate. This policy helps mitigate man-in-the-middle (**MiTM**) attacks. We suggest only defining an HSTS policy after a service has been fully configured and tested to avoid issues when switching from development to production certificates.
### North-south Traffic
[North-south traffic](https://en.wikipedia.org/wiki/North-south_traffic) refers to network communication from end users to services within an internal network, Kubernetes cluster, private cloud network, etc. This term differentiates this communication from [east-west traffic].
### Upstream / Downstream
When discussing traffic between end users and services, we use "upstream" to refer to the services and/or service mesh that Pomerium protects & secures. Inversely, "downstream" refers to traffic between Pomerium and end users, or any other party connecting from the Internet.
## Security
### Authentication
Abbreviated as **AuthN**, this refers to the validation of a user's identity. It can also refer to validation of an user's [device](/docs/topics/device-identity.md). Access to a protected resource is usually granted only after a client's authentication and [authorization] are validated. This is usually done by verifying the [JWT] provided by the client.
### Authorization
Abbreviated as **AuthZ**, authorization is the process of validating a client's access to a protected resource. This is usually done after a client as been [authenticated], and is determined by comparing the contents of the clients [JWT] against the [policies] present for the [route].
### Least User Privilege
"Least user privilege" is a core concept of the [zero trust] model. It's the practice of only providing a user as much access to protected systems as is required for them to operate in their job's function. This is a risk-mitigation strategy; since compromised user credentials can only be used to access services they are granted access to, users that do not need access to highly sensitive services should not have them.
### Mutual Authentication
Mutual authentication is the security strategy of having both sides of a connection validate the identity of the other. This reduces the possibility of bad actors to impersonate valid communication endpoints. This topic is discussed in detail in [Mutual Authentication: A Component of Zero Trust](/docs/topics/mutual-auth.md).
### Secure Enclave
A Secure Enclave is a sub-component or device physically bound to a specific device that can safely store sensitive data used to validate [device identity](/docs/topics/device-identity.md).
### Security Keys
Security keys are often used to provide a physical resource to perform multi-factor authentication (**MFA**). Common examples include Yubico's Yubikey and Google's Titan Security Key.
### Trusted Execution Environment
A **TEE** is a physical method of executing cryptographic functions using data that cannot be accessed by the rest of the physical device. This is a core part of [device identity](/docs/topics/device-identity.md) validation.
### Zero Trust
Zero trust is a philosophy and/or framework for security models that includes several facets. We go into detail in our [Background](/docs/background.md#zero-trust) page, but briefly: zero-trust assumes that any one method of security is fallible, and defines a set of security principles that work in concert to provide the highest security without over-burdening administrators, end users, or network devices with extraneous overhead.
[authenticate]: #authentication
[authenticated]: #authentication
[authorization]: #authorization
[east-west traffic]: #east-west-traffic
[identity provider]: #identity-provider
[context-aware proxy]: #context-aware-proxy
[JSON]: #javascript-object-notation
[JWT]: #json-web-token
[JWTs]: #json-web-token
[k8s-namespace]: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
[namespace]: #namespace
[north-south traffic]: #north-south-traffic
[policies]: #policy
[Pomerium Enterprise]: /enterprise/about.md
[pom-namespace]: /enterprise/concepts.md#namespaces
[pom-routes]: /enterprise/concepts.md#routes
[route]: #route
[routes]: #route
[secure enclave]: #secure-enclave
[single sign-on]: #single-sign-on
[support]: https://discuss.pomerium.com/c/support/9
[zero trust]: #zero-trust


@ -1,106 +0,0 @@
---
title: Auth0
lang: en-US
sidebarDepth: 0
meta:
- name: keywords
content: auth0, pomerium, identity provider, idp
---
# Auth0
This page documents configuring an [Auth0] Web Application and Machine to Machine Application for Pomerium to read user data. It assumes you have already [installed Pomerium](/docs/install/readme.md).
::: warning
While we do our best to keep our documentation up to date, changes to third-party systems are outside our control. Refer to [Applications in Auth0](https://auth0.com/docs/applications) from Auth0's docs as needed, or [let us know](https://github.com/pomerium/pomerium/issues/new?assignees=&labels=&template=bug_report.md) if we need to re-visit this page.
:::
[Log in to your Auth0 account](https://manage.auth0.com/) and head to your dashboard. Select **Applications → Applications** on the left menu. On the Applications page, click the **Create Application** button to create a new app.
![Auth0 Applications Dashboard](./img/auth0/dashboard.png)
## Create Regular Web Application
1. On the **Create New Application** page, name your application and select the **Regular Web Application** for your application. This is the application that your users will login to.
![Auth0 Create Application Select Platform](./img/auth0/create.png)
1. Under the **Settings** tab, note the **Domain**, **Client ID**, and **Client Secret** values. We'll provide these to Pomerium at the end of the process.
1. Provide the following information for your application settings:
| Field | Description |
| ---------------------------- | ------------------------------------------------------------------------- |
| Name | The name of your application. |
| Application Login URI | [Authenticate Service URL] (e.g. `https://${authenticate_service_url}`) |
| Allowed Callback URLs | Redirect URL (e.g. `https://${authenticate_service_url}/oauth2/callback`).|
1. Under **Advanced Settings****OAuth**, confirm that **JSON Web Token (JWT) Signature Algorithm** is set to "RS256".
1. Click **Save Changes** at the bottom of the page when you're done.
## Service Account
Next, we'll create an application to handle machine-to-machine communication from Pomerium to Auth0 in order to retrieve and establish group membership.
::: tip
Auth0 refers to groups as roles.
:::
1. Repeat the process in step 1 above to create a new application, but this time select **Machine to Machine Application**. A different application is used for grabbing roles to keep things more secure.
![Auth Create Application Select Service Account Platform](./img/auth0/create-m2m.png)
Click **Create**.
1. On the next page select **Auth0 Management API** from the dropdown. Under **Permissions** use the filter on the right to narrow things down to `role`, and choose the `read:roles` and `read:role_members` roles.
![Auth0 Management API Scopes](./img/auth0/m2m-scopes.png)
Then click **Authorize**.
1. Just like the previous step, retrieve the **Client ID** and **Client Secret** from the **Settings** tab. To build the `idp_service_account` value for Pomerium's configuration, you must base64-encode a JSON document containing the **Client ID** and **Client Secret** of the application:
```json
{
"client_id": "...",
"secret": "..."
}
```
If you save this JSON document as a temporary file, you can encode it like this:
```bash
cat json.tmp | base64 -w 0
```
## Configure Pomerium
You can now configure Pomerium with the identity provider settings retrieved in the previous steps. Your `config.yaml` keys or [environmental variables] should look something like this.
:::: tabs
::: tab config.yaml
```yaml
idp_provider: "auth0"
idp_provider_url: "https://awesome-company.auth0.com"
idp_client_id: "REPLACE_ME" # from the web application
idp_client_secret: "REPLACE_ME" # from the web application
idp_service_account: "REPLACE_ME" # built from the machine-to-machine application, base64-encoded
```
:::
::: tab Environment Variables
```bash
IDP_PROVIDER="auth0"
IDP_PROVIDER_URL="https://awesome-company.auth0.com"
IDP_CLIENT_ID="REPLACE_ME" # from the web application
IDP_CLIENT_SECRET="REPLACE_ME" # from the web application
IDP_SERVICE_ACCOUNT="REPLACE_ME" # built from the machine-to-machine application, base64-encoded
```
:::
::::
[Auth0]: https://auth0.com/
[authenticate service url]: /reference/readme.md#authenticate-service-url
[environmental variables]: https://en.wikipedia.org/wiki/Environment_variable


@ -1,158 +0,0 @@
---
title: Azure AD
lang: en-US
sidebarDepth: 0
meta:
- name: keywords
content: azure, active directory, ad, microsoft, identity provider, idp
---
# Azure Active Directory
This page will help you configure Pomerium to use your Azure Active Directory as an IdP. It assumes you have already [installed Pomerium](/docs/install/readme.md)
::: warning
While we do our best to keep our documentation up to date, changes to third-party systems are outside our control. Refer to [Quickstart: Register an application with the Microsoft identity platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) from Microsoft's documentation as needed, or [let us know](https://github.com/pomerium/pomerium/issues/new?assignees=&labels=&template=bug_report.md) if we need to re-visit this page.
:::
If you plan on allowing users to log in using a Microsoft Azure Active Directory account, either from your company or from external directories, you must register your application through the Microsoft Azure portal. If you don't have a Microsoft Azure account, you can [signup](https://azure.microsoft.com/en-us/free) for free.
You can access the Azure management portal from your Microsoft service, or visit <https://portal.azure.com> and sign in to Azure using the global administrator account used to create the Office 365 organization.
::: tip
There is no way to create an application that integrates with Microsoft Azure AD without having **your own** Microsoft Azure AD instance.
:::
If you have an Office 365 account, you can use the account's Azure AD instance instead of creating a new one. To find your Office 365 account's Azure AD instance:
1. [Sign in](https://portal.office.com) to Office 365.
1. Navigate to the [Office 365 Admin Center](https://portal.office.com/adminportal/home#/homepage).
1. Open the **Admin centers** menu drawer located in the left menu.
1. Click on **Azure AD**.
This will bring you to the admin center of the Azure AD instance backing your Office 365 account.
## Create a New Application
1. Login to Microsoft Azure and choose **Azure Active Directory**.
![Select Active Directory](./img/azure/azure-dashboard.png)
1. Under **Manage**, select **App registrations**.
![Select App registrations](./img/azure/azure-app-registrations.png)
Then click on the **+ New registration** button to add a new application.
1. Enter a name for the application, and set the redirect URI as `https://${authenticate_service_url}/oauth2/callback`. You can confirm your authenticate service URL from your Pomerium configuration.
![Create application form](./img/azure/azure-create-application.png)
After you register the application, note the Application (client) ID, and Directory (tenant) ID.
1. Under Client credentials, click **Add a certificate or secret**. The secret you create will be used as the **[Client Secret]** in Pomerium's configuration settings.
1. Under **Client secrets** click **+ New client secret**. Enter a name for the key and choose the desired duration.
![Creating a Key](./img/azure/azure-create-key.png)
::: tip
If you choose an expiring key, make sure to record the expiration date in your calendar, as you will need to renew the key (get a new one) before that day to ensure users don't experience a service interruption.
:::
Click on **Add** and the key will be displayed. **Make sure to copy the value of this key before leaving this screen**, otherwise you may need to create a new key.
### API Permissions
In order to retrieve group information from Active Directory, we need to enable the necessary permissions for the [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/auth-v2-service#azure-ad-endpoint-considerations).
Please note, [Group ID](https://docs.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0&tabs=http) not group name will be used to affirm group membership.
1. From the application page, click **API permissions**. Click the **+ Add a permission** button and select **Microsoft Graph API**. Select **Application permissions**. Use the filter to select the checkboxes for **Directory.Read.All**, **Group.Read.All** and **User.Read.All**, then click **Add permissions**.
![Azure add group membership claims](./img/azure/azure-api-permissions.png)
You can also optionally select **Grant admin consent for Default Directory** which will suppress the permission screen on first login for users.
1. The most unique step to Azure AD provider, is to take note of your specific endpoint. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app.
![Application dashboard](./img/azure/azure-application-dashboard.png)
Click on **Endpoints**
![Endpoint details](./img/azure/azure-endpoints.png)
The **OpenID Connect Metadata Document** value will form the basis for Pomerium's **Provider URL** setting.
For example if the **Azure OpenID Connect** url is:
```bash
https://login.microsoftonline.com/0303f438-3c5c-4190-9854-08d3eb31bd9f/v2.0/.well-known/openid-configuration`
```
**Pomerium Identity Provider URL** would be
```bash
https://login.microsoftonline.com/0303f438-3c5c-4190-9854-08d3eb31bd9f/v2.0
```
## Service Account (Optional)
::: tip
By default, this information will be inferred from your provider URL, and you should not need to set this key. If you are using a different [OAuth2] credential set, you may need to set these values separately.
:::
To use `allowed_groups` in a policy an `idp_service_account` needs to be set in the Pomerium configuration. The service account for Azure AD uses the same [client ID] and client secret configured above, as well as the directory (tenant) ID:
![Application dashboard](./img/azure/azure-application-dashboard.png)
The format of the `idp_service_account` for Azure AD is a base64-encoded JSON document:
```json
{
"client_id": "...",
"client_secret": "...",
"directory_id": "..."
}
```
## Pomerium Configuration
Configure Pomerium with the identity provider settings retrieved in the previous steps.
:::: tabs
::: tab config.yaml
```bash
idp_provider: "azure"
idp_provider_url: "https://login.microsoftonline.com/{REPLACE-ME-SEE-ABOVE}/v2.0"
idp_client_id: "REPLACE-ME"
idp_client_secret: "REPLACE-ME"
# Optional, if service account credentials are different
# or cannot be inferred from the above credential set.
# idp_service_account: "REPLACE-ME-SEE-ABOVE"
```
:::
::: tab Environment Variables
```bash
IDP_PROVIDER="azure"
IDP_PROVIDER_URL="https://login.microsoftonline.com/{REPLACE-ME-SEE-ABOVE}/v2.0"
IDP_CLIENT_ID="REPLACE-ME"
IDP_CLIENT_SECRET="REPLACE-ME"
# Optional, if service account credentials are different
# or cannot be inferred from the above credential set.
# IDP_SERVICE_ACCOUNT="REPLACE-ME-SEE-ABOVE"
```
:::
::::
## Troubleshooting
- In our testing, we found that users could be created in an Active Directory without an email address as part of their user claim. Pomerium user identity depends largely on the associated email address.
- If your default user in the Active Directory is unauthorized (403) even when specified as allowed in a policy by user, you can mitigate by creating a group membership and corresponding policy.
[client id]: /reference/readme.md#identity-provider-client-id
[client secret]: /reference/readme.md#identity-provider-client-secret
[environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
[oauth2]: https://oauth.net/2/


@ -1,117 +0,0 @@
---
title: Cognito
lang: en-US
# sidebarDepth: 0
meta:
- name: keywords
content: amazon, aws, cognito, openid, oidc, identity provider, idp
---
# Cognito
This document describes the use of AWS Cognito as an identity provider with Pomerium. It assumes you have already [installed Pomerium](/docs/install/readme.md)
## Setting up AWS Cognito
### Create a User Pool
1. Log in to the [AWS Console](https://console.aws.amazon.com) account. Go to **Services** on the top menu, and search for **Cognito**:
![AWS Cognito Services](./img/cognito/cognito-service.png)
1. Once you have selected **Cognito**, you will be presented with the option of **Manage User Pools** or **Manage Identity Pools**. Pick **Manage User Pools**:
![AWS Cognito User or Identity Pools](./img/cognito/cognito-pools.png)
1. The next page shows any User Pools you have already created, or the option to **Create a User Pool**:
![AWS Cognito Creating User Pool](./img/cognito/cognito-create-pool.png)
1. Give the pool a name, then choose to either **Review defaults** or **Step through settings**. It is up to you whether you choose to Review the defaults (and make some customization) or set up every setting individually.
![AWS Cognito Naming User Pool](./img/cognito/cognito-user-pool-name.png)
1. Assuming you selected **Review defaults**, you will see the following:
![AWS Cognito Pool Settings](./img/cognito/cognito-pool-settings.png)
You can enable Multi-Factor Authentication (MFA), change your Password requirements, Tag the pool, among many other settings.
::: tip
If you need to make changes after creating your pool, be aware that some settings will recreate the pool rather than update the existing pool. This will also generate new **Client IDs** and **Client Secrets**. An example would be changing _How do you want your end users to sign in?_ in **Attributes** from **Username** to **Email address or phone number**.
:::
### Create an App Client
1. Once the pool is created, create an **App Client** under **General settings**. This is where you configure the Pomerium application settings. Choose **Add an App Client**:
![AWS Cognito Create App Client](./img/cognito/cognito-app-client-create.png)
1. Once the client is created, retrieve the **Client ID**, and the **Client Secret** by clicking **Show Details**.
![AWS Cognito App Client Details](./img/cognito/cognito-app-client-details.png)
1. Go to **App client settings** (in the Side menu under **App Integration**)
![AWS Cognito Side Menu](./img/cognito/cognito-side-menu.png)
In the settings for **Pomerium** app, put in the following details
| **Field** | **Description** |
| -------------------------- | -------------------------------------------------------------------------------------------- |
| Enabled Identity Providers | Choose **Cognito User Pool**, unless you have set up another **Identity Provider** (eg SAML) |
| Callback URL(s) | https://${authenticate_service_url}/oauth2/callback |
| Allowed OAuth Flows | Authorization code grant |
| Allowed OAuth Scopes | Email, OpenID, Profile |
1. **IMPORTANT**: For OAuth2 to work correctly with AWS Cognito, you must configure a **Domain name**. This is under **App integration** in the side menu
![AWS Cognito Domain Name](./img/cognito/cognito-domain-name.png)
You can choose whether to use your own **Domain Name**, or use an AWS-provided one. The AWS-provided domain names are in the format `https://${DOMAIN-PREFIX}.auth.${AWS-REGION}.amazoncognito.com`
## Pomerium Configuration
Once you have configured AWS Cognito, configure Pomerium to connext to it:
:::: tabs
::: tab config.yaml
```yaml
idp_provider: "oidc"
idp_provider_url: "https://cognito-idp.${AWS-REGION}.amazonaws.com/${USER-POOL-ID}"
idp_client_id: "304a12ktcc5djt9d7enj6dsjkg"
idp_client_secret: "1re5ukkv3dab6up5aefv7rru65lu60oblf04t6cv8u9s0itjbci7"
idp_scopes: "openid,profile,email"
```
:::
::: tab Environment Variables
```bash
IDP_PROVIDER="oidc"
IDP_PROVIDER_URL="https://cognito-idp.${AWS-REGION}.amazonaws.com/${USER-POOL-ID}"
IDP_CLIENT_ID="304a12ktcc5djt9d7enj6dsjkg"
IDP_CLIENT_SECRET="1re5ukkv3dab6up5aefv7rru65lu60oblf04t6cv8u9s0itjbci7"
IDP_SCOPES="openid,profile,email"
```
:::
::: tab Kubernetes ConfigMap
```yaml
apiVersion: v1
data:
config.yaml: |
# Main configuration flags : https://www.pomerium.io/reference/
authenticate_service_url: https://k8s-auth-prod.example.com # The URL you have set up for the Pomerium Authentication service
authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
idp_provider: oidc
idp_provider_url: https://cognito-idp.${AWS-REGION}.amazonaws.com/${USER_POOL_ID}
idp_client_id: 304a12ktcc5djt9d7enj6dsjkg
idp_client_secret: "1re5ukkv3dab6up5aefv7rru65lu60oblf04t6cv8u9s0itjbci7"
idp_scopes: ["openid", "email", "profile"]
kind: ConfigMap
metadata:
name: pomerium-config
```
:::
::::
To retrieve the **User Pool ID**, go to **General Settings** in the Cognito Side menu within your pool. The **Pool ID** is just above the **Pool ARN**.


@ -1,175 +0,0 @@
---
title: FreeIPA with Dex
description: >-
This article describes how to connect Pomerium to third-party identity
providers / single-sign-on services. You will need to generate keys, copy
these into your Pomerium settings, and enable the connection.
---
### Pomerium-Dex-Freeipa Exercise
**This exercise depicts the authentication flow for the services which don't have authentication flow**
*Flow with the diagram*
![alt text](https://github.com/dharmendrakariya/pomerium-dex/blob/main/image.jpg?raw=true)
1. User makes an unauthenticated request to the service
2. Pomerium proxy receives the request and recognizes it as anonymous
3. It redirects the user to the auth provider for authentication
4. Upon successful login, Pomerium provides an auth cookie to the user.
5. Based on the cookie, Pomerium identifies the user and checks policy to determine whether to permit access. Authorization is based on identity factors like id, email, group, role, or email domain.
6. When the cookie expires, the login flow gets triggered all over again.
*Here is our flow for accessing nextcloud service*
1. User access https://hello.YOURDOMAIN.dev
2. It will be redirected to the https://authenticate.YOURDOMAIN.dev (which is pomerium's authenticate service url)
3. Pomerium's authenticate service will redirect this to check at oidc provider( in our case DEX).
4. Dex(which is backed by FreeIpa in our case, freeipa's LDAP as backend) will check if the user is valid or not and after that flow gets redirected to pomerium back if user is valid.
5. User is finally redirected to the nextcloud service if all goes well.
Now to implement this flow we have configured static dex client ```pom``` with pomerium's authenticate service redirectURL
```Note: I am using dex helm chart and in backend freeipa as a ldap server```
```yaml
connectors:
- config:
bindDN: uid=dex,cn=sysaccounts,cn=etc,dc=YOURDOMAIN,dc=dev
bindPW: mN****tG****
host: freeipa.YOURDOMAIN.dev:636
insecureNoSSL: false
insecureSkipVerify: true
# (Group Search )
groupSearch:
baseDN: cn=groups,cn=accounts,dc=YOURDOMAIN,dc=dev
filter: "(|(objectClass=posixGroup)(objectClass=group))"
userAttr: DN # Use "DN" here not "uid"
groupAttr: member
nameAttr: cn
# (User Search)
userSearch:
baseDN: cn=users,cn=accounts,dc=YOURDOMAIN,dc=dev
emailAttr: mail
filter: ""
idAttr: uidNumber
nameAttr: displayName
preferredUsernameAttr: uid
username: mail
usernamePrompt: Email
id: ldap
name: FreeIPA/LDAP
type: ldap
issuer: http://dex.YOURDOMAIN.dev
logger:
level: debug
oauth2:
responseTypes:
- code
skipApprovalScreen: false
staticClients:
# (Here I am creating static client for pomerium)
- id: pom
name: pom
redirectURIs:
# (pomerium authenticate service url)
- https://authenticate.YOURDOMAIN.dev/oauth2/callback
secret: pomerium
```
Below is configuration which supposed to be done in Pomerium
```Note: I am using Pomerium helm chart```
```yaml
config:
# routes under this wildcard domain are handled by pomerium
rootDomain: YOURDOMAIN.dev
policy:
# (give any name instead of hello, this will be the proxy url to access the particular service)
- from: https://hello.YOURDOMAIN.dev
# (give fqdn of the actual service which is being authenticated, here I am giving nextcloud service endpoint, which is running in nextcloud namespace)
to: http://nextcloud.nextcloud.svc.cluster.local:8080
# allowed_domains:
#(in general give here your domain)
# - YOURDOMAIN.dev
# (If you want to give access to particular group members, I have tested this by creating devops group and members in that group, in freeipa)
allowed_groups:
- devops
# (If you want to give access to particular group members, I have tested this by creating devops group and members in that group, in freeipa)
allowed_idp_claims:
groups:
- devops
# (I didn't specify the root level CAs so)
insecure: true
extraEnv:
# (This will give you details if user is not able to authenticate, ideally this should be turned off)
POMERIUM_DEBUG: true
LOG_LEVEL: "error"
IDP_SCOPES: "openid,profile,email,groups,offline_access"
authenticate:
# (This we have set in dex's static client also remember! should be same)
redirectUrl: "https://authenticate.YOURDOMAIN.dev/oauth2/callback"
idp:
provider: oidc
clientID: pom
clientSecret: pomerium
# (your dex url)
url: http://dex.YOURDOMAIN.dev
scopes: "openid profile email groups offline_access"
# (for group based access policy)
serviceAccount: "pomerium-authenticate"
ingress:
enabled: true
authenticate:
name: ""
secretName: ""
secret:
name: ""
cert: ""
key: ""
tls:
hosts: []
hosts: []
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/ingress.allow-http: "true"
resources:
limits:
cpu: 150m
memory: 100Mi
requests:
cpu: 100m
memory: 100Mi
```


@ -1,94 +0,0 @@
---
title: GitHub
lang: en-US
# sidebarDepth: 0
meta:
- name: keywords
content: github, oauth2, provider, identity provider, idp
---
# GitHub
This document describes the use of GitHub as an identity provider for Pomerium. It assumes you have already [installed Pomerium](/docs/install/readme.md)
::: warning
The [GitHub API] does not support [OpenID Connect], just [OAuth 2.0].
For this reason, it was challenging to implement revocation of a user's **Access Token** (a string representing the granted permissions) when they sign out from Pomerium's user info endpoint.
:::
In addition, the teams of the organization(s) a user belongs to, will be used as groups on Pomerium.
## Create a GitHub OAuth 2.0 Application
1. Log in to [Github](https://github.com/login) or create an account.
1. Navigate to your profile using the avatar on the navigation bar, and select **Settings**:
1. Navigate to **Developer settings ➞ OAuth Apps** and select **New OAuth App**.
![GitHub OAuth2 Application creation](./img/github/github-oauth-creation.png)
1. Create a new OAuth2 application by filling the form fields above with the following parameters:
| Field | Description |
| --------------------------- | ------------------------------------------------------------------- |
| Application name | The name of your web app. |
| Homepage URL | The homepage URL of the application to be integrated with Pomerium. |
| Authorization callback URL | `https://${authenticate_service_url}/oauth2/callback`, `authenticate_service_url` from your Pomerium configuration. |
1. After creating the application, select **Generate a new client secret** and save **Client Secret** along with the **Client ID**.
## Create a Service Account
To use `allowed_groups` in a policy, an `idp_service_account` needs to be set in the Pomerium configuration. The Service Account for GitHub should be a personal access token with `read:org` permissions
1. Create a new token at [github.com/settings/tokens/new](https://github.com/settings/tokens/new).
![Personal Access Token](./img/github/github-personal-access-token.png)
1. The format of the `idp_service_account` for GitHub is a base64-encoded JSON document:
```json
{
"username": "YOUR_GITHUB_USERNAME",
"personal_access_token": "GENERATED_GITHUB_ACCESS_TOKEN"
}
```
You can save the object as a temporary file to encode:
```bash
cat tmp.json | base64 -w 0
```
## Pomerium Configuration
After creating your GitHub OAuth application, update the **Pomerium** configuration:
:::: tabs
::: tab config.yaml
```bash
idp_provider: "github"
idp_client_id: "REDACTED" // github application ID
idp_client_secret: "REDACTED" // github application secret
idp_service_account: "REDACTED" // github service account (personal access token)
```
:::
::: tab Environment Variables
```bash
IDP_PROVIDER="github"
IDP_CLIENT_ID="REDACTED" // github application ID
IDP_CLIENT_SECRET="REDACTED" // github application secret
IDP_SERVICE_ACCOUNT="REDACTED" // github service account (personal access token)
```
:::
::::
Whenever a user tries to access your application integrated with Pomerium, they will be presented with a sign-on page as below:
![GitHub Sign-on Page](./img/github/github-signon-page.png)
[Github API]: https://developer.github.com/v3/#oauth2-token-sent-in-a-header
[openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect
[OAuth 2.0]: https://auth0.com/docs/protocols/oauth2


@ -1,120 +0,0 @@
---
title: GitLab
lang: en-US
sidebarDepth: 0
meta:
- name: keywords
content: gitlab, oidc, openid connect, identity provider, idp
---
# GitLab
This document details how to use GitLab as an identity provider with Pomerium. It assumes you have already [installed Pomerium](/docs/install/readme.md)
::: warning
While we do our best to keep our documentation up to date, changes to third-party systems are outside our control. Refer to [GitLab as an OAuth 2.0 authentication service provider](https://docs.gitlab.com/ee/integration/oauth_provider.html) from GitLab's docs as needed, or [let us know](https://github.com/pomerium/pomerium/issues/new?assignees=&labels=&template=bug_report.md) if we need to re-visit this page.
:::
## Setting up GitLab OAuth2 for your Application
1. Log in to your GitLab account or create one [here](https://gitlab.com/users/sign_in). If you're using a self-hosted instance, log in to your custom GitLab domain.
1. From the User Settings area, select [**Applications**](https://gitlab.com/-/profile/applications). Create a new application:
![create an application](./img/gitlab/gitlab-create-applications.png)
1. Add a new application by setting the following parameters:
Field | Description
------------ | ---------------------------------------------------------------------------------
Name | The name of your web app
Redirect URI | `https://${authenticate_service_url}/oauth2/callback`
Scopes | `openid`, `profile`, `email`
Click **Save application**.
1. Your **Application ID** and **Secret** will be displayed:
![Gitlab OAuth Client ID and Secret](./img/gitlab/gitlab-credentials.png)
Note the ID and Secret to apply in Pomerium's settings.
## Service Account
To use `allowed_groups` in a policy, an `idp_service_account` needs to be set in the Pomerium configuration. The service account for Gitlab uses a personal access token generated at: [gitlab.com/-/profile/personal_access_tokens](https://gitlab.com/-/profile/personal_access_tokens) with `read_api` access:
![Gitlab Personal Access Token](./img/gitlab/gitlab-personal-access-token.png)
The format of the `idp_service_account` for Gitlab is a base64-encoded JSON document:
```json
{
"private_token": "..."
}
```
If you save this JSON document as a temporary file, you can encode it like this:
```bash
cat json.tmp | base64 -w 0
```
## Pomerium Configuration
Edit your Pomerium configuration to provide the Client ID, secret, service credentials, and domain (for self-hosted instances):
### GitLab.com
:::: tabs
::: tab config.yaml
```yaml
idp_provider: "gitlab"
idp_client_id: "REDACTED" # gitlab application ID
idp_client_secret: "REDACTED" # gitlab application secret
idp_service_account: "REDACTED" # gitlab service account, base64-encoded json
```
:::
::: tab Environment Variables
```bash
IDP_PROVIDER="gitlab"
IDP_CLIENT_ID="REDACTED" # gitlab application ID
IDP_CLIENT_SECRET="REDACTED" # gitlab application secret
IDP_SERVICE_ACCOUNT="REDACTED" # gitlab service account, base64-encoded json
```
:::
::::
### Self-Hosted GitLab
Self-hosted CE/EE instances should be configured as a generic OpenID Connect provider:
:::: tabs
::: tab config.yaml
```yaml
idp_provider: oidc
idp_client_id: "REDACTED"
idp_client_secret: "REDACTED"
idp_scopes: openid,profile,email
idp_provider_url: https://gitlab.example.com # Base URL of GitLab instance
idp_service_account: "REDACTED" # gitlab service account, base64-encoded json
```
:::
::: tab Environment Variables
```bash
IDP_PROVIDER="oidc"
IDP_CLIENT_ID="REDACTED"
IDP_CLIENT_SECRET="REDACTED"
IDP_SCOPES="openid,profile,email"
IDP_PROVIDER_URL="https://gitlab.example.com" # Base URL of GitLab instance
IDP_SERVICE_ACCOUNT="REDACTED" # gitlab service account, base64-encoded json
```
:::
::::
---
When a user first uses Pomerium to login, they are presented with an authorization screen:
![gitlab access authorization screen](./img/gitlab/gitlab-verify-access.png)
Please be aware that [Group ID](https://docs.gitlab.com/ee/api/groups.html#details-of-a-group) will be used to affirm group(s) a user belongs to.


@ -1,163 +0,0 @@
---
title: Google
lang: en-US
sidebarDepth: 0
meta:
- name: keywords
content: google, gsuite, gmail, oidc, openid connect, workspaces, identity provider, idp
---
# Google Workspace (formerly known as G Suite)
This guide covers the basics of setting up Pomerium to use GCP and Google Workspace / G Suite as your identity provider.
::: warning
Google changes their configuration screens frequently. Please refer to Google's documentation for authoritative instructions.
- [Setting up OAuth 2.0](https://developers.google.com/identity/protocols/oauth2/openid-connect)
- [Perform Google Workspace Domain-Wide Delegation of Authority](https://developers.google.com/admin-sdk/directory/v1/guides/delegation)
:::
## Setting up OAuth 2.0
You need [OAuth 2.0 credentials](https://developers.google.com/identity/protocols/oauth2/openid-connect), including a client ID and client secret, to authenticate users.
### Create OAuth 2.0
Log in to your Google account and go to the [APIs & services](https://console.developers.google.com/projectselector/apis/credentials).
1. Navigate to **Credentials** using the left-hand menu.
2. On the **Credentials** page, click **Create credentials** and choose **OAuth [Client ID]**.
![Create New Credentials](./img/google/google-credentials.png)
::: warning
If you don't currently have an OAuth consent page configured, Google will not allow you to create credentials until this is completed. Please follow Google's [instructions](https://developers.google.com/identity/protocols/oauth2/openid-connect#consentpageexperience) for doing so.
:::
### Set a redirect URI
The redirect URI that you set in the API Console tells Google where Pomerium's authentication callback URL is. On the **Create [Client ID]** page, select **Web application**.
To create, view, or edit the redirect URIs for a given OAuth 2.0 credential, do the following:
1. Go to the [Credentials](https://console.developers.google.com/apis/credentials) page.
2. In the OAuth 2.0 client IDs section of the page, click a credential.
3. View or edit the redirect URIs.
If there is no OAuth 2.0 client IDs section on the Credentials page, then your project has no OAuth credentials. To create one, click Create credentials.
Field | Description
------------ | ------------------------------------------------------------------------
Name | The name of your web app
Redirect URI | Redirect URL `https://${authenticate_service_url}/oauth2/callback` (e.g.`https://authenticate.localhost.pomerium.io/oauth2/callback`)
![Web App Credentials Configuration](./img/google/google-create-client-id-config.png)
## Setting up directory Sync
### Create a service account
In order to have Pomerium validate group membership, we'll also need to configure a [service account](https://console.cloud.google.com/iam-admin/serviceaccounts) with [G-suite domain-wide delegation](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) enabled.
1. Open the [**Service accounts** page](https://console.developers.google.com/iam-admin/serviceaccounts). If prompted, select a project.
2. Click add **Create Service Account**, enter a name and description for the service account. You can use the default service account ID, or choose a different, unique one. When done click **Create**.
3. The **Service account permissions (optional)** section that follows is not required. Click **Continue**.
4. On the **Grant users access to this service account** screen, scroll down to the **Create key** section. Click add **Create key**.
5. In the side panel that appears, select the format for your key: **JSON**.
6. Click **Create**. Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of this key. For information on how to store it securely, see [Managing service account keys](https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys).
7. Click **Close** on the **Private key saved to your computer** dialog, then click **Done** to return to the table of your service accounts.
Next, we need to enable enable G Suite domain-wide delegation, follow these steps:
1. Locate the newly-created service account in the table. Under **Actions**, click **Edit**.
2. In the service account details, click expand_more **Show domain-wide delegation**, then ensure the **Enable G Suite Domain-wide Delegation** checkbox is checked.
3. If you haven't yet configured your app's OAuth consent screen, you must do so before you can enable domain-wide delegation. Follow the on-screen instructions to [configure the OAuth consent screen](https://support.google.com/cloud/answer/10311615?hl=en&ref_topic=3473162#), then repeat the above steps and re-check the checkbox.
4. Click **Save** to update the service account, and return to the table of service accounts. A new column, **Domain-wide delegation**, can be seen. Click **View Client ID**, to obtain and make a note of the client ID.
### Set the impersonating user
Then, you'll need to manually open an editor and add an `impersonate_user` field to the downloaded public/private key file. In this case, we'd be impersonating the admin account `user@pomerium.io`.
::: warning
[Google requires](https://stackoverflow.com/questions/48585700/is-it-possible-to-call-apis-from-service-account-without-acting-on-behalf-of-a-u/48601364#48601364) that service accounts act on behalf of another user. You MUST add the `impersonate_user` field to your json key file.
:::
```git
{
"type": "service_account",
"project_id": "pomerium-redacted",
"private_key_id": "e07f7c93870c7e03f883560ecd8fd0f4d27b0081",
"private_key": "-----BEGIN PRIVATE KEY-----\\n-----END PRIVATE KEY-----\n",
"client_email": "redacted@pomerium-redacted.iam.gserviceaccount.com",
"client_id": "101215990458000334387",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/redacted%40pomerium-redacted.iam.gserviceaccount.com",
+ "impersonate_user": "user@pomerium.com"
}
```
The base64 encoded contents of this public/private key pair json file will used for the value of the IdP [service account] configuration setting.
### Set directory permissions for Workspaces
Next, we need to give that service account permissionson the GSuite / Workspace side of the house.
1. From your Google Workspace domain's [Admin console](http://admin.google.com/), go to **Main menu** > **Security** > **API controls**.
2. In the **Domain wide delegation** pane, select **Manage Domain Wide Delegation**.
3. Click **Add new**.
4. In the **Client ID** field, enter the client ID obtained from the service account creation steps above.
5. In the **OAuth Scopes** field, enter a comma-delimited list of the scopes required for your application (for a list of possible scopes, see [Authorize requests](https://developers.google.com/admin-sdk/directory/v1/guides/authorizing)).
6. Enter the following list of scopes: `https://www.googleapis.com/auth/admin.directory.group.readonly` `https://www.googleapis.com/auth/admin.directory.user.readonly`
7. Click the **Authorize** button.
![Google create service account](./img/google/google-gsuite-add-scopes.png)
Your `config.yaml` values or [environment variables] should look something like this:
::::: tabs
:::: tab config.yaml
```yaml
idp-provider: "google"
idp-client-id: "yyyy.apps.googleusercontent.com"
idp-client-secret: "xxxxxx"
idp-service-account: "zzzz" # output of `base64 -i service-account-key.json`, with impersonate_user set.
```
::::
:::: tab Environment Variables
```bash
IDP_PROVIDER="google"
IDP_CLIENT_ID="yyyy.apps.googleusercontent.com"
IDP_CLIENT_SECRET="xxxxxx"
IDP_SERVICE_ACCOUNT="zzzz" # output of `base64 -i service-account-key.json`, with impersonate_user set.
```
::::
:::::
## Troubleshooting
### `invalid service account for Google directory provider`
This error message in Pomerium log output coincides with an empty **Groups** field in the `/.pomerium` endpoint. It indicates that your [service account](#create-a-service-account) is missing or incorrectly configured. Revisit the linked section above to adjust your service account settings as needed.
[client id]: ../../reference/readme.md#identity-provider-client-id
[client secret]: ../../reference/readme.md#identity-provider-client-secret
[environment variables]: https://en.wikipedia.org/wiki/Environment_variable
[oauth2]: https://oauth.net/2/
[openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect
[service account]: ../../reference/readme.md#identity-provider-service-account

