docs: update GitHub documentation for service account (#967)

* docs: update GitHub documentation for service account

* add read:org permission
Caleb Doxsey 2020-06-22 12:36:07 -06:00 committed by GitHub
parent 8362f18355
commit f11c5ba172
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 2 deletions


@ -12,7 +12,7 @@ meta:
This document describes the use of GitHub as an identity provider for Pomerium. This document describes the use of GitHub as an identity provider for Pomerium.
Before we proceed, please be aware that [GitHub API] does not support [OpenID Connect], just [OAuth 2.0]. Before we proceed, please be aware that [GitHub API] does not support [OpenID Connect], just [OAuth 2.0].
For this reason, it was challenging to implement revocation of a user's **Access Token** (a string representing the granted permissions) when they sign out from Pomerium's dashboard. For this reason, it was challenging to implement revocation of a user's **Access Token** (a string representing the granted permissions) when they sign out from Pomerium's dashboard.
In addition, the teams of the organization(s) a user belongs to, will be used as groups on Pomerium. In addition, the teams of the organization(s) a user belongs to, will be used as groups on Pomerium.
@ -22,7 +22,7 @@ In addition, the teams of the organization(s) a user belongs to, will be used as
2. Navigate to your profile using the avatar on the navigation bar. 2. Navigate to your profile using the avatar on the navigation bar.
3. Go to your settings. 3. Go to your settings.
![GitHub settings](./img/github/github-user-profile.png) ![GitHub settings](./img/github/github-user-profile.png)
@ -41,6 +41,19 @@ Authorization callback URL | `https://${authenticate_service_url}/oauth2/callba
After the application had been created, you will have access to the credentials, the **Client ID** and **Client Secret**. After the application had been created, you will have access to the credentials, the **Client ID** and **Client Secret**.
## Service Account
To use `allowed_groups` in a policy an `idp_service_account` needs to be set in the Pomerium configuration. The Service Account for GitHub should be a personal access token with `read:org` permissions, which can be created at [github.com/settings/tokens/new](https://github.com/settings/tokens/new).
![Personal Access Token](./img/github/github-personal-access-token.png)
The format of the `idp_service_account` for GitHub is a base64-encoded JSON document:
```json
{
"username": "YOUR_GITHUB_USERNAME",
"personal_access_token": "GENERATED_GITHUB_ACCESS_TOKEN"
}
```
## Pomerium Configuration ## Pomerium Configuration
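Review bot: the new Service Account section states the format is "a base64-encoded JSON document" but never shows how to produce the encoded value, so readers are likely to paste the raw JSON (or the bare token) into `idp_service_account`; suggest adding the one-line command used to encode the document, e.g. `echo -n '{"username":"...","personal_access_token":"..."}' | base64`, directly below the JSON block. Two smaller points in the same hunk: the opening sentence needs a comma after "policy" ("To use `allowed_groups` in a policy, an `idp_service_account` needs to be set"), and since the personal access token is a long-lived credential tied to a user account, the text should say that `read:org` is the only scope to select and that the encoded value must be protected like `idp_client_secret`.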
@ -51,6 +64,7 @@ authenticate_service_url: https://authenticate.localhost.pomerium.io
idp_provider: "github" idp_provider: "github"
idp_client_id: "REDACTED" // github application ID idp_client_id: "REDACTED" // github application ID
idp_client_secret: "REDACTED" // github application secret idp_client_secret: "REDACTED" // github application secret
idp_service_account: "REDACTED" // github service account (personal access token)
``` ```
Whenever a user tries to access your application integrated with Pomerium, they will be presented with a sign-on page as below: Whenever a user tries to access your application integrated with Pomerium, they will be presented with a sign-on page as below:
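Review bot: the inline comment on the added line, `idp_service_account: "REDACTED" // github service account (personal access token)`, describes the value as a personal access token, but the Service Account section added in the previous hunk defines it as a base64-encoded JSON document containing both `username` and `personal_access_token`; suggest "// base64-encoded github service account JSON" so the two sections agree. Style point: `//` is not YAML comment syntax (YAML uses `#`); the surrounding `idp_client_id` and `idp_client_secret` lines already use `//`, so either keep it consistent for now or switch all three to `#` in one change.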

Binary file not shown.
