mirror of
https://github.com/openziti/zrok.git
synced 2024-11-26 10:04:16 +01:00
Merge pull request #572 from openziti/adopt-email-patterns
adopt oauth email glob patterns
This commit is contained in:
commit
362a0faf5f
@ -8,6 +8,8 @@ CHANGE: Enhancements to the look and feel of the account actions tab in the web
|
|||||||
|
|
||||||
FIX: The regenerate account token dialog incorrectly specified the path `${HOME}/.zrok/environments.yml`. This, was corrected to be `${HOME}/.zrok/environments.json`.
|
FIX: The regenerate account token dialog incorrectly specified the path `${HOME}/.zrok/environments.yml`. This, was corrected to be `${HOME}/.zrok/environments.json`.
|
||||||
|
|
||||||
|
FIX: align zrok frontdoor examples and Linux package (`zrok-share`) with the new OAuth email flag `--oauth-email-address-patterns` introduced in v0.4.25.
|
||||||
|
|
||||||
## v0.4.25
|
## v0.4.25
|
||||||
|
|
||||||
FEATURE: New action in the web console that allows changing the password of the logged-in account (https://github.com/openziti/zrok/issues/148)
|
FEATURE: New action in the web console that allows changing the password of the logged-in account (https://github.com/openziti/zrok/issues/148)
|
||||||
|
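Review bot: the FIX entry added at the top of this hunk names the flag rename but not its effect on existing configuration: the `ZROK_OAUTH_EMAILS` examples elsewhere in this change replace the old `@acme.example.com` form with `*@acme.example.com`, so a value still written as `@domain.tld` stops matching any visitor after the upgrade. Suggest saying so in the entry (for example "existing `@domain.tld` entries must be rewritten as `*@domain.tld`") and linking the PR, as the FEATURE entry below links its issue.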
@ -43,7 +43,7 @@ services:
|
|||||||
ZROK_TARGET: # backend target, is a path in container filesystem unless proxy mode
|
ZROK_TARGET: # backend target, is a path in container filesystem unless proxy mode
|
||||||
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
|
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
|
||||||
ZROK_OAUTH_PROVIDER: # google, github
|
ZROK_OAUTH_PROVIDER: # google, github
|
||||||
ZROK_OAUTH_EMAILS: # allow space-separated list of OAuth email addresses or @domain.tld
|
ZROK_OAUTH_EMAILS: # allow space-separated list of OAuth email address glob patterns
|
||||||
ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
|
ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
|
||||||
|
|
||||||
# least relevant options
|
# least relevant options
|
||||||
|
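Review bot: the updated comment on `ZROK_OAUTH_EMAILS` says "glob patterns" without showing what one looks like, whereas the old comment named the `@domain.tld` form users actually typed. Suggest `# allow space-separated list of OAuth email address glob patterns, e.g. alice@example.com *@example.com`, so the whole-domain case is visible where the variable is set.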
@ -44,7 +44,7 @@ services:
|
|||||||
ZROK_TARGET: http://zrok-test:9090 # backend target, is a path in container filesystem unless proxy mode
|
ZROK_TARGET: http://zrok-test:9090 # backend target, is a path in container filesystem unless proxy mode
|
||||||
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
|
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
|
||||||
ZROK_OAUTH_PROVIDER: # google, github
|
ZROK_OAUTH_PROVIDER: # google, github
|
||||||
ZROK_OAUTH_EMAILS: # space-separated list of OAuth email addresses or @domain.tld to allow
|
ZROK_OAUTH_EMAILS: # allow space-separated list of OAuth email address glob patterns
|
||||||
ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
|
ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
|
||||||
|
|
||||||
# least relevant options
|
# least relevant options
|
||||||
|
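Review bot: same comment change as in the other compose file; because this value is word-split by the container entrypoint, a pattern can never contain a space, and the previous `@domain.tld` spelling will silently stop matching after an upgrade. Consider a second comment line stating that the old `@domain.tld` form must now be written `*@domain.tld`.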
@ -72,7 +72,7 @@ features in [this blog post](https://blog.openziti.io/the-zrok-oauth-public-fron
|
|||||||
|
|
||||||
```bash title=".env"
|
```bash title=".env"
|
||||||
ZROK_OAUTH_PROVIDER="github"
|
ZROK_OAUTH_PROVIDER="github"
|
||||||
ZROK_SHARE_OPTS="--oauth-email-domains @example.com"
|
ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
|
||||||
```
|
```
|
||||||
|
|
||||||
## Caddy is Powerful
|
## Caddy is Powerful
|
||||||
|
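Review bot: this example replaces `ZROK_SHARE_OPTS="--oauth-email-domains @example.com"` with `ZROK_OAUTH_EMAILS`, but `--oauth-email-domains` is removed from the CLI in this same change, so a reader who keeps the old flag in `ZROK_SHARE_OPTS` will hit an unknown-flag error when the share starts. A sentence next to this snippet telling readers to delete the old flag from `ZROK_SHARE_OPTS` when they add `ZROK_OAUTH_EMAILS` would prevent that.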
@ -157,7 +157,7 @@ You can require that visitors authenticate with an email address that matches at
|
|||||||
|
|
||||||
```bash title="/opt/openziti/etc/zrok/zrok-share.env"
|
```bash title="/opt/openziti/etc/zrok/zrok-share.env"
|
||||||
ZROK_OAUTH_PROVIDER="github" # or google
|
ZROK_OAUTH_PROVIDER="github" # or google
|
||||||
ZROK_OAUTH_EMAILS="bob@example.com @acme.example.com"
|
ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
|
||||||
```
|
```
|
||||||
|
|
||||||
### Password
|
### Password
|
||||||
|
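Review bot: the example now depends on glob semantics, but the surrounding text (per the hunk header, "an email address that matches at...") does not say that a pattern is matched against the whole address or that the `@` must be part of it. For an allowlist that matters: `*example.com` without the `@` would also admit `someone@notexample.com`. Suggest a sentence stating that patterns are matched against the full address and should be written as `localpart@domain` or `*@domain`.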
@ -121,21 +121,22 @@ Both the `google` and `github` providers accept a `client_id` and `client_secret
|
|||||||
With your public frontend configured to support OAuth, you can test this by creating a public share. There are new command line options to support this:
|
With your public frontend configured to support OAuth, you can test this by creating a public share. There are new command line options to support this:
|
||||||
|
|
||||||
```text
|
```text
|
||||||
$ zrok share public
|
$ zrok share public --help
|
||||||
Error: accepts 1 arg(s), received 0
|
Share a target resource publicly
|
||||||
|
|
||||||
Usage:
|
Usage:
|
||||||
zrok share public <target> [flags]
|
zrok share public <target> [flags]
|
||||||
|
|
||||||
Flags:
|
Flags:
|
||||||
-b, --backend-mode string The backend mode {proxy, web, caddy, drive} (default "proxy")
|
-b, --backend-mode string The backend mode {proxy, web, caddy, drive} (default "proxy")
|
||||||
--basic-auth stringArray Basic authentication users (<username:password>,...)
|
--basic-auth stringArray Basic authentication users (<username:password>,...)
|
||||||
--frontends stringArray Selected frontends to use for the share (default [public])
|
--frontends stringArray Selected frontends to use for the share (default [public])
|
||||||
--headless Disable TUI and run headless
|
--headless Disable TUI and run headless
|
||||||
-h, --help help for public
|
-h, --help help for public
|
||||||
--insecure Enable insecure TLS certificate validation for <target>
|
--insecure Enable insecure TLS certificate validation for <target>
|
||||||
--oauth-check-interval duration Maximum lifetime for OAuth authentication; reauthenticate after expiry (default 3h0m0s)
|
--oauth-check-interval duration Maximum lifetime for OAuth authentication; reauthenticate after expiry (default 3h0m0s)
|
||||||
--oauth-email-domains stringArray Allow only these email domains to authenticate via OAuth
|
--oauth-email-address-patterns stringArray Allow only these email domain globs to authenticate via OAuth
|
||||||
--oauth-provider string Enable OAuth provider [google, github]
|
--oauth-provider string Enable OAuth provider [google, github]
|
||||||
|
|
||||||
Global Flags:
|
Global Flags:
|
||||||
-p, --panic Panic instead of showing pretty errors
|
-p, --panic Panic instead of showing pretty errors
|
||||||
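Review bot: the new help string `Allow only these email domain globs to authenticate via OAuth` still says "domain", while the flag is named `--oauth-email-address-patterns` and the docs in this change say the glob matches the whole email address; `alice@example.com` is a valid value that is not a domain glob. Suggest "Allow only authenticated email addresses matching these glob patterns" so the help text and the flag name agree.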
@ -144,12 +145,12 @@ Global Flags:
|
|||||||
|
|
||||||
The `--oauth-provider` flag enables OAuth for the share using the specified provider.
|
The `--oauth-provider` flag enables OAuth for the share using the specified provider.
|
||||||
|
|
||||||
The `--oauth-email-domains` flag accepts a comma-separated list of authenticated email address domains that are allowed to access the share.
|
The `--oauth-email-address-patterns` flag accepts a single glob pattern that matches an authenticated email address that is allowed to access the share. Use this flag multiple times to allow different patterns.
|
||||||
|
|
||||||
The `--oauth-check-interval` flag specifies how frequently the authentication must be checked.
|
The `--oauth-check-interval` flag specifies how frequently the authentication must be checked.
|
||||||
|
|
||||||
An example public share:
|
An example public share:
|
||||||
|
|
||||||
```text
|
```text
|
||||||
zrok share public --backend-mode web --oauth-provider github --oauth-email-domains zrok.io ~/public
|
zrok share public --backend-mode web --oauth-provider github --oauth-email-address-patterns '*@zrok.io' ~/public
|
||||||
```
|
```
|
||||||
|
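Review bot: the example correctly single-quotes `'*@zrok.io'`, but the prose does not say why; an unquoted `*@zrok.io` is subject to the shell's pathname expansion and could be replaced by a matching filename before zrok sees it. Suggest one sentence after the flag description noting that patterns containing `*` must be quoted, and that a pattern without an `@` (such as `*zrok.io`) is broader than it looks.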
@ -133,7 +133,7 @@ if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
|
|||||||
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
|
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
|
||||||
if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then
|
if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then
|
||||||
for EMAIL in ${ZROK_OAUTH_EMAILS}; do
|
for EMAIL in ${ZROK_OAUTH_EMAILS}; do
|
||||||
ZROK_CMD+=" --oauth-email-domains ${EMAIL}"
|
ZROK_CMD+=" --oauth-email-address-patterns '${EMAIL}'"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
elif [[ -n "${ZROK_BASIC_AUTH:-}" ]]; then
|
elif [[ -n "${ZROK_BASIC_AUTH:-}" ]]; then
|
||||||
|
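Review bot: two quoting problems in the loop. `for EMAIL in ${ZROK_OAUTH_EMAILS}` word-splits the unquoted value and then applies pathname expansion to each word, so a pattern such as `*@acme.example.com` is matched against files in the working directory before it reaches zrok (wrap the loop in `set -f` / `set +f`, or `read -ra` the value into an array instead). And `ZROK_CMD+=" --oauth-email-address-patterns '${EMAIL}'"` embeds literal single quotes in the command string: if `ZROK_CMD` is later expanded as `${ZROK_CMD}` the quotes become part of the argument and the pattern matches nothing, while if it is run through `eval` a value containing a quote breaks out of the quoting. Building the command as a bash array and expanding it as `"${ZROK_CMD[@]}"` avoids both.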
@ -76,7 +76,7 @@ ZROK_SHARE_OPTS=""
|
|||||||
|
|
||||||
# you MAY restrict access to one or more email addresses or domains; must be a space-separate list
|
# you MAY restrict access to one or more email addresses or domains; must be a space-separate list
|
||||||
# WARNING: changes take effect the next time the frontend URL is reserved
|
# WARNING: changes take effect the next time the frontend URL is reserved
|
||||||
#ZROK_OAUTH_EMAILS="bob@acme.example.com alice@forge.example.com @corp.example.com"
|
#ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
|
||||||
|
|
||||||
# you MAY require a password with HTTP basic authentication
|
# you MAY require a password with HTTP basic authentication
|
||||||
# WARNING: changes take effect the next time the frontend URL is reserved
|
# WARNING: changes take effect the next time the frontend URL is reserved
|
||||||
|
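Review bot: the example value was updated to the glob form, but the comment two lines above it still reads `# you MAY restrict access to one or more email addresses or domains; must be a space-separate list`, which no longer describes the syntax (a bare domain is not a valid entry now) and has a typo. Suggest `# you MAY restrict access to email addresses matching one or more glob patterns; must be a space-separated list`.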