mirror of
https://github.com/openziti/zrok.git
synced 2024-11-26 10:04:16 +01:00
Merge pull request #572 from openziti/adopt-email-patterns
adopt oauth email glob patterns
commit
362a0faf5f
@ -8,6 +8,8 @@ CHANGE: Enhancements to the look and feel of the account actions tab in the web
|
||||
|
||||
FIX: The regenerate account token dialog incorrectly specified the path `${HOME}/.zrok/environments.yml`. This, was corrected to be `${HOME}/.zrok/environments.json`.
|
||||
|
||||
FIX: align zrok frontdoor examples and Linux package (`zrok-share`) with the new OAuth email flag `--oauth-email-address-patterns` introduced in v0.4.25.
|
||||
|
||||
## v0.4.25
|
||||
|
||||
FEATURE: New action in the web console that allows changing the password of the logged-in account (https://github.com/openziti/zrok/issues/148)
|
||||
|
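Review bot: the new FIX entry in this changelog hunk names `--oauth-email-address-patterns` but does not say that existing `ZROK_OAUTH_EMAILS` values need editing. The other hunks in this commit replace `@acme.example.com` with `*@acme.example.com`, so anyone upgrading the frontdoor or `zrok-share` package with a bare `@domain.tld` entry has to rewrite it. Suggest adding a short clause such as "bare `@domain.tld` entries must become `*@domain.tld`" so the access-control change is visible in the release notes.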
@ -43,7 +43,7 @@ services:
|
||||
ZROK_TARGET: # backend target, is a path in container filesystem unless proxy mode
|
||||
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
|
||||
ZROK_OAUTH_PROVIDER: # google, github
|
||||
ZROK_OAUTH_EMAILS: # allow space-separated list of OAuth email addresses or @domain.tld
|
||||
ZROK_OAUTH_EMAILS: # allow space-separated list of OAuth email address glob patterns
|
||||
ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
|
||||
|
||||
# least relevant options
|
||||
|
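Review bot: the replacement comment on `ZROK_OAUTH_EMAILS` drops the only syntax hint the old comment carried (`@domain.tld`) and gives no example of the new form. Since this variable decides who may authenticate to the share, suggest keeping an inline example, for instance `# space-separated glob patterns, e.g. alice@example.com *@example.com`, so a reader does not carry the old bare-domain form over.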
@ -44,7 +44,7 @@ services:
|
||||
ZROK_TARGET: http://zrok-test:9090 # backend target, is a path in container filesystem unless proxy mode
|
||||
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
|
||||
ZROK_OAUTH_PROVIDER: # google, github
|
||||
ZROK_OAUTH_EMAILS: # space-separated list of OAuth email addresses or @domain.tld to allow
|
||||
ZROK_OAUTH_EMAILS: # allow space-separated list of OAuth email address glob patterns
|
||||
ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
|
||||
|
||||
# least relevant options
|
||||
|
@ -72,7 +72,7 @@ features in [this blog post](https://blog.openziti.io/the-zrok-oauth-public-fron
|
||||
|
||||
```bash title=".env"
|
||||
ZROK_OAUTH_PROVIDER="github"
|
||||
ZROK_SHARE_OPTS="--oauth-email-domains @example.com"
|
||||
ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
|
||||
```
|
||||
|
||||
## Caddy is Powerful
|
||||
|
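Review bot: this `.env` example changes two things at once: the variable (`ZROK_SHARE_OPTS` becomes `ZROK_OAUTH_EMAILS`) and the value syntax (`@example.com` becomes `*@acme.example.com`). Readers who copied the old line still have `--oauth-email-domains` in `ZROK_SHARE_OPTS`, and the help output elsewhere in this commit no longer lists that flag. Suggest a sentence next to the example saying the old `ZROK_SHARE_OPTS` line should be removed, not kept alongside the new variable.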
@ -157,7 +157,7 @@ You can require that visitors authenticate with an email address that matches at
|
||||
|
||||
```bash title="/opt/openziti/etc/zrok/zrok-share.env"
|
||||
ZROK_OAUTH_PROVIDER="github" # or google
|
||||
ZROK_OAUTH_EMAILS="bob@example.com @acme.example.com"
|
||||
ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
|
||||
```
|
||||
|
||||
### Password
|
||||
|
@ -121,21 +121,22 @@ Both the `google` and `github` providers accept a `client_id` and `client_secret
|
||||
With your public frontend configured to support OAuth, you can test this by creating a public share. There are new command line options to support this:
|
||||
|
||||
```text
|
||||
$ zrok share public
|
||||
Error: accepts 1 arg(s), received 0
|
||||
$ zrok share public --help
|
||||
Share a target resource publicly
|
||||
|
||||
Usage:
|
||||
zrok share public <target> [flags]
|
||||
|
||||
Flags:
|
||||
-b, --backend-mode string The backend mode {proxy, web, caddy, drive} (default "proxy")
|
||||
--basic-auth stringArray Basic authentication users (<username:password>,...)
|
||||
--frontends stringArray Selected frontends to use for the share (default [public])
|
||||
--headless Disable TUI and run headless
|
||||
-h, --help help for public
|
||||
--insecure Enable insecure TLS certificate validation for <target>
|
||||
--oauth-check-interval duration Maximum lifetime for OAuth authentication; reauthenticate after expiry (default 3h0m0s)
|
||||
--oauth-email-domains stringArray Allow only these email domains to authenticate via OAuth
|
||||
--oauth-provider string Enable OAuth provider [google, github]
|
||||
-b, --backend-mode string The backend mode {proxy, web, caddy, drive} (default "proxy")
|
||||
--basic-auth stringArray Basic authentication users (<username:password>,...)
|
||||
--frontends stringArray Selected frontends to use for the share (default [public])
|
||||
--headless Disable TUI and run headless
|
||||
-h, --help help for public
|
||||
--insecure Enable insecure TLS certificate validation for <target>
|
||||
--oauth-check-interval duration Maximum lifetime for OAuth authentication; reauthenticate after expiry (default 3h0m0s)
|
||||
--oauth-email-address-patterns stringArray Allow only these email domain globs to authenticate via OAuth
|
||||
--oauth-provider string Enable OAuth provider [google, github]
|
||||
|
||||
Global Flags:
|
||||
-p, --panic Panic instead of showing pretty errors
|
||||
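Review bot: the help text for `--oauth-email-address-patterns` reads "Allow only these email domain globs", which describes the old domain-only behaviour. The flag name and the prose in the next hunk both say the glob is matched against the whole email address. Suggest "Allow only email addresses matching these glob patterns to authenticate via OAuth" so the pasted help output and the explanation agree.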
@ -144,12 +145,12 @@ Global Flags:
|
||||
|
||||
The `--oauth-provider` flag enables OAuth for the share using the specified provider.
|
||||
|
||||
The `--oauth-email-domains` flag accepts a comma-separated list of authenticated email address domains that are allowed to access the share.
|
||||
The `--oauth-email-address-patterns` flag accepts a single glob pattern that matches an authenticated email address that is allowed to access the share. Use this flag multiple times to allow different patterns.
|
||||
|
||||
The `--oauth-check-interval` flag specifies how frequently the authentication must be checked.
|
||||
|
||||
An example public share:
|
||||
|
||||
```text
|
||||
zrok share public --backend-mode web --oauth-provider github --oauth-email-domains zrok.io ~/public
|
||||
zrok share public --backend-mode web --oauth-provider github --oauth-email-address-patterns '*@zrok.io' ~/public
|
||||
```
|
||||
|
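Review bot: the new paragraph for `--oauth-email-address-patterns` says "glob pattern" without stating that the pattern should include the `@`. The example correctly uses `'*@zrok.io'`, but a reader converting the old `--oauth-email-domains zrok.io` value could write `*zrok.io`, which as a glob also admits addresses at any domain that merely ends in that string. Suggest one added sentence recommending patterns of the form `*@domain.tld`, and noting that the single quotes in the example keep the shell from expanding `*`.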
@ -133,7 +133,7 @@ if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
|
||||
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
|
||||
if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then
|
||||
for EMAIL in ${ZROK_OAUTH_EMAILS}; do
|
||||
ZROK_CMD+=" --oauth-email-domains ${EMAIL}"
|
||||
ZROK_CMD+=" --oauth-email-address-patterns '${EMAIL}'"
|
||||
done
|
||||
fi
|
||||
elif [[ -n "${ZROK_BASIC_AUTH:-}" ]]; then
|
||||
|
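Review bot: in the `for EMAIL in ${ZROK_OAUTH_EMAILS}; do` line the expansion is unquoted, so now that values contain `*` the shell applies pathname expansion before the loop body runs; a pattern such as `*@acme.example.com` is replaced by any matching file names in the working directory. Suggest disabling globbing around the loop (`set -o noglob`) or reading the value into an array with `read -ra`. Separately, the single quotes added in `'${EMAIL}'` are literal characters inside `ZROK_CMD`; they are only stripped if the string is later re-parsed by a shell, and how `ZROK_CMD` is executed is not visible in this hunk, so that is worth confirming. Building the command as an array would avoid both problems.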
@ -76,7 +76,7 @@ ZROK_SHARE_OPTS=""
|
||||
|
||||
# you MAY restrict access to one or more email addresses or domains; must be a space-separate list
|
||||
# WARNING: changes take effect the next time the frontend URL is reserved
|
||||
#ZROK_OAUTH_EMAILS="bob@acme.example.com alice@forge.example.com @corp.example.com"
|
||||
#ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
|
||||
|
||||
# you MAY require a password with HTTP basic authentication
|
||||
# WARNING: changes take effect the next time the frontend URL is reserved
|
||||
|
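Review bot: the comment above the changed example still reads "one or more email addresses or domains; must be a space-separate list", which no longer matches the value `alice@example.com *@acme.example.com`. Suggest updating it to say "email address glob patterns" and fixing "space-separate" to "space-separated" while the line is being touched, since this file is what package users edit to set the allow list.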