From a2312c349788e134bd181d7e44a9256d1b82f33d Mon Sep 17 00:00:00 2001
From: Cam
Date: Mon, 11 Sep 2023 09:30:52 -0500
Subject: [PATCH] formatting imports and adding oauth small guide

---
 cmd/zrok/sharePublic.go          | 11 +++++------
 docs/guides/oauth/oauth_guide.md | 30 ++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 6 deletions(-)
 create mode 100644 docs/guides/oauth/oauth_guide.md

diff --git a/cmd/zrok/sharePublic.go b/cmd/zrok/sharePublic.go
index a8adaeb2..fc899a25 100644
--- a/cmd/zrok/sharePublic.go
+++ b/cmd/zrok/sharePublic.go
@@ -2,12 +2,6 @@ package main
 
 import (
 "fmt"
- "os"
- "os/signal"
- "strings"
- "syscall"
- "time"
-
 tea "github.com/charmbracelet/bubbletea"
 "github.com/openziti/zrok/endpoints"
 "github.com/openziti/zrok/endpoints/proxy"
@@ -17,6 +11,11 @@ import (
 "github.com/openziti/zrok/tui"
 "github.com/sirupsen/logrus"
 "github.com/spf13/cobra"
+ "os"
+ "os/signal"
+ "strings"
+ "syscall"
+ "time"
 )
 
 func init() {
diff --git a/docs/guides/oauth/oauth_guide.md b/docs/guides/oauth/oauth_guide.md
new file mode 100644
index 00000000..b6a8cd23
--- /dev/null
+++ b/docs/guides/oauth/oauth_guide.md
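Review bot: The reordered import block in sharePublic.go now places the five standard-library packages (`os`, `os/signal`, `strings`, `syscall`, `time`) after the third-party imports in what looks like a single group, which is the reverse of the `goimports` convention of standard library first, then a blank line, then everything else. `gofmt` only sorts within a group, so the new layout reads as the stdlib group having been merged into the third-party group rather than formatted; the removed line after `"time"` in the first hunk appears to have been the blank separator between the two groups. I would move those five imports back above `tea "github.com/charmbracelet/bubbletea"` with a blank line between the groups, or simply run `goimports` on the file, which produces that layout automatically. Both hunks lie fully within this file's import block, so no code outside it is affected.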
@@ -0,0 +1,30 @@
+## Enabling Oauth on Access Point
+
+There is a new stanza in the access point configuration.
+
+```yaml
+oauth:
+ port: #port to listen on oauth callbacks from
+ redirect_url: #redirect url to feed into oauth flow
+ hash_key_raw: "" #key we will use to sign our access token
+ providers: #which providers we configure to use.
+ - name:
+ client_id: #the client id you get from your oauth provider
+ client_secret: #the client secret you get from your oauth provider
+```
+Currently we support the following Oauth providers:
+- google
+- github
+
+We spin up a zitadel oidc server on the specified port that handled all of the oauth handshaking. With the response we create a cookie with the name `zrok-access`.
+
+## Enabling Oath on Share
+
+To utilize the oauth integration on the access point we need to add a few more flags to our share command. There are three new flags:
+- `provider` : This is the provider to authenticate against. Options are the same as above dependant on what the acess point is configured for
+- `oauth-domains` : A list of valid email domains that are allowed to access the service. for example `gmail.com`
+- `oauth-check-interval` : How long a `zrok-access` token is valid for before reinitializing the oauth flow. This is defaultly 3 hours.
+
+That's all it takes!
+
+Now when a user connects to your share they will be prompted with the chosen oauth provider and allowed based on your allowed domains. Simply restarting the service won't force a reauth for users either. Changing the `provider` or `oauth-check-interval` will, however.
\ No newline at end of file