Update auth provider notes.

1 files changed, 26 insertions, 0 deletions

diff --git a/README.md b/README.md
index 2ba0b72..17c8d35 100644
--- a/README.md
+++ b/README.md
@@ -60,9 +60,35 @@ Configuration is divided into three sections: `server`, `auth`, and `ssh`.
 - `oauth_client_id` : string. Oauth Client ID.
 - `oauth_client_secret` : string. Oauth secret.
 - `oauth_callback_url` : string. URL that the Oauth provider will redirect to after user authorisation. The path is hardcoded to `"/auth/callback"` in the source.
+
 - `provider_opts` : object. Additional options for the provider.
 - `provider_opts: { domain }` : string. Applies to "google" provider. Only allow users from this Google Apps domain. This is optional but leaving it unset will allow anyone with a Google account to obtain ssh certificates so don't do that.
 
+#### Provider-specific options
+
+Oauth providers can support provider-specific options - e.g. to ensure organization membership.
+Options are set in the `provider_opts` hash.
+
+Example:
+
+```
+"auth": {
+  "provider": "google",
+  "provider_opts" : {
+    "domain": "example.com",
+    "organization": ""
+  }
+}
+```
+
+| Provider |       Option | Notes                                                                                                                                  |   |   |
+|---------:|-------------:|----------------------------------------------------------------------------------------------------------------------------------------|---|---|
+| Google   |       domain | If this is unset then any gmail user can obtain a token.                                                                               |   |   |
+| Github   | organization | If this is unset then any GitHub user can obtain a token. The oauth client and secrets should be issued by the specified organization. |   |   |
+|          |              |                                                                                                                                        |   |   |
+
+Supported options:
+
 ### ssh
 - `signing_key`: string. Path to the signing ssh private key you created earlier.
 - `additional_principals`: array of string. By default certificates will have one principal set - the username portion of the requester's email address. If `additional_principals` is set, these will be added to the certificate e.g. if your production machines use shared user accounts.