aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNiall Sheridan <nsheridan@gmail.com>2016-04-22 23:06:44 +0100
committerNiall Sheridan <nsheridan@gmail.com>2016-04-22 23:16:11 +0100
commita1b903b22178c01e64ec2ef6d08aac3576b5f5ac (patch)
treee65f479ba2c736f4eb03cd63b0cf09944abbae67
parentbd1e6a57fe354ccfe51d295fec3c06a1c878c3f7 (diff)
Update auth provider notes.
-rw-r--r--README.md26
1 files changed, 26 insertions, 0 deletions
diff --git a/README.md b/README.md
index 2ba0b72..17c8d35 100644
--- a/README.md
+++ b/README.md
@@ -60,9 +60,35 @@ Configuration is divided into three sections: `server`, `auth`, and `ssh`.
- `oauth_client_id` : string. Oauth Client ID.
- `oauth_client_secret` : string. Oauth secret.
- `oauth_callback_url` : string. URL that the Oauth provider will redirect to after user authorisation. The path is hardcoded to `"/auth/callback"` in the source.
+
- `provider_opts` : object. Additional options for the provider.
- `provider_opts: { domain }` : string. Applies to "google" provider. Only allow users from this Google Apps domain. This is optional but leaving it unset will allow anyone with a Google account to obtain ssh certificates so don't do that.
+#### Provider-specific options
+
+Oauth providers can support provider-specific options - e.g. to ensure organization membership.
+Options are set in the `provider_opts` hash.
+
+Example:
+
+```
+"auth": {
+ "provider": "google",
+ "provider_opts" : {
+ "domain": "example.com",
+ "organization": ""
+ }
+}
+```
+
+| Provider | Option | Notes | | |
+|---------:|-------------:|----------------------------------------------------------------------------------------------------------------------------------------|---|---|
+| Google | domain | If this is unset then any gmail user can obtain a token. | | |
+| Github | organization | If this is unset then any GitHub user can obtain a token. The oauth client and secrets should be issued by the specified organization. | | |
+| | | | | |
+
+Supported options:
+
### ssh
- `signing_key`: string. Path to the signing ssh private key you created earlier.
- `additional_principals`: array of string. By default certificates will have one principal set - the username portion of the requester's email address. If `additional_principals` is set, these will be added to the certificate e.g. if your production machines use shared user accounts.