From a1b903b22178c01e64ec2ef6d08aac3576b5f5ac Mon Sep 17 00:00:00 2001 From: Niall Sheridan Date: Fri, 22 Apr 2016 23:06:44 +0100 Subject: Update auth provider notes. --- README.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/README.md b/README.md index 2ba0b72..17c8d35 100644 --- a/README.md +++ b/README.md @@ -60,9 +60,35 @@ Configuration is divided into three sections: `server`, `auth`, and `ssh`. - `oauth_client_id` : string. Oauth Client ID. - `oauth_client_secret` : string. Oauth secret. - `oauth_callback_url` : string. URL that the Oauth provider will redirect to after user authorisation. The path is hardcoded to `"/auth/callback"` in the source. + - `provider_opts` : object. Additional options for the provider. - `provider_opts: { domain }` : string. Applies to "google" provider. Only allow users from this Google Apps domain. This is optional but leaving it unset will allow anyone with a Google account to obtain ssh certificates so don't do that. +#### Provider-specific options + +Oauth providers can support provider-specific options - e.g. to ensure organization membership. +Options are set in the `provider_opts` hash. + +Example: + +``` +"auth": { + "provider": "google", + "provider_opts" : { + "domain": "example.com", + "organization": "" + } +} +``` + +| Provider | Option | Notes | | | +|---------:|-------------:|----------------------------------------------------------------------------------------------------------------------------------------|---|---| +| Google | domain | If this is unset then any gmail user can obtain a token. | | | +| Github | organization | If this is unset then any GitHub user can obtain a token. The oauth client and secrets should be issued by the specified organization. | | | +| | | | | | + +Supported options: + ### ssh - `signing_key`: string. Path to the signing ssh private key you created earlier. - `additional_principals`: array of string. By default certificates will have one principal set - the username portion of the requester's email address. If `additional_principals` is set, these will be added to the certificate e.g. if your production machines use shared user accounts. -- cgit v1.2.3