Commit d0991459 authored Oct 26, 2017 by Eric Chiang
authproxy: update docs and set a userID
parent 751c565e
Showing 2 changed files with 44 additions and 6 deletions (+44 -6)
Documentation/authproxy.md +43 -6
connector/authproxy/authproxy.go +1 -0
Documentation/authproxy.md
View file @
d0991459
# External authentication
# Authenticating proxy
NOTE: This connector is experimental and may change in the future.
## Overview
## Overview
The authproxy connector returns identities based on authentication which your
The
`authproxy`
connector returns identities based on authentication which your
front-end web server performs.
front-end web server performs. Dex consumes the
`X-Remote-User`
header set by
the proxy, which is then used as the user's email address.
__
The proxy MUST remove any
`X-Remote-*`
headers set by the client, for any URL
path, before the request is forwarded to dex.__
The connector does not support refresh tokens or groups
at this point
.
The connector does not support refresh tokens or groups.
## Configuration
## Configuration
The
`authproxy`
connector is used by proxies to implement login strategies not
supported by dex. For example, a proxy could handle a different OAuth2 strategy
such as Slack. The connector takes no configuration other than a
`name`
and
`id`
:
```
yaml
connectors
:
# Slack login implemented by an authenticating proxy, not by dex.
-
type
:
authproxy
id
:
slack
name
:
Slack
```
The proxy only needs to authenticate the user when they attempt to visit the
callback URL path:
```
( dex issuer URL )/callback/( connector id )?( url query )
```
For example, if dex is running at
`https://auth.example.com/dex`
and the connector
ID is
`slack`
, the callback URL would look like:
```
https://auth.example.com/dex/callback/slack?state=xdg3z6quhrhwaueo5iysvliqf
```
The proxy should login the user then return them to the exact URL (inlucing the
query), setting
`X-Remote-User`
to the user's email before proxying the request
to dex.
## Configuration example - Apache 2
The following is an example config file that can be used by the external
The following is an example config file that can be used by the external
connector to authenticate a user.
connector to authenticate a user.
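Review bot: The Overview warning that the proxy MUST remove client-set `X-Remote-*` headers only covers requests that go through the proxy; since the same paragraph says dex uses `X-Remote-User` as the user's email, it should also state that dex must not be reachable by clients except through that proxy. Two wording fixes in the last paragraph of the Configuration section: "inlucing" should be "including", and "should login the user" should be "should log in the user". The sentence "takes no configuration other than a `name` and `id`" sits next to a YAML example that also sets `type: authproxy`, so it would read more accurately as "other than the usual `type`, `name` and `id`".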
...
@@ -84,4 +122,4 @@ virtual host configuration in e.g. `/etc/apache2/sites-available/sso.conf`:
...
@@ -84,4 +122,4 @@ virtual host configuration in e.g. `/etc/apache2/sites-available/sso.conf`:
</VirtualHost>
</VirtualHost>
```
```
Then, enable it using
`a2ensite sso.conf`
, followed by a restart of Apache2.
Then, enable it using
`a2ensite sso.conf`
, followed by a restart of Apache2.
\ No newline at end of file
connector/authproxy/authproxy.go
View file @
d0991459
...
@@ -50,6 +50,7 @@ func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connecto
...
@@ -50,6 +50,7 @@ func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connecto
// TODO: add support for X-Remote-Group, see
// TODO: add support for X-Remote-Group, see
// https://kubernetes.io/docs/admin/authentication/#authenticating-proxy
// https://kubernetes.io/docs/admin/authentication/#authenticating-proxy
return
connector
.
Identity
{
return
connector
.
Identity
{
UserID
:
remoteUser
,
// TODO: figure out if this is a bad ID value.
Email
:
remoteUser
,
Email
:
remoteUser
,
EmailVerified
:
true
,
EmailVerified
:
true
,
},
nil
},
nil
...
...
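Review bot: The added `UserID: remoteUser,` reuses the same `X-Remote-User` value that fills `Email`, and the TODO on that line leaves open whether this is a safe ID; resolve that question or link a tracking issue rather than merging the doubt as a comment. An email address can change or be reassigned to another person, so an ID derived from it is not a stable identifier, and the updated authproxy.md only says the header is used as the user's email, not as the user ID. Suggest documenting that the header value becomes both fields. Since `EmailVerified: true` is a literal in this return, it is also worth confirming in the lines above the hunk that an empty `remoteUser` is rejected before this point.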