Comments (1)
Hey,
Thanks for reaching out. Yeah, this is something that isn't documented. I'm happy to accept any PRs to improve docs on a per-provider basis. Right now I don't have a production setup using the OIDC auth mechanism.
However, previously I have used Google and Microsoft ADFS successfully.
Here is an example configuration for google:
    authoidc:
      name: google
      realm: my google auth
      timeout: 15
      clientID: REDACTED.apps.googleusercontent.com
      clientSecret: REDACTED
      authFlowTimeout: 240
      maxPendingAuthAttempts: 1000
      scopes:
        - openid
        - email
        - profile
      redirectURL: https://localhost:8540/v1/auth_callback/google
      providerURL: https://accounts.google.com
      valueMappings:
        subjectNameField: name
        subjectNameTemplate: '{{.}}'
        principalsField: email
        principalTemplate: '{{.}}'
      principals: []
      criticalOptions: {}
      extensions:
        permit-pty: ""
        permit-user-rc: ""
        permit-agent-forwarding: ""
        permit-X11-forwarding: ""
So your question was about redirectURL. As you probably know this is the URL the auth provider will send the client to. We'll need to point it to the running ssh-inscribe daemon in order to validate the auth flow.
So for development I have set it to localhost here. The path part is important: /v1/auth_callback/{{nameOfTheAuthenticator}}.
If you are running the ssh-inscribe behind a load balancer you must devise a way to route the client to the same instance where the auth flow was started. If you only have a single instance, you can just set the redirectURL to the public hostname (and port) of the ssh-inscribe daemon. The only important thing is that the redirectURL must point to the current instance of the ssh-inscribe daemon.
Other config values include:
- timeout: timeout of the request(s) to OIDC provider
- authFlowTimeout: how long the started auth flow is kept in memory before evicting. The authentication must be completed in this time
- maxPendingAuthAttempts: how many pending auth attempts to hold in memory
- valueMappings.subjectNameField: from which JWT claims field to get the subject
- valueMappings.principalsField: from which JWT claims field to get the principals. This accepts either a single value or an array of values in the JWT claim.
- valueMappings.subjectNameTemplate: allows mutating the value from the JWT using a Go template
- valueMappings.principalTemplate: same thing as above, for the principals
Hope this helps. If you are willing, please do document your experience with Keycloak. That could benefit other users.
Anton Aksola
from ssh-inscribe.
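The comment above describes two things a deployer has to get right: the claim-to-certificate mapping (subjectNameField/principalsField with Go templates, where the principals claim may be a scalar or an array) and the redirectURL path convention /v1/auth_callback/{name}. The Go program below is an added example written for this page, not ssh-inscribe's own code, that re-implements both pieces of behaviour so they can be tried against constructed claims. It assumes only the built-in text/template functions (printf etc.) are available in templates, and the rule that a non-localhost redirectURL must be https is this example's own choice, not something the comment says the daemon enforces. The sample claims and hostnames are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/url"
	"text/template"
)

// ValueMappings carries the four valueMappings keys from the config above.
type ValueMappings struct {
	SubjectNameField    string
	SubjectNameTemplate string
	PrincipalsField     string
	PrincipalTemplate   string
}

// renderTemplate executes a Go text/template against one claim value.
// "{{.}}" is the identity. Only built-in template functions are available here,
// which is an assumption of this example about what the daemon exposes.
func renderTemplate(tmpl string, value interface{}) (string, error) {
	t, err := template.New("claim").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse template %q: %w", tmpl, err)
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, value); err != nil {
		return "", fmt.Errorf("execute template %q: %w", tmpl, err)
	}
	return buf.String(), nil
}

// MapClaims derives the certificate subject name and principals from decoded JWT claims.
// The principals claim may be a single scalar or a JSON array; both are accepted.
func MapClaims(vm ValueMappings, claims map[string]interface{}) (string, []string, error) {
	rawSubject, ok := claims[vm.SubjectNameField]
	if !ok {
		return "", nil, fmt.Errorf("subject claim %q not present", vm.SubjectNameField)
	}
	subject, err := renderTemplate(vm.SubjectNameTemplate, rawSubject)
	if err != nil {
		return "", nil, err
	}
	if subject == "" {
		return "", nil, fmt.Errorf("subject claim %q rendered empty", vm.SubjectNameField)
	}

	var values []interface{}
	switch v := claims[vm.PrincipalsField].(type) {
	case nil:
		return "", nil, fmt.Errorf("principals claim %q not present", vm.PrincipalsField)
	case []interface{}:
		values = v
	default:
		values = []interface{}{v}
	}
	principals := make([]string, 0, len(values))
	for _, v := range values {
		p, err := renderTemplate(vm.PrincipalTemplate, v)
		if err != nil {
			return "", nil, err
		}
		if p == "" {
			continue // an empty principal is useless on a certificate; drop it
		}
		principals = append(principals, p)
	}
	if len(principals) == 0 {
		return "", nil, fmt.Errorf("no principals derived from claim %q", vm.PrincipalsField)
	}
	return subject, principals, nil
}

// CheckRedirectURL enforces the callback path convention /v1/auth_callback/{name}
// and requires https unless the host is localhost (the https rule is this example's
// choice, not a rule the comment attributes to the daemon).
func CheckRedirectURL(raw, authenticatorName string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("redirectURL %q: %w", raw, err)
	}
	want := "/v1/auth_callback/" + authenticatorName
	if u.Path != want {
		return fmt.Errorf("redirectURL path %q does not match authenticator %q (want %s)", u.Path, authenticatorName, want)
	}
	host := u.Hostname()
	if u.Scheme != "https" && host != "localhost" && host != "127.0.0.1" {
		return fmt.Errorf("redirectURL %q must use https outside of localhost", raw)
	}
	return nil
}

func main() {
	// Constructed claims, not a real token: a Google-style payload plus a groups array.
	const sample = `{"sub":"1234","name":"Jane Doe","email":"jane@example.com","groups":["admins","developers"]}`
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(sample), &claims); err != nil {
		panic(err)
	}

	// Mapping from the comment: name -> subject, email -> a single principal.
	vm := ValueMappings{SubjectNameField: "name", SubjectNameTemplate: "{{.}}", PrincipalsField: "email", PrincipalTemplate: "{{.}}"}
	subject, principals, err := MapClaims(vm, claims)
	fmt.Println(subject, principals, err)

	// Array-valued claim with a template that rewrites each value.
	vm.PrincipalsField, vm.PrincipalTemplate = "groups", `{{printf "grp-%s" .}}`
	_, principals, err = MapClaims(vm, claims)
	fmt.Println(principals, err)

	fmt.Println(CheckRedirectURL("https://localhost:8540/v1/auth_callback/google", "google"))
	fmt.Println(CheckRedirectURL("https://sshi.example.com/v1/auth_callback/google", "keycloak"))
}
```

The redirectURL check only covers what can be verified offline; it says nothing about the load-balancer affinity problem the comment raises, which has to be solved in the routing layer (sticky sessions or a single instance) rather than in configuration.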