#266 add cookie.domain when allowAllUsers: true

vouch · Jul 10, 2020 · d5939fc · d5939fc
1 parent 6e3cc77
commit d5939fc
Show file tree

Hide file tree

Showing 9 changed files with 86 additions and 29 deletions.
diff --git a/config/config.yml_example_adfs b/config/config.yml_example_adfs
@@ -5,14 +5,21 @@ vouch:
   # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate to ADFS
   allowAllUsers: true
 
+  cookie:
+    # allow the jwt/cookie to be set into http://yourdomain.com (defaults to true, requiring https://yourdomain.com) 
+    # secure: false
+    # vouch.cookie.domain must be set when enabling allowAllUsers
+    #  domain: yourdomain.com
+
+
 oauth:
   provider: adfs
   client_id: k8s
   client_secret: sauceSecret
-  auth_url: https://adfs.example.com/adfs/oauth2/authorize/
-  token_url: https://adfs.example.com/adfs/oauth2/token/
+  auth_url: https://adfs.yourdomain.com/adfs/oauth2/authorize/
+  token_url: https://adfs.yourdomain.com/adfs/oauth2/token/
   scopes:
     - openid
     - email
     - profile
-  callback_url: https://vouch.example.com/auth
+  callback_url: https://vouch.yourdomain.com/auth
diff --git a/config/config.yml_example_gitea b/config/config.yml_example_gitea
@@ -4,19 +4,26 @@
 
 vouch:
   domains:
-  - vouch.example
+  - yourdomain.com
 
   # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at Gitea
   # allowAllUsers: true
 
+  # cookie:
+    # allow the jwt/cookie to be set into http://yourdomain.com (defaults to true, requiring https://yourdomain.com) 
+    # secure: false
+    # vouch.cookie.domain must be set when enabling allowAllUsers
+    # domain: yourdomain.com
+
+
 oauth:
-  # replace "gitea.example" with the domain your Gitea instance runs on
+  # replace "gitea.yourdomain.com" with the domain your Gitea instance runs on
   # create a new OAuth application at:
-  # https://gitea.example/user/settings/applications
+  # https://gitea.yourdomain.com/user/settings/applications
   provider: github
   client_id: xxxxxxxxxxxxxxxxxxxx
   client_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-  callback_url: https://vouch.example/auth
-  auth_url: https://gitea.example/login/oauth/authorize
-  token_url: https://gitea.example/login/oauth/access_token
-  user_info_url: https://gitea.example/api/v1/user?token=
+  auth_url: https://gitea.yourdomain.com/login/oauth/authorize
+  token_url: https://gitea.yourdomain.com/login/oauth/access_token
+  user_info_url: https://gitea.yourdomain.com/api/v1/user?token=
+  callback_url: https://yourdomain.com/auth
diff --git a/config/config.yml_example_github b/config/config.yml_example_github
@@ -15,6 +15,13 @@ vouch:
   # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at GitHub
   # allowAllUsers: true
 
+  cookie:
+    # allow the jwt/cookie to be set into http://yourdomain.com (defaults to true, requiring https://yourdomain.com) 
+    secure: false
+    # vouch.cookie.domain must be set when enabling allowAllUsers
+    #  domain: yourdomain.com
+
+
   # set teamWhitelist: to list of teams and/or GitHub organizations
   # When putting an organization id without a slash, it will allow all (public) members from the organization.
   # The client will try to read the private organization membership using the client credentials, if that's not possible

diff --git a/config/config.yml_example_github_enterprise b/config/config.yml_example_github_enterprise
@@ -8,13 +8,21 @@ vouch:
   # each of these domains must serve the url https://login.$domains[0] https://login.$domains[1] ...
   # the callback_urls will be to these domains
   domains:
-  - yoursite.com
+  - yourdomain.com
   - yourothersite.io
 
   # - OR -
   # instead of setting specific domains you may prefer to allow all users...
   # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at the configured provider
   # allowAllUsers: true
+
+  cookie:
+    # allow the jwt/cookie to be set into http://yourdomain.com (defaults to true, requiring https://yourdomain.com) 
+    secure: false
+    # vouch.cookie.domain must be set when enabling allowAllUsers
+    #  domain: yourdomain.com
+
+
   # set teamWhitelist: to list of teams and/or GitHub organizations
   # When putting an organization id without a slash, it will allow all (public) members from the organization.
   # The client will try to read the private organization membership using the client credentials, if that's not possible
@@ -28,17 +36,17 @@ vouch:
 
 oauth:
   # create a new OAuth application at:
-  # https://githubenterprise.yoursite.com/settings/applications/new
+  # https://githubenterprise.yourdomain.com/settings/applications/new
   provider: github
   client_id: xxxxxxxxxxxxxxxxxxxx
   client_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-  auth_url: https://githubenterprise.yoursite.com/login/oauth/authorize
-  token_url: https://githubenterprise.yoursite.com/login/oauth/access_token
-  user_info_url: https://githubenterprise.yoursite.com/api/v3/user?access_token=
+  auth_url: https://githubenterprise.yourdomain.com/login/oauth/authorize
+  token_url: https://githubenterprise.yourdomain.com/login/oauth/access_token
+  user_info_url: https://githubenterprise.yourdomain.com/api/v3/user?access_token=
   # relevant only if teamWhitelist is configured; colon-prefixed parts are parameters that
   # will be replaced with the respective values.
-  user_team_url: https://githubenterprise.yoursite.com/api/v3/orgs/:org_id/teams/:team_slug/memberships/:username?access_token=
-  user_org_url: https://githubenterprise.yoursite.com/api/v3/orgs/:org_id/members/:username?access_token=
+  user_team_url: https://githubenterprise.yourdomain.com/api/v3/orgs/:org_id/teams/:team_slug/memberships/:username?access_token=
+  user_org_url: https://githubenterprise.yourdomain.com/api/v3/orgs/:org_id/members/:username?access_token=
   # these GitHub OAuth defaults are set for you..
   # scopes:
   #   - user

diff --git a/config/config.yml_example_google b/config/config.yml_example_google
@@ -6,7 +6,17 @@ vouch:
   domains:
   - yourdomain.com
   - yourotherdomain.com
-
+
+  # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at Gitea
+  # allowAllUsers: true
+
+  cookie:
+    # allow the jwt/cookie to be set into http://yourdomain.com (defaults to true, requiring https://yourdomain.com) 
+    secure: false
+    # vouch.cookie.domain must be set when enabling allowAllUsers
+    #  domain: yourdomain.com
+
+
 oauth:
   provider: google
   # get credentials from...
@@ -16,5 +26,5 @@ oauth:
   callback_urls: 
     - http://yourdomain.com:9090/auth
     - http://yourotherdomain.com:9090/auth
-  preferredDomain: yourdomain.com
-  # endpoints set from https://godoc.org/golang.org/x/oauth2/google
+  preferredDomain: yourdomain.com # be careful with this option, it may conflict with chrome on Android 
+  # endpoints are set from https://godoc.org/golang.org/x/oauth2/google
diff --git a/config/config.yml_example_homeassistant b/config/config.yml_example_homeassistant
@@ -11,18 +11,20 @@ vouch:
   domains:
   - yourdomain.com
 
-  # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at the configured provider
-  allowAllUsers: false
+  # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at Gitea
+  # allowAllUsers: true
+
+  # cookie:
+    # secure: false           # allow the jwt/cookie to be set into http://yourdomain.com (defaults to true, requiring https://yourdomain.com) 
+    # domain: yourdomain.com  # vouch.cookie.domain must be set when enabling allowAllUsers
+
 
   # whiteList - (optional) allows only the listed usernames
   # usernames are usually email addresses (google, most oidc providers) or login/username for github and github enterprise
   # using static value for HomeAssistant
   whiteList:
   - homeassistant
 
-  # Setting publicAccess: true will accept all requests, even without a cookie. 
-  publicAccess: false
-
 oauth:
   # HomeAssistant Auth
   # HomeAssistant typically uses a port in the url (8123 by default) and this maybe required for the auth_url and token_url 

diff --git a/config/config.yml_example_indieauth b/config/config.yml_example_indieauth
@@ -6,12 +6,18 @@ vouch:
   # domains:
   # valid domains that the jwt cookies can be set into
   # the callback_urls will be to these domains
-  domains:
-  - yourdomain.com
+  # domains:
+  # - yourdomain.com
 
   # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at the configured provider
   allowAllUsers: true
 
+  cookie:
+    # allow the jwt/cookie to be set into http://yourdomain.com (defaults to true, requiring https://yourdomain.com) 
+    secure: false
+    # vouch.cookie.domain must be set when enabling allowAllUsers
+    # domain: yourdomain.com
+
   # Setting publicAccess: true will accept all requests, even without a cookie. 
   publicAccess: true
 

diff --git a/config/config.yml_example_nextcloud b/config/config.yml_example_nextcloud
@@ -15,6 +15,12 @@ vouch:
   # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at the configured provider
   # allowAllUsers: true
 
+  cookie:
+    # allow the jwt/cookie to be set into http://yourdomain.com (defaults to true, requiring https://yourdomain.com) 
+    secure: false
+    # vouch.cookie.domain must be set when enabling allowAllUsers
+    # domain: yourdomain.com
+
 oauth:
   # This assumes usage of pretty URLs otherwise add /index.php/
   # to start of URL path

diff --git a/config/config.yml_example_oidc b/config/config.yml_example_oidc
@@ -15,8 +15,12 @@ vouch:
   # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at the configured provider
   # and set vouch.cookie.domain to the domain you wish to protect
   # allowAllUsers: true
-  # cookie:
-  #   domain: yourdomain.com
+
+  cookie:
+    # allow the jwt/cookie to be set into http://yourdomain.com (defaults to true, requiring https://yourdomain.com) 
+    secure: false
+    # vouch.cookie.domain must be set when enabling allowAllUsers
+    # domain: yourdomain.com
 
 oauth:
   # Generic OpenID Connect