Oh this isn't the login/logout commit, this is the callback validation. Yes please post a config.

Are users restricted to the domains in the callback(s)? What happens when you use those domains in vouch.domains? Does that meet your use case?

Upon further inspection there is probably a bug here related to the /login work, but it may be oauth.provider specific.

Hey,

thanks for looking into this. we use the following config which worked just fine up until we updated to the latest version of vouch proxy last week.

vouch:
  logLevel: debug
  #domains:
  #  - example.com
configured provider
  allowAllUsers: true
  jwt:
    secret: redacted
    issuer: redacted
    maxAge: 6000
  headers:
    claims:
      - groups
  testing: false
  cookie:
    maxAge: 6000
    secure: true
oauth:
  provider: oidc
  client_id: redacted
  client_secret: redacted
  auth_url: https://redacted.oktapreview.com/oauth2/default/v1/userinfo
  token_url: https://redacted.oktapreview.com/oauth2/default/v1/userinfo
  user_info_url: https://redacted.oktapreview.com/oauth2/default/v1/userinfo
  callback_url: https://example.com/auth

When we add the commented out domains section, it works again. However, we liked the previous behaviour where we didnt have to specify that.
We are using the OKTA OIDC provider if that's important to know.

In the commit I linked in my initial post, I saw that the following was removed:
if !viper.IsSet(Branding.LCName + ".allowAllUsers") {
which in my understanding now causes vouch proxy to always validate the domains no matter what allowAllUsers is set to. There might be a good reason for that, but I would have expected it to work differently based on the what the config file says. Should domains still be validated even though that flag is set?

I ask because in your OP you mention...

and use the respective callback urls we pass during that process

which made me think you were using oauth.callback_urls not oauth.callback_url

I believe this is fixed in master though you'll likely need to add vouch.cookie.domain: example.com

Please do test and let me know what you find.

@betagan ^^

@betagan have you had an opportunity to test the fix? If you are no longer working this issue could you please close.

Hi,
Probably I had the same issue (and misunderstanding of the configuration?).
Please let me confirm I could understand correctly.

I'm using 0.15.7 (Latest docker image) with Okta. The configuration is on my gist.
I recently started using vouch-proxy so I don't know how it worked before.

The config.yml_example_oidc tells to choose either specifying the domains or 'allowAllUsers: true'.

With 'allowAllUsers: true' only, vouch-proxy gets the following error.

configuration error: oauth.callback_url (https://vouch.example.com/auth) must be within a configured domains where the cookie will be set: either vouch.domains [] or vouch.cookie.domain

If I set both 'domains:' and 'allowAllUsers: true' according to the error message above, it returns;

configuration error: either one of vouch.domains or vouch.allowAllUsers needs to be set (but not both)

Finally, according to your comment above, manually adding the configurations worked fine.

I believe this is fixed in master though you'll likely need to add vouch.cookie.domain: example.com

vouch:
  allowAllUsers: true

  # Manually add the following lines
  cookie:
    domain: example.com

If it's the right way to enable 'allowAllUsers: true' to avoid listing all the related domains in the vouch.domains, it will be very helpful to add some description of the vouch.cookie.domain in the example files. I found there are descriptions about this parameter in the README, but I couldn't find out when to set this.

It seems my understanding was correct since @bnfinet changed the label.
I'll have a look at config file examples this weekend to add descriptions about vouch.cookie.domain.

@yaws-k yes that's right

Sorry I should have replied explicitly. It's on my list to review/update the docs regarding that but I won't be able to pay attention to this until next week. PRs are of course always appreciated.

Thanks much.

@bnfinet
Thank you for the clarification. Then I'll send a PR for config examples as a kind of candidate. Please review them if they are accurate when you have time. (They need to be checked since I'm not familiar with the golang and I don't have all environments for testing.)

thanks @yaws-k for the documentation fix