-
Notifications
You must be signed in to change notification settings - Fork 9
/
ssokenizer.yml
159 lines (139 loc) · 4.3 KB
/
ssokenizer.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
# Public part of tokenizer's keypair
seal_key: "$TOKENIZER_SEAL_KEY"
http:
# Where ssokenizer should listen
address: ":$PORT"
# Where users will be sent with the sealed token after the authenticating. The
# string `:name` will be replaced with the provider name. The string `:profile`
# will be replaced with the name of the provider profile. This can also be
# specified on individual providers bellow.
#
# return_url: "https://my.app/sso/:profile/:name/callback"
identity_providers:
# `google` here is the provider name. Users will go to
# https://<ssokenizer_url>/<provider_name>/start to start the oauth dance
google:
# Apps using sealed secrets with tokenizer will put this token in the
# `Proxy-Authorization` header.
secret_auth:
bearer: "$PROXY_AUTH"
# amazon, bitbucket, facebook, github, gitlab, google, heroku, microsoft,
# slack, or oauth.
profile: google
# OAuth Client ID - received from identity provider
client_id: "$GOOGLE_CLIENT_ID"
# OAuth Client Secret - received from identity provider
client_secret: "$GOOGLE_CLIENT_SECRET"
# where user should be sent with sealed OAuth token after authenticating
return_url: "$GOOGLE_RETURN_URL"
# OAuth scopes to request. Separate scopes with spaces to specify multiple
# scopes in the same line. This makes pulling them from environment
# variables easier.
scopes:
- "$GOOGLE_SCOPES"
# These fields only need to be specified when using a custom "oauth"
# provider profile.
#
# auth_url: $PROVIDER_AUTH_URL
# token_url: $PROVIDER_TOKEN_URL
github:
secret_auth:
bearer: "$PROXY_AUTH"
profile: github
client_id: "$GITHUB_CLIENT_ID"
client_secret: "$GITHUB_CLIENT_SECRET"
return_url: "$GITHUB_RETURN_URL"
scopes:
- "$GITHUB_SCOPES"
heroku:
secret_auth:
bearer: "$PROXY_AUTH"
profile: heroku
client_id: "$HEROKU_CLIENT_ID"
client_secret: "$HEROKU_CLIENT_SECRET"
return_url: "$HEROKU_RETURN_URL"
scopes:
- "$HEROKU_SCOPES"
# Same configurations except for name and return_url to allow authentication
# to staging environments with same OAuth client.
google_staging:
secret_auth:
bearer: "$PROXY_AUTH"
profile: google
client_id: "$GOOGLE_CLIENT_ID"
client_secret: "$GOOGLE_CLIENT_SECRET"
return_url: "$GOOGLE_STAGING_RETURN_URL"
scopes:
- "$GOOGLE_SCOPES"
google_staging_2:
secret_auth:
bearer: "$PROXY_AUTH"
profile: google
client_id: "$GOOGLE_CLIENT_ID"
client_secret: "$GOOGLE_CLIENT_SECRET"
return_url: "$GOOGLE_STAGING_2_RETURN_URL"
scopes:
- "$GOOGLE_SCOPES"
github_staging:
secret_auth:
bearer: "$PROXY_AUTH"
profile: github
client_id: "$GITHUB_CLIENT_ID"
client_secret: "$GITHUB_CLIENT_SECRET"
return_url: "$GITHUB_STAGING_RETURN_URL"
scopes:
- "$GITHUB_SCOPES"
github_staging_2:
secret_auth:
bearer: "$PROXY_AUTH"
profile: github
client_id: "$GITHUB_CLIENT_ID"
client_secret: "$GITHUB_CLIENT_SECRET"
return_url: "$GITHUB_STAGING_2_RETURN_URL"
scopes:
- "$GITHUB_SCOPES"
heroku_staging:
secret_auth:
bearer: "$PROXY_AUTH"
profile: heroku
client_id: "$HEROKU_CLIENT_ID"
client_secret: "$HEROKU_CLIENT_SECRET"
return_url: "$HEROKU_STAGING_RETURN_URL"
scopes:
- "$HEROKU_SCOPES"
heroku_staging_2:
secret_auth:
bearer: "$PROXY_AUTH"
profile: heroku
client_id: "$HEROKU_CLIENT_ID"
client_secret: "$HEROKU_CLIENT_SECRET"
return_url: "$HEROKU_STAGING_2_RETURN_URL"
scopes:
- "$HEROKU_SCOPES"
google_auth:
secret_auth:
bearer_digest: "$AUTH_DIGEST"
profile: google
client_id: "$GOOGLE_CLIENT_ID"
client_secret: "$GOOGLE_CLIENT_SECRET"
return_url: "$GOOGLE_AUTH_RETURN_URL"
scopes:
- "$GOOGLE_SCOPES"
github_auth:
secret_auth:
bearer_digest: "$AUTH_DIGEST"
profile: github
client_id: "$GITHUB_CLIENT_ID"
client_secret: "$GITHUB_CLIENT_SECRET"
return_url: "$GITHUB_AUTH_RETURN_URL"
scopes:
- "$GITHUB_AUTH_SCOPES"
vanta:
secret_auth:
bearer: "$PROXY_AUTH"
profile: vanta
client_id: "$VANTA_CLIENT_ID"
client_secret: "$VANTA_CLIENT_SECRET"
return_url: "$VANTA_RETURN_URL"
scopes:
- "$VANTA_AUTH_SCOPES"