No Documentation on callback URL for OIDC #25
Comments
Hey, thanks for reaching out. Yeah, this is something that isn't documented. I'm happy to accept any PRs to improve docs on a per-provider basis. Right now I don't have a production setup using the OIDC auth mechanism. However, previously I have used Google and Microsoft ADFS successfully. Here is an example configuration for Google:

```yaml
authoidc:
  name: google
  realm: my google auth
  timeout: 15
  clientID: REDACTED.apps.googleusercontent.com
  clientSecret: REDACTED
  authFlowTimeout: 240
  maxPendingAuthAttempts: 1000
  scopes:
    - openid
    - email
    - profile
  redirectURL: https://localhost:8540/v1/auth_callback/google
  providerURL: https://accounts.google.com
  valueMappings:
    subjectNameField: name
    subjectNameTemplate: '{{.}}'
    principalsField: email
    principalTemplate: '{{.}}'
  principals: []
  criticalOptions: {}
  extensions:
    permit-pty: ""
    permit-user-rc: ""
    permit-agent-forwarding: ""
    permit-X11-forwarding: ""
```

So your question was about redirectURL. As you probably know, this is the URL the auth provider will send the client to. We'll need to point it to the running ssh-inscribe daemon in order to validate the auth flow. So for development I have set it to localhost here. The path part is important: Other config values include:
Hope this helps. If you are willing, please do document your experience with Keycloak. That could benefit other users. Anton Aksola
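A pre-flight check for the `redirectURL` setting discussed above, added here as an example; it is not part of ssh-inscribe or of the original comment. It assumes the callback path is `/v1/auth_callback/` followed by the backend's `name` (inferred from the single Google example in this thread) and that the provider requires an exact match with a registered redirect URI; the function name and its dict input are hypothetical.

```python
from urllib.parse import urlsplit

# Path prefix as it appears in the example redirectURL in the thread above.
# Assumption: the final path segment is the backend's `name` value.
CALLBACK_PREFIX = "/v1/auth_callback/"


def check_redirect_url(cfg, registered_uris):
    """Return a list of problems with cfg['redirectURL']; empty means OK.

    cfg             -- the authoidc settings as a dict (hypothetical helper input)
    registered_uris -- redirect URIs registered for the client at the provider
    """
    problems = []
    url = cfg.get("redirectURL", "")
    parts = urlsplit(url)

    if parts.scheme != "https":
        problems.append("scheme is %r, expected https" % parts.scheme)
    if not parts.hostname:
        problems.append("no host in redirectURL")
    expected = CALLBACK_PREFIX + cfg.get("name", "")
    if parts.path != expected:
        problems.append("path is %r, expected %r" % (parts.path, expected))
    if parts.query or parts.fragment:
        problems.append("redirectURL should carry no query or fragment")
    # Assumption (strictest case): the provider only accepts a redirect_uri
    # that is byte-for-byte equal to one registered for the client.
    if url not in registered_uris:
        problems.append("redirectURL is not registered at the provider")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    good = {"name": "google",
            "redirectURL": "https://localhost:8540/v1/auth_callback/google"}
    bad = {"name": "keycloak",
           "redirectURL": "https://ssh-inscribe.example.test/oauth/verify"}
    registered = ["https://localhost:8540/v1/auth_callback/google",
                  "https://ssh-inscribe.example.test/v1/auth_callback/keycloak"]
    for cfg in (good, bad):
        print(cfg["name"], check_redirect_url(cfg, registered) or "OK")
```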
Hi,
I'm trying to set up ssh-inscribe with OIDC. I'm using Keycloak with external User Federation.
So far, ssh-inscribe is sending the requests to Keycloak. The users are being correctly authenticated. But we are struggling with the "redirectURL" option in config.yaml. What is the expected URL here? My understanding is that it should be a URL from ssh-inscribe itself, such as `https://<ssh-inscribe-url>/oauth/verify`, but I was unable to find the correct URL. Can you add an example to the Documentation/Readme?
Regards,
Bruno Costa