Add Okta auth (#123)
* Make azure auth more generic

* Add okta auth

* Setup redirect

* Fix manifests auth issue
alexbrazier committed Dec 12, 2020
1 parent 0dbf615 commit 069569a
Showing 13 changed files with 533 additions and 191 deletions.
2 changes: 1 addition & 1 deletion .gitignore
Expand Up @@ -6,4 +6,4 @@ yarn-error.log*
/.env
*.old
/data

/api/.env
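Review bot: Ignoring `/api/.env` is the right companion to the new `api/.env.example`, since that file is where `OKTA_CLIENT_SECRET` and `SESSION_TOKEN` will live on a developer machine; the README should tell readers to copy the example to `api/.env` rather than fill in the example itself, so real values never end up in a tracked file.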
59 changes: 31 additions & 28 deletions README.md
Expand Up @@ -16,7 +16,7 @@ A simple URL shortener written in Go with a React frontend and Postgres database
- Opensearch integration to provide suggestions directly to browser
- Frontend to view most popular searches and search to find existing links
- Frontend to allow anyone to add and edit links
- Optional authentication using Azure AD
- Optional authentication using Azure AD or Okta
- Slack `/` command integration
- Slackbot integration

Expand Down Expand Up @@ -79,33 +79,36 @@ POSTGRES_PASS=password HOSTS=localhost APP_URI=http://localhost:3000 go run serv

## Enviroment Configuration

| Env Var | Required | Default | Example | Description |
| --------------------------- | -------- | -------------- | ---------------------------- | ------------------------------------------------------------------------------------------------------ |
| `HOSTS` | yes | | go.domain.com,go2.domain.com | List of comma separated hosts that the server will be able to be accessed from |
| `BLOCKED_HOSTS` | | | go.domain.com,go2.domain.com | List of hosts you want to block from being linked - HOSTS are already included to stop recursive calls |
| `APP_URI` | yes | | https://go.domain.com | Default URI of app - used to link back to app |
| `PORT` | | 1323 | | Port the app will run on |
| `DEBUG` | | false | | Enable more logging |
| `JSON_LOGS` | | false | | Use JSON logs where possible |
| `POSTGRES_ADDR` | | localhost:5432 | | Postgres db address |
| `POSTGRES_DATABASE` | | go | | Postgres db name |
| `POSTGRES_USER` | | postgres | | Postgres user |
| `POSTGRES_PASS` | | password | | Postgres password |
| `SLACK_TOKEN` | | | xoxb-xxxxxxxxx-xxxxxxxx-xxxx | Slack OAuth token to enable slackbot |
| `SENTRY_API_DSN` | | | | Sentry DSN for go API |
| `SENTRY_FRONTEND_DSN` | | | | Sentry DSN for react frontend |
| `SLACK_SIGNING_SECRET` | | | xxxxxxxxxxx | Slack signing secret to enable Slack `/go` command |
| `SLACK_TEAM_ID` | | | Txxxxxxxx | Slack team id to restrict slash command responses to single team |
| `ENABLE_AUTH` | | false | | Enable Azure auth or not - if enabled, all other fields must be filled in |
| `AUTH_EXPIRY_SECONDS` | | 2592000 | | Auth cookie expiry (default 30 days) |
| `SECURE_COOKIES` | | true | | Use secure https only cookies |
| `AD_TENANT_ID` | | | | Azure AD tenant ID |
| `AD_CLIENT_ID` | | | | Azure AD client ID |
| `AD_CLIENT_SECRET` | | | | Azure AD client secret |
| `SESSION_TOKEN` | | | | Secret session token to store the user sessions |
| `ALLOWED_IPS` | | | 110.1.10.2,1.1.22.0/24 | IP addresses or CIDRs that are always allowed access, even with auth enabled |
| `ALLOW_FORWARDED_FOR` | | false | | Retrieve origin IP from X-Forwarded-For header. Only enable if source is trusted, e.g. via Cloudfront |
| `FORWARDED_FOR_TRUST_LEVEL` | | 1 | | Number of levels to trust X-Forwarded-For header - should map to number of proxies used |
| Env Var | Required | Default | Example | Description |
| --------------------------- | -------- | -------------- | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
| `HOSTS` | yes | | go.domain.com,go2.domain.com | List of comma separated hosts that the server will be able to be accessed from |
| `BLOCKED_HOSTS` | | | go.domain.com,go2.domain.com | List of hosts you want to block from being linked - HOSTS are already included to stop recursive calls |
| `APP_URI` | yes | | https://go.domain.com | Default URI of app - used to link back to app |
| `PORT` | | 1323 | | Port the app will run on |
| `DEBUG` | | false | | Enable more logging |
| `JSON_LOGS` | | false | | Use JSON logs where possible |
| `POSTGRES_ADDR` | | localhost:5432 | | Postgres db address |
| `POSTGRES_DATABASE` | | go | | Postgres db name |
| `POSTGRES_USER` | | postgres | | Postgres user |
| `POSTGRES_PASS` | | password | | Postgres password |
| `SLACK_TOKEN` | | | xoxb-xxxxxxxxx-xxxxxxxx-xxxx | Slack OAuth token to enable slackbot |
| `SENTRY_API_DSN` | | | | Sentry DSN for go API |
| `SENTRY_FRONTEND_DSN` | | | | Sentry DSN for react frontend |
| `SLACK_SIGNING_SECRET` | | | xxxxxxxxxxx | Slack signing secret to enable Slack `/go` command |
| `SLACK_TEAM_ID` | | | Txxxxxxxx | Slack team id to restrict slash command responses to single team |
| `ENABLE_AUTH` | | false | | Enable Azure auth or not - if enabled, all other fields must be filled in |
| `AUTH_EXPIRY_SECONDS` | | 2592000 | | Auth cookie expiry (default 30 days) |
| `SECURE_COOKIES` | | true | | Use secure https only cookies |
| `AD_TENANT_ID` | | | | Azure AD tenant ID |
| `AD_CLIENT_ID` | | | | Azure AD client ID |
| `AD_CLIENT_SECRET` | | | | Azure AD client secret |
| `OKTA_CLIENT_ID` | | | | Okta client ID |
| `OKTA_CLIENT_SECRET` | | | | Okta client secret |
| `OKTA_ISSUER` | | | https://dev-123.oktapreview.com/oauth2/default | Okta issuer url |
| `SESSION_TOKEN` | | | | Secret session token to store the user sessions |
| `ALLOWED_IPS` | | | 110.1.10.2,1.1.22.0/24 | IP addresses or CIDRs that are always allowed access, even with auth enabled |
| `ALLOW_FORWARDED_FOR` | | false | | Retrieve origin IP from X-Forwarded-For header. Only enable if source is trusted, e.g. via Cloudfront |
| `FORWARDED_FOR_TRUST_LEVEL` | | 1 | | Number of levels to trust X-Forwarded-For header - should map to number of proxies used |

## FAQ

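Review bot: The `ENABLE_AUTH` row still reads "Enable Azure auth or not - if enabled, all other fields must be filled in", which no longer matches a table that now lists both `AD_*` and `OKTA_*` variables; state that either the `AD_TENANT_ID`/`AD_CLIENT_ID`/`AD_CLIENT_SECRET` set or the `OKTA_CLIENT_ID`/`OKTA_CLIENT_SECRET`/`OKTA_ISSUER` set is required and how the server picks the provider. The `Enviroment` heading typo in the context line could be fixed in the same pass.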
9 changes: 9 additions & 0 deletions api/.env.example
@@ -0,0 +1,9 @@
HOSTS=localhost
APP_URI=http://localhost:1323
POSTGRES_ADDR=localhost:32768
ENABLE_AUTH=false
#OKTA_CLIENT_ID=
#OKTA_CLIENT_SECRET=
#OKTA_ISSUER=https://dev-123.oktapreview.com/oauth2/default
SESSION_TOKEN=1234
SECURE_COOKIES=false
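Review bot: `SESSION_TOKEN=1234` is a weak placeholder for the secret that protects every user session, and example files tend to get copied verbatim; add a comment such as `# replace with a random value, e.g. openssl rand -hex 32` above it, and a note that `SECURE_COOKIES=false` is only for plain-http local development so the defaults in this file are never carried into a deployment.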
57 changes: 57 additions & 0 deletions api/Gopkg.lock
8 changes: 8 additions & 0 deletions api/Gopkg.toml
Expand Up @@ -63,3 +63,11 @@
[[constraint]]
name = "github.com/getsentry/sentry-go"
version = "0.5.1"

[[constraint]]
name = "github.com/joho/godotenv"
version = "1.3.0"

[[constraint]]
name = "github.com/okta/okta-jwt-verifier-golang"
version = "1.0.0"
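Review bot: `github.com/joho/godotenv` is added as a constraint but none of the four bullets in the commit message mentions it; if it exists to load the new `api/.env` for local development, say so in the message and confirm the loader tolerates a missing file in production rather than failing startup or, worse, silently running with `ENABLE_AUTH` unset.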
9 changes: 9 additions & 0 deletions api/config/config.go
Expand Up @@ -32,6 +32,9 @@ type Specification struct {
AllowForwardedFor bool `envconfig:"ALLOW_FORWARDED_FOR"`
ForwardedForTrustLevel int `envconfig:"FORWARDED_FOR_TRUST_LEVEL" default:"1"`
SentryDSN string `envconfig:"SENTRY_API_DSN"`
OktaClientID string `envconfig:"OKTA_CLIENT_ID"`
OktaClientSecret string `envconfig:"OKTA_CLIENT_SECRET"`
OktaIssuer string `envconfig:"OKTA_ISSUER"`
}

// Auth config
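Review bot: The three new `Okta*` fields on `Specification` carry no `required` tag, so `ENABLE_AUTH=true` with an empty `OKTA_ISSUER` passes envconfig and only fails when the first request reaches the verifier; validate in `Init()` that whichever provider is selected has all of its values set, and keep `OktaClientSecret` out of any debug dump of the spec.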
Expand All @@ -46,6 +49,9 @@ type Auth struct {
ForwardedForTrustLevel int
MaxAge int
SecureCookies bool
OktaClientID string
OktaClientSecret string
OktaIssuer string
}

// Database config
Expand Down Expand Up @@ -106,6 +112,9 @@ func Init() {
ForwardedForTrustLevel: spec.ForwardedForTrustLevel,
MaxAge: spec.AuthExpirySeconds,
SecureCookies: spec.SecureCookies,
OktaClientID: spec.OktaClientID,
OktaClientSecret: spec.OktaClientSecret,
OktaIssuer: spec.OktaIssuer,
}
config.Database = Database{
Addr: spec.PostgresAddr,
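Review bot: `Init()` copies the Okta values into `Auth` alongside the existing Azure ones, but nothing in this hunk decides which provider wins when both `AD_*` and `OKTA_*` are populated; an explicit provider selection, or an error on an ambiguous configuration, would make startup behaviour predictable and easier to audit.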