fix(authn): handle the case where zot with openid runs behind a proxy (#1675)

added a new config option under 'http' called externalURL which is used
by openid/oauth2 clients to redirect back to zot

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
peusebiu
2023-08-09 19:11:21 +03:00
committed by GitHub
parent ed90e3bd24
commit 4d125d55ed
5 changed files with 320 additions and 259 deletions
+27 -1
@@ -181,6 +181,8 @@ zot can be configured to use the above providers with:
```
{
"http": {
"address": "127.0.0.1",
"port": "8080",
"auth": {
"openid": {
"providers": {
@@ -207,7 +209,7 @@ zot can be configured to use the above providers with:
}
```
The login with either provider use http://127.0.0.1:8080/auth/login?provider=\<provider\>&callback_ui=http://127.0.0.1:8080/home
To login with either provider use http://127.0.0.1:8080/auth/login?provider=\<provider\>&callback_ui=http://127.0.0.1:8080/home
for example to login with github use http://127.0.0.1:8080/auth/login?provider=github&callback_ui=http://127.0.0.1:8080/home
callback_ui query parameter is used by zot to redirect to UI after a successful openid/oauth2 authentication
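Review bot: the wording fix is fine, but the last line of this hunk documents `callback_ui` as a caller-supplied post-login redirect target without saying how zot constrains it; since the same document now introduces `http.externalUrl` as the address clients reach zot at, state here that `callback_ui` is expected to point back at zot's own UI (same origin as `http.externalUrl` or the listening address) so readers do not assume arbitrary URLs are accepted after authentication.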
@@ -258,6 +260,30 @@ images to/from zot.
Given this limitation, if openif authentication is enabled in the configuration, API keys are also enabled
implicitly, as a viable alternative authentication method for pushing and pulling container images.
### OpenID/OAuth2 social login behind a proxy/load balancer
In the case of running zot with openid enabled behind a proxy/load balancer http.externalUrl should be provided.
```
"http": {
"address": "0.0.0.0",
"port": "8080",
"externalUrl: "https://zot.example.com",
"auth": {
"openid": {
"providers": {
"github": {
"clientid": <client_id>,
"clientsecret": <client_secret>,
"scopes": ["read:org", "user", "repo"]
}
}
}
}
}
```
This config value will be used by oauth2/openid clients to redirect back to zot.
### Session based login
Whenever a user logs in zot using any of the auth options available(basic auth/openid) zot will set a 'session' cookie on its response.
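Review bot: the JSON line `"externalUrl: "https://zot.example.com",` is missing the closing quote on the key name, so the example does not parse; it should read `"externalUrl": "https://zot.example.com",` to match the key used in the example config in this commit. In the same section, the sentence ending `http.externalUrl should be provided` would help operators more if it said what the value must be: the scheme, host and port at which clients reach zot through the proxy, which must also match the redirect URI registered with the OpenID/OAuth2 provider, since that is the value the provider compares against when redirecting back. The unchanged context line above it also has `openif` for `openid`, worth fixing while this file is being edited.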
+1
@@ -7,6 +7,7 @@
"http": {
"address": "127.0.0.1",
"port": "8080",
"externalUrl": "http://127.0.0.1:8080",
"realm": "zot",
"auth": {
"htpasswd": {
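Review bot: the key is spelled `externalUrl` here and in the docs hunk, while the commit message calls it `externalURL`; align the two so operators searching for the option by name find it. The visible context of this example also shows only `htpasswd` under `auth`, so if no `openid` block follows further down, the added value is inert in this file and the option is better demonstrated in the openid example config.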