This repository has been archived by the owner on Apr 25, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 128
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Documentation on a solution for Google SSO. This solution is in production for Embark Studios, and therefor validated working.
- Loading branch information
Showing
1 changed file
with
131 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,131 @@ | ||
| # Google SSO Implementation | ||
|
|
||
| This is a short documentation on how you can setup wg-ui and Google OAuth. | ||
|
|
||
| There are a few different projects on GitHub related to SSO and OAuth2, the most popular just now is [oauth2-proxy/oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) but we at Embark Studios opted to use [buzzfeed/sso](https://github.com/buzzfeed/sso). This was done before the growth of oauth2-proxy. | ||
|
|
||
| ## SSO Proxy & Auth | ||
|
|
||
| When setting up [buzzfeed/sso](https://github.com/buzzfeed/sso) we followed the quickstart documentation provided by the project found [here](https://github.com/buzzfeed/sso/blob/master/docs/quickstart.md). | ||
| In our setup we use the binaries provided by releases, and not a docker based solution. | ||
|
|
||
| ## Systemd | ||
|
|
||
| Below is two simple services to keep both `sso-auth` and `sso-proxy` running. | ||
| As you can notice we use environment files instead of parameters for the binaries. | ||
|
|
||
| ``` | ||
| [Unit] | ||
| Description=sso-auth | ||
| After=network.target | ||
| [Service] | ||
| Type=simple | ||
| Restart=always | ||
| EnvironmentFile=/path/to/sso-auth.env | ||
| ExecStart=/path/to/sso-auth | ||
| [Install] | ||
| WantedBy=multi-user.target | ||
| ``` | ||
| ``` | ||
| SESSION_COOKIE_SECURE=true | ||
| SESSION_COOKIE_HTTPONLY=true | ||
| SESSION_COOKIE_DOMAIN=.domain.com | ||
| SESSION_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | ||
| SESSION_COOKIE_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | ||
| CLIENT_PROXY_ID=<shared with proxy's environment file> | ||
| CLIENT_PROXY_SECRET=<shared with proxy's environment file> | ||
| SERVER_SCHEME=https | ||
| SERVER_HOST=sso.domain.com | ||
| SERVER_PORT=8000 | ||
| AUTHORIZE_EMAIL_DOMAINS=domain.com | ||
| AUTHORIZE_PROXY_DOMAINS=domain.com | ||
| PROVIDER_DOMAIN_CLIENT_ID=123456789000-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.apps.googleusercontent.com | ||
| PROVIDER_DOMAIN_CLIENT_SECRET=XXXXXXXXXXXXXXXXXXXXXXXX | ||
| PROVIDER_DOMAIN_TYPE=google | ||
| PROVIDER_DOMAIN_SLUG=google | ||
| VIRTUAL_HOST=sso.domain.com | ||
| CLUSTER=sso | ||
| STATSD_HOST=127.0.0.1 | ||
| STATSD_PORT=8125 | ||
| ``` | ||
|
|
||
| ``` | ||
| [Unit] | ||
| Description=sso-proxy | ||
| After=network.target | ||
| [Service] | ||
| Type=simple | ||
| Restart=always | ||
| EnvironmentFile=/path/to/sso-proxy.env | ||
| ExecStart=/path/to/sso-proxy | ||
| [Install] | ||
| WantedBy=multi-user.target | ||
| ``` | ||
| ``` | ||
| DEFAULT_ALLOWED_EMAIL_DOMAINS=domain.com | ||
| UPSTREAM_CONFIGS=/path/to/upstream_configs.yaml | ||
| PROVIDER_URL=https://sso.domain.com | ||
| PROVIDER_URL_INTERNAL=http://localhost:8000 | ||
| CLIENT_ID=<shared with auth's environment file> | ||
| CLIENT_SECRET=<shared with auth's environment file> | ||
| COOKIE_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | ||
| COOKIE_SECURE=true | ||
| VIRTUAL_HOST=*.domain.com | ||
| CLUSTER=sso | ||
| STATSD_HOST=127.0.0.1 | ||
| STATSD_PORT=8125 | ||
| ``` | ||
|
|
||
| You will also need a yaml file which defines backend service (wg-ui) which is defined in sso-proxy.env as `UPSTREAM_CONFIGS` | ||
|
|
||
| ``` | ||
| - service: wg-ui | ||
| default: | ||
| from: vpn.domain.com | ||
| to: http://localhost:8080/ | ||
| ``` | ||
|
|
||
| ## nginx | ||
|
|
||
| We use nginx for all HTTP(S) to endusers, below you can find an example for configuration. | ||
|
|
||
| ``` | ||
| server { | ||
| listen 443 http2; | ||
| listen [::]:443 http2; | ||
| server_name vpn.domain.com; | ||
| ssl on; | ||
| ssl_certificate /path/to/domain.com.bundle.crt; | ||
| ssl_certificate_key /path/to/domain.com.key; | ||
| location / { | ||
| proxy_set_header Host $host; | ||
| proxy_set_header X-Real-IP $remote_addr; | ||
| proxy_set_header X-Forwarded-Proto https; | ||
| proxy_pass http://localhost:4180; | ||
| } | ||
| } | ||
| server { | ||
| listen 443 http2; | ||
| listen [::]:443 http2; | ||
| server_name sso.domain.com; | ||
| ssl on; | ||
| ssl_certificate /path/to/domain.com.bundle.crt; | ||
| ssl_certificate_key /path/to/domain.com.key; | ||
| location / { | ||
| proxy_set_header Host $host; | ||
| proxy_set_header X-Real-IP $remote_addr; | ||
| proxy_set_header X-Forwarded-Proto https; | ||
| proxy_pass http://localhost:8000; | ||
| } | ||
| } | ||
| ``` |