google: allow to specify suggested domain #2
Conversation
As per the Google OIDC docs, the `hd` parameter may be used to suggest the domain the user may login with: https://developers.google.com/identity/protocols/oauth2/openid-connect#hd-param In effect, the Google account chooser only displays accounts with that very domain, which simplifies the process for users with very long account lists.
|
@com6056 it doesn't seem I can request a review on this repo but this seems up your alley! |
| @@ -14,6 +14,7 @@ type Google struct { | |||
| ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"` | |||
| Scope string | |||
| Prompt string `long:"prompt" env:"PROMPT" default:"select_account" description:"Space separated list of OpenID prompt options"` | |||
| EmailDomain string `long:"email-domain" env:"EMAIL_DOMAIN" description:"Email domain the user is suggested to login with"` | |||
There was a problem hiding this comment.
any chance we can just use the same domain as specified with --domain so we don't have to specify it twice? although looks like it would allow multiple domains, maybe we can just grab the first one: https://github.com/muxinc/traefik-forward-auth/blob/master/internal/config.go#L35
There was a problem hiding this comment.
Up to you if you want me to go down that route. I would prefer to just add the 2nd config, because these map to independent parameters in Google's OpenID Connect flow and have slightly different purposes. Also it seems unlikely we will ever need to change the domains we're authenticating against, so that config overhead is pretty low IMO.
Plus if we use a trick like "always grab the first entry from domains" then there's more potential to break this by accidentally specifying the domain list in the "wrong" order.
There was a problem hiding this comment.
Makes sense, this approach works for me, thanks!
|
FYI I'm not an owner here so I can't take this any further than opening the PR :) |
This pulls in thomseddon#293, whose description reads:
This will let us restrict our auth wall to only show accounts from the Mux domain, simplifying the auth wall flow if anybody happens to be logged in to other Google accounts.