diff --git a/config/config.yml_example b/config/config.yml_example
index 74598846..f543c66b 100644
--- a/config/config.yml_example
+++ b/config/config.yml_example
@@ -11,6 +11,12 @@ vouch:
 listen: 0.0.0.0
 port: 9090
+ # testing: force all 302 redirects to be rendered as a webpage with a link
+ # if you're having difficulty with constant redirects, please do turn on testing
+ # testing: true
+ # test_url: add this URL to the page which vouch displays as a convenience for testing
+ test_url: http://yourdomain.com
+
 # domains:
 # each of these domains must serve the url https://vouch.$domains[0] https://vouch.$domains[1] ...
 # so that the cookie which stores the JWT can be set in the relevant domain
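Review bot: The new block leaves `test_url: http://yourdomain.com` as a live key while `# testing: true` directly above it is commented out, so every deployment that copies this example carries a placeholder test URL even though testing mode is off. The block this replaces further down in the same file had both keys active, so this reads as a half-finished toggle. Suggest commenting it out to match its neighbour: `# test_url: http://yourdomain.com`.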
@@ -75,22 +81,19 @@ vouch:
 jwt: X-Vouch-Token
 querystring: access_token
 redirect: X-Vouch-Requested-URI
- # If idToken is defined, all valid requests to /validate will receive a header (defined in the value) containing the id_token from the OpenID Provider
- # If idToken is empty or undefined, no header will be added
- # This will make the response largerwich in turn can affect the response time
- # idToken: x-vouch-idtoken
- # If accessToken is defined, all valid requests to /validate will receive a header (defined in the value) containing the access_token from the OpenID Provider
- # If accessToken is empty or undefined, no header will be added
- # This will make the response larger wich in turn can affect the response time
- # accessToken: x-vouch-accesstoken
+ # If idpIDToken is defined, the `id_token` from the OpenID Provider will be returned by /validate in the configured header
+ # idpIDToken: X-Vouch-IdP-IDToken
+ # If idpAccessToken is defined, the `access_token` from the OpenID Provider will be returned by /validate in the configured header
+ # idpAccessToken: X-Vouch-IdP-AccessToken
+ # If either idpIDToken or idpAccessToken is empty or undefined, no header will be added
+ # a note on idp headers:
+ # Unless your application will make use of these headers there is no reason you should expose these tokens.
+ # They are not used by Vouch Proxy for validation. Including these headers will make the response slightly larger which may
+ # incur a marginal performance penalty
 db:
 file: data/vouch_bolt.db
- # testing: force all 302 redirects to be rendered as a webpage with a link
- testing: true
- # test_url: add this URL to the page which vouch displays
- test_url: http://yourdomain.com
 # webapp: WIP for web interface to vouch (mostly logs)
 webapp: true
diff --git a/handlers/handlers.go b/handlers/handlers.go
index 62dfccff..e99d8665 100644
--- a/handlers/handlers.go
+++ b/handlers/handlers.go
@@ -192,11 +192,11 @@ func ValidateRequestHandler(w http.ResponseWriter, r *http.Request) {
 }
 w.Header().Add(cfg.Cfg.Headers.User, claims.Username)
- if cfg.Cfg.Headers.IDToken != "" {
- w.Header().Add(cfg.Cfg.Headers.IDToken, claims.IDToken)
+ if cfg.Cfg.Headers.IdpIDToken != "" {
+ w.Header().Add(cfg.Cfg.Headers.IdpIDToken, claims.IDToken)
 }
- if cfg.Cfg.Headers.AccessToken != "" {
- w.Header().Add(cfg.Cfg.Headers.AccessToken, claims.AccessToken)
+ if cfg.Cfg.Headers.IdpAccessToken != "" {
+ w.Header().Add(cfg.Cfg.Headers.IdpAccessToken, claims.AccessToken)
 }
 w.Header().Add(cfg.Cfg.Headers.Success, "true")
 log.WithFields(log.Fields{cfg.Cfg.Headers.User: w.Header().Get(cfg.Cfg.Headers.User)}).Debug("response header")
@@ -255,6 +255,8 @@ func LogoutHandler(w http.ResponseWriter, r *http.Request) {
 }
 }
+// HealthcheckHandler returns json "ok" (we're alive!)
+// TODO: add additional checks!
 func HealthcheckHandler(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Type", "application/json")
 fmt.Fprintf(w, "{ \"ok\": true }")
diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go
index 28a31186..acc0ed4b 100644
--- a/pkg/cfg/cfg.go
+++ b/pkg/cfg/cfg.go
@@ -41,13 +41,13 @@ type config struct {
 HTTPOnly bool `mapstructure:"httpOnly"`
 }
 Headers struct {
- JWT string `mapstructure:"jwt"`
- IDToken string `mapstructure:"idToken"`
- AccessToken string `mapstructure:"accessToken"`
- User string `mapstructure:"user"`
- QueryString string `mapstructure:"querystring"`
- Redirect string `mapstructure:"redirect"`
- Success string `mapstructure:"success"`
+ JWT string `mapstructure:"jwt"`
+ User string `mapstructure:"user"`
+ QueryString string `mapstructure:"querystring"`
+ Redirect string `mapstructure:"redirect"`
+ Success string `mapstructure:"success"`
+ IdpIDToken string `mapstructure:"idpIDToken"`
+ IdpAccessToken string `mapstructure:"idpAccessToken"`
 }
 DB struct {
 File string `mapstructure:"file"`
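Review bot: The two gated `w.Header().Add` calls for `IdpIDToken` and `IdpAccessToken` carry no comment saying that they copy the IdP's id_token and access_token out of the claims into the /validate response; the config example in this commit warns operators about that exposure but the code itself does not. Suggest `// IdP tokens are emitted only when a header name is configured; vouch does not use them itself` above the first `if`. Since `Add` appends rather than replaces, a configuration that names the same header for both keys, or for a header already set earlier in this handler, would send two values under one name; `Set` would make the emitted value deterministic. ValidateRequestHandler begins and ends outside the hunk.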
@@ -356,11 +356,11 @@ func setDefaults() {
 if !viper.IsSet(Branding.LCName + ".headers.jwt") {
 Cfg.Headers.JWT = "X-" + Branding.CcName + "-Token"
 }
- if !viper.IsSet(Branding.LCName + ".headers.idToken") {
- Cfg.Headers.IDToken = ""
+ if !viper.IsSet(Branding.LCName + ".headers.idpIDToken") {
+ Cfg.Headers.IdpAccessToken = ""
 }
- if !viper.IsSet(Branding.LCName + ".headers.accessToken") {
- Cfg.Headers.AccessToken = ""
+ if !viper.IsSet(Branding.LCName + ".headers.idpAccessToken") {
+ Cfg.Headers.IdpAccessToken = ""
 }
 if !viper.IsSet(Branding.LCName + ".headers.querystring") {
 Cfg.Headers.QueryString = "access_token"
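Review bot: The `idpIDToken` default block clears the wrong field: when `headers.idpIDToken` is absent the new code runs `Cfg.Headers.IdpAccessToken = ""`, while `Cfg.Headers.IdpIDToken` is never reset at all. If setDefaults runs after viper has unmarshalled into Cfg (not visible in this hunk), a deployment that configures only `idpAccessToken` silently loses that header — it fails closed, but not in the way the operator configured, and the mismatch will be hard to diagnose from the config alone. The fix is the one-line change `Cfg.Headers.IdpIDToken = ""` in the first block. setDefaults starts and continues outside the hunk.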