sso: support multiple identity providers by jphines · Pull Request #212 · buzzfeed/sso

Problem

We've been walking down the path to support multiple identity providers in several previous iterations. The last remaining piece is how to support configuration for multiple, different identity providers. The existing configuration structure is inflexible and rigid when it comes to defining configuration, especially given our constraint to use environment variables.

We previously introduced viper to help solve some of these problems, but viper proved frustrating and not opinionated enough to operate within. We roll that solution back here and instead use https://micro.mu/docs/go-config.html.

Solution

We introduced a new configuration component based on https://micro.mu/docs/go-config.html to build this new, more complicated configuration mechanism. This is a ground-up rewrite of the configuration mechanism we use, found separately in configuration.go.

Notes

The environment variable layout now looks like this (the `*` in `PROVIDER_*_...` is the slot that names each configured provider, so several providers can be defined side by side):

# session
SESSION_COOKIE_NAME
SESSION_COOKIE_SECRET
SESSION_COOKIE_EXPIRE
SESSION_COOKIE_DOMAIN
SESSION_COOKIE_REFRESH
SESSION_COOKIE_SECURE
SESSION_COOKIE_HTTPONLY
SESSION_LIFETIME
SESSION_KEY

# client
CLIENT_PROXY_ID
CLIENT_PROXY_SECRET

# provider config (common to every provider)
PROVIDER_*_TYPE
PROVIDER_*_SLUG
PROVIDER_*_CLIENT_ID
PROVIDER_*_CLIENT_SECRET
PROVIDER_*_SCOPE

# google specific
PROVIDER_*_GOOGLE_CREDENTIALS
PROVIDER_*_GOOGLE_IMPERSONATE

# okta specific
PROVIDER_*_OKTA_URL
PROVIDER_*_OKTA_SERVER

# group refresh
PROVIDER_*_GROUPCACHE_INTERVAL_REFRESH
PROVIDER_*_GROUPCACHE_INTERVAL_PROVIDER

# server config
SERVER_SCHEME
SERVER_HOST
SERVER_PORT
SERVER_TIMEOUT_REQUEST
SERVER_TIMEOUT_WRITE
SERVER_TIMEOUT_READ

# authorize config
AUTHORIZE_PROXY_DOMAINS
AUTHORIZE_EMAIL_DOMAINS
AUTHORIZE_EMAIL_ADDRESSES

# metrics config
METRICS_STATSD_PORT
METRICS_STATSD_HOST

# logging config
LOGGING_ENABLE
LOGGING_LEVEL
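To make the `PROVIDER_*_...` layout concrete, here is an added example (written for this page, not code from the buzzfeed/sso project or its go-config-based component) that groups such environment variables by the `*` slot, validates each group at startup, and produces a log-safe summary that never includes `CLIENT_SECRET` or credential values. It assumes the provider name in the `*` slot contains no underscore, that `TYPE`, `SLUG`, `CLIENT_ID` and `CLIENT_SECRET` are required for every provider, that slugs must be unique, and that `GOOGLE_*`/`OKTA_*` keys only belong on a provider of that type; none of those rules are stated by the PR.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"sort"
	"strings"
)

// ProviderConfig is one PROVIDER_<NAME>_* group. The named fields mirror the
// common keys in the PR description; the struct itself is this example's
// assumption, not the sso project's own type.
type ProviderConfig struct {
	Name         string            // the "*" slot, e.g. "GOOGLE" or "OKTA"
	Type         string            // PROVIDER_*_TYPE (lower-cased)
	Slug         string            // PROVIDER_*_SLUG
	ClientID     string            // PROVIDER_*_CLIENT_ID
	ClientSecret string            // PROVIDER_*_CLIENT_SECRET
	Scope        string            // PROVIDER_*_SCOPE
	Extra        map[string]string // type-specific keys such as GOOGLE_CREDENTIALS
}

// ParseProviders groups PROVIDER_<NAME>_<KEY>=<VALUE> entries by NAME. env is
// in the "KEY=VALUE" form returned by os.Environ(). Assumption: NAME has no
// underscore, so the first underscore after PROVIDER_ terminates it.
func ParseProviders(env []string) (map[string]*ProviderConfig, error) {
	providers := map[string]*ProviderConfig{}
	for _, kv := range env {
		key, value, ok := strings.Cut(kv, "=")
		if !ok || !strings.HasPrefix(key, "PROVIDER_") {
			continue
		}
		name, field, ok := strings.Cut(strings.TrimPrefix(key, "PROVIDER_"), "_")
		if !ok || name == "" || field == "" {
			return nil, fmt.Errorf("malformed provider variable %q", key)
		}
		p := providers[name]
		if p == nil {
			p = &ProviderConfig{Name: name, Extra: map[string]string{}}
			providers[name] = p
		}
		switch field {
		case "TYPE":
			p.Type = strings.ToLower(value)
		case "SLUG":
			p.Slug = value
		case "CLIENT_ID":
			p.ClientID = value
		case "CLIENT_SECRET":
			p.ClientSecret = value
		case "SCOPE":
			p.Scope = value
		default:
			p.Extra[field] = value // e.g. GOOGLE_CREDENTIALS, OKTA_URL
		}
	}
	return providers, nil
}

// Validate runs the startup checks an operator wants before serving logins
// (which checks are mandatory is this example's assumption): required common
// keys, unique slugs, and no type-specific keys on a provider of another type.
func Validate(providers map[string]*ProviderConfig) error {
	var errs []error
	slugs := map[string]string{}
	for _, name := range sortedNames(providers) {
		p := providers[name]
		if p.Type == "" || p.Slug == "" || p.ClientID == "" || p.ClientSecret == "" {
			errs = append(errs, fmt.Errorf("provider %s: TYPE, SLUG, CLIENT_ID and CLIENT_SECRET are required", name))
		}
		if other, dup := slugs[p.Slug]; dup {
			errs = append(errs, fmt.Errorf("provider %s: slug %q already used by %s", name, p.Slug, other))
		} else if p.Slug != "" {
			slugs[p.Slug] = name
		}
		for k := range p.Extra {
			for _, t := range []string{"google", "okta"} {
				if strings.HasPrefix(k, strings.ToUpper(t)+"_") && p.Type != t {
					errs = append(errs, fmt.Errorf("provider %s: %s set but TYPE is %q", name, k, p.Type))
				}
			}
		}
	}
	return errors.Join(errs...)
}

// Summary returns one log line per provider without secret values: only the
// key names of type-specific settings are shown, never their contents.
func Summary(providers map[string]*ProviderConfig) []string {
	var out []string
	for _, name := range sortedNames(providers) {
		p := providers[name]
		keys := make([]string, 0, len(p.Extra))
		for k := range p.Extra {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		out = append(out, fmt.Sprintf("%s type=%s slug=%s client_id=%s extra=%v", name, p.Type, p.Slug, p.ClientID, keys))
	}
	return out
}

func sortedNames(m map[string]*ProviderConfig) []string {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

func main() {
	providers, err := ParseProviders(os.Environ())
	if err == nil {
		err = Validate(providers)
	}
	if err != nil {
		fmt.Println("config error:", err)
		os.Exit(1)
	}
	for _, line := range Summary(providers) {
		fmt.Println(line)
	}
}
```

Failing fast on a missing `CLIENT_SECRET` or a mis-typed `PROVIDER_OKTA_GOOGLE_*` key at startup is cheaper than discovering it on the first login, and keeping secret values out of the summary means the startup log can be shipped to a central logger without leaking provider credentials.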