chronograf/docs/auth.md

## Chronograf with OAuth 2.0 (Github-style)

OAuth 2.0 Style Authentication


### Configuration

To use authentication in Chronograf, both Github OAuth and JWT signature need to be configured.

#### Configuring JWT signature

Set a [JWT](https://tools.ietf.org/html/rfc7519) signature to a random string. This is needed for all OAuth2 providers that you choose to configure. *Keep this random string around!*

You'll need it each time you start a chronograf server because it is used to verify user authorization. If you are running multiple chronograf servers in an HA configuration set the `TOKEN_SECRET` on each to allow users to stay logged in.

```sh
export TOKEN_SECRET=supersupersecret
```

# Github

#### Creating Github OAuth Application

To create a Github OAuth Application follow the [Register your app](https://developer.github.com/guides/basics-of-authentication/#registering-your-app) instructions.
Essentially, you'll register your application [here](https://github.com/settings/applications/new)

The `Homepage URL` should be Chronograf's full server name and port.  If you are running it locally for example, make it `http://localhost:8888`

The `Authorization callback URL` must be the location of the `Homepage URL` plus `/oauth/github/callback`.  For example, if `Homepage URL` was 
`http://localhost:8888` then the `Authorization callback URL` should be `http://localhost:8888/oauth/github/callback`.

Github will provide a `Client ID` and `Client Secret`.  To register these values with chronograf set the following environment variables:

* `GH_CLIENT_ID` 
* `GH_CLIENT_SECRET` 

For example:

```sh
export GH_CLIENT_ID=b339dd4fddd95abec9aa
export GH_CLIENT_SECRET=260041897d3252c146ece6b46ba39bc1e54416dc
```

#### Optional Github Organizations

To require an organization membership for a user, set the `GH_ORGS` environment variables
```sh
export GH_ORGS=biffs-gang
```

If the user is not a member, then the user will not be allowed access.

To support multiple organizations use a comma delimted list like so:

```sh
export GH_ORGS=hill-valley-preservation-sociey,the-pinheads
```

# Google

#### Creating Google OAuth Application

You will need to obtain a client ID and an application secret by following the steps under "Basic Steps" [here](https://developers.google.com/identity/protocols/OAuth2). Chronograf will also need to be publicly accessible via a fully qualified domain name so that Google properly redirects users back to the application.

This information should be set in the following ENVs:

* `GOOGLE_CLIENT_ID`
* `GOOGLE_CLIENT_SECRET`
* `PUBLIC_URL`

Alternatively, this can also be set using the command line switches:

* `--google-client-id`
* `--google-client-secret`
* `--public-url`

#### Optional Google Domains

Similar to Github's organization restriction, Google authentication can be restricted to permit access to Chronograf from only specific domains. These are configured using the `GOOGLE_DOMAINS` ENV or the `--google-domains` switch. Multiple domains are separated with a comma. For example, if we wanted to permit access only from biffspleasurepalace.com and savetheclocktower.com the ENV would be set as follows:

```sh
export GOOGLE_DOMAINS=biffspleasurepalance.com,savetheclocktower.com
```

# Heroku

#### Creating Heroku Application

To obtain a client ID and application secret for Heroku, you will need to follow the guide posted [here](https://devcenter.heroku.com/articles/oauth#register-client). Once your application has been created, those two values should be inserted into the following ENVs:

* `HEROKU_CLIENT_ID`
* `HEROKU_SECRET`

The equivalent command line switches are:

* `--heroku-client-id`
* `--heroku-secret`

#### Optional Heroku Organizations

Like the other OAuth2 providers, access to Chronograf via Heroku can be restricted to members of specific Heroku organizations. This is controlled using the `HEROKU_ORGS` ENV or the `--heroku-organizations` switch and is comma-separated. If we wanted to permit access from the `hill-valley-preservation-society` orgization and `the-pinheads` organization, we would use the following ENV:

```sh
export HEROKU_ORGS=hill-valley-preservation-sociey,the-pinheads
```
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00			`## Chronograf with OAuth 2.0 (Github-style)`
Initial commit of auth.md 2016-10-11 20:57:56 +00:00
OAuth 2.0 based auth flow. Intended first provider is Github/InfluxCloud 2016-10-12 19:31:26 +00:00			`OAuth 2.0 Style Authentication`
Add sequence diagrams 2016-10-11 21:02:04 +00:00
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
			`### Configuration`

			`To use authentication in Chronograf, both Github OAuth and JWT signature need to be configured.`

Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			`#### Configuring JWT signature`

			`Set a [JWT](https://tools.ietf.org/html/rfc7519) signature to a random string. This is needed for all OAuth2 providers that you choose to configure. Keep this random string around!`

			You'll need it each time you start a chronograf server because it is used to verify user authorization. If you are running multiple chronograf servers in an HA configuration set the `TOKEN_SECRET` on each to allow users to stay logged in.

			```sh
			`export TOKEN_SECRET=supersupersecret`
			```

			`# Github`

Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00			`#### Creating Github OAuth Application`

			`To create a Github OAuth Application follow the [Register your app](https://developer.github.com/guides/basics-of-authentication/#registering-your-app) instructions.`
			`Essentially, you'll register your application [here](https://github.com/settings/applications/new)`

			The `Homepage URL` should be Chronograf's full server name and port. If you are running it locally for example, make it `http://localhost:8888`

Fix auth.md to be more clear. 2016-10-22 00:17:39 +00:00			The `Authorization callback URL` must be the location of the `Homepage URL` plus `/oauth/github/callback`. For example, if `Homepage URL` was
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00			`http://localhost:8888` then the `Authorization callback URL` should be `http://localhost:8888/oauth/github/callback`.

			Github will provide a `Client ID` and `Client Secret`. To register these values with chronograf set the following environment variables:

			* `GH_CLIENT_ID`
			* `GH_CLIENT_SECRET`

			`For example:`

			```sh
			`export GH_CLIENT_ID=b339dd4fddd95abec9aa`
			`export GH_CLIENT_SECRET=260041897d3252c146ece6b46ba39bc1e54416dc`
			```

Add Github organization restriction to authentication 2017-01-05 17:29:26 +00:00			`#### Optional Github Organizations`

			To require an organization membership for a user, set the `GH_ORGS` environment variables
			```sh
			`export GH_ORGS=biffs-gang`
			```

			`If the user is not a member, then the user will not be allowed access.`

			`To support multiple organizations use a comma delimted list like so:`

			```sh
			`export GH_ORGS=hill-valley-preservation-sociey,the-pinheads`
			```

Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			`# Google`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			`#### Creating Google OAuth Application`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			`You will need to obtain a client ID and an application secret by following the steps under "Basic Steps" [here](https://developers.google.com/identity/protocols/OAuth2). Chronograf will also need to be publicly accessible via a fully qualified domain name so that Google properly redirects users back to the application.`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			`This information should be set in the following ENVs:`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			* `GOOGLE_CLIENT_ID`
			* `GOOGLE_CLIENT_SECRET`
			* `PUBLIC_URL`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			`Alternatively, this can also be set using the command line switches:`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			* `--google-client-id`
			* `--google-client-secret`
			* `--public-url`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			`#### Optional Google Domains`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			Similar to Github's organization restriction, Google authentication can be restricted to permit access to Chronograf from only specific domains. These are configured using the `GOOGLE_DOMAINS` ENV or the `--google-domains` switch. Multiple domains are separated with a comma. For example, if we wanted to permit access only from biffspleasurepalace.com and savetheclocktower.com the ENV would be set as follows:
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			```sh
			`export GOOGLE_DOMAINS=biffspleasurepalance.com,savetheclocktower.com`
			```
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			`# Heroku`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			`#### Creating Heroku Application`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			`To obtain a client ID and application secret for Heroku, you will need to follow the guide posted [here](https://devcenter.heroku.com/articles/oauth#register-client). Once your application has been created, those two values should be inserted into the following ENVs:`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			* `HEROKU_CLIENT_ID`
			* `HEROKU_SECRET`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			`The equivalent command line switches are:`
Add documentation about authorization and authentication 2016-10-20 01:29:06 +00:00
Update/Cleanup OAuth2 documentation Information on setting up Heroku and Google authentication has been added. Also, the information about the design has been updated and moved to the oauth2 package docs along with updated diagrams to match with developer expectations about where design-related documentation should be found. 2017-02-21 16:04:01 +00:00			* `--heroku-client-id`
			* `--heroku-secret`
Add organization restriction on Heroku provider This allows operators to permit access to Chronograf only to users belonging to a set of specific Heroku organizations. This is controlled using the HEROKU_ORGS env or the --heroku-organizations switch. 2017-02-21 18:04:17 +00:00
			`#### Optional Heroku Organizations`

			Like the other OAuth2 providers, access to Chronograf via Heroku can be restricted to members of specific Heroku organizations. This is controlled using the `HEROKU_ORGS` ENV or the `--heroku-organizations` switch and is comma-separated. If we wanted to permit access from the `hill-valley-preservation-society` orgization and `the-pinheads` organization, we would use the following ENV:

			```sh
			`export HEROKU_ORGS=hill-valley-preservation-sociey,the-pinheads`
			```