This allows operators to permit access to Chronograf only to users belonging
to a set of specific Heroku organizations. This is controlled using the
HEROKU_ORGS env or the --heroku-organizations switch.
Information on setting up Heroku and Google authentication has been
added. Also, the information about the design has been updated and moved
to the oauth2 package docs along with updated diagrams to match with
developer expectations about where design-related documentation should
be found.
JWTMux was a disingenuous name because while JWTs are a very good choice
for a cookie encoding, they were not strictly required for use with this
mux. To better indicate the responsibilities of this mux, it's been
renamed "CookieMux," since its responsibilities end with persisting the
oauth2.Authenticator's encoded state in the browser. It is up to the
oauth2.Authenticator to choose the encoding.
This adds an Oauth2 Provider for authenticating users against Heroku's
API. In contrast to other Providers, a maintained client library for
interacting with the Heroku API was not available, so direct HTTP calls
are made instead. This follows with their documentation posted here:
https://devcenter.heroku.com/articles/oauth2-heroku-go
Created an oauth2 package which encapsulates all oauth2 providers,
utility functions, types, and interfaces. Previously some methods of the
Github provider were used as http.HandlerFuncs. These have now been
pulled into a concrete type called a JWTMux to implement other Oauth2
providers.
JWTMux has all of the functionality required to take a token from any
provider and store it as a JWT in a browser, and that is the extent of
its responsibilities. It implements the oauth2.Mux interface which would
potentially allow other strategies of oauth2 credential storage.
Chris Goller
Tim Raymond