I am playing with VP for a couple days now (setup is openresty, checking /validate on my own) and I would like to verify some assumptions. I understand there's no IRC channel or similar to ask so I hope this is ok.
My setup is working fine with 1 provider (or multiple if I manually mod the nginx setup - so THANK YOU) and now I'm playing around to set up multiple providers. I'm working based on my assumptions :-)
In essence, I am trying to understand how VP works in a multi-provider setup. I couldn't find much info, apart from an issue response mentioning one should run multiple VP in different ports.
My current setup is a google config at port X and a github config at port Z (2 separate instances of VP). Each has their own hostname + SSL (like google.domain.com and github.domain.com) for each VP instance via nginx proxy. On my application hostname app.domain.com, I capture 401 on /validate manually and will redirect the user to a selection page (ToDo) that takes them to the provider of their choice. I'm manually checking /validate (I have one nginx running, so my application is on the same instance, on different server {} blocks for app stuff and for VP instances). I am not using nginx auth_request as I want more flexibility + combine it with my own sessioning if the user prefers local user/pass. Again, all works nicely and smooth so far :-)
Questions
1. Is the above a recommended setup? If not, can you provide basic guidelines on how to properly do multi-provider setup?
2. Is it safe to assume that /validate works no matter the provider setup? In other words, if on port 9090 I switch from one configuration to another, the "google VP" pre-existing tokens will be validated by "github VP" until expiry (both VP share same secret)? What I'm trying to do is run the /validate per token and not per provider -> this way I could even do load balancing on /validate if I need to or someone's trying to abuse my system.
2a) Is there a recommended setup specifically for the /validate? In my mind, it appears to be completely detached from the provider setup so perhaps a dummy provider setup could also be used just for /validate? Any thoughts? I'm not a Go guy and I haven't read the source (not a developer but a simple user)
3. I tried to use a single hostname but /auth is a soft redirect which complicates things (or I'm missing something). Am I correct to assume that, with the current codebase, I cannot do nginx rewrites on /google/auth -> proxy at 127.0.0.1:9090/auth because it will result in VP doing a redirect (from /auth?state=<xyz> to /auth/<xyz>), expecting the URL to actually be /auth?
I hope those questions are ok to ask here. If not, please direct me accordingly. I am asking for generic docs, so my nginx setup is not relevant to add.
> I understand there's no IRC channel or similar to ask
There is an IRC channel. As per the README we hang out in #vouch on freenode. Feel free to ask questions there, or here.
> can you provide basic guidelines on how to properly do multi-provider setup
VP is pretty small memory wise and generally efficient. Running multiple concurrent VP instances is the way to handle multi. VP does not support multiple providers.
> if I switch from one configuration to another, if both VP share same secret, will it pass /validate?
yes, even if they use different providers
> 2a) Is there a recommended setup specifically for the /validate? In my mind, it appears to be completely detached from the provider setup so perhaps a dummy provider setup could also be used just for /validate? Any thoughts? I'm not a Go guy and I haven't read the source (not a developer but a simple user)
The recommended setup is documented in the README. Perhaps you could expand and clarify your question a bit.
> I tried to use a single hostname but /auth is a soft redirect
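The point confirmed in the thread, that a token issued by one instance passes /validate on another as long as both share the same secret, shown as an added example (not Vouch Proxy's own code and not part of the original thread). It assumes a simplified HS256 JWT model; `Instance`, `Issue`, `Validate` and the `provider` claim are hypothetical names, and the secret is a constructed sample value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Instance is a hypothetical stand-in for one proxy process: its provider and JWT secret.
type Instance struct{ Provider, Secret string }

var b64 = base64.RawURLEncoding

func (i Instance) sign(msg string) string {
	h := hmac.New(sha256.New, []byte(i.Secret))
	h.Write([]byte(msg))
	return b64.EncodeToString(h.Sum(nil))
}

// Issue mints an HS256 token, as after a login through this instance's provider.
func (i Instance) Issue(user string, exp time.Time) string {
	claims, _ := json.Marshal(map[string]interface{}{"username": user, "provider": i.Provider, "exp": exp.Unix()})
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	return msg + "." + i.sign(msg)
}

// Validate checks signature and expiry only; the validating instance's provider plays no part.
func (i Instance) Validate(tok string, now time.Time) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(i.sign(p[0]+"."+p[1]))) {
		return fmt.Errorf("bad signature")
	}
	var c struct{ Exp int64 `json:"exp"` }
	raw, err := b64.DecodeString(p[1])
	if err != nil || json.Unmarshal(raw, &c) != nil || now.Unix() >= c.Exp {
		return fmt.Errorf("expired or unreadable claims")
	}
	return nil
}

func main() {
	s, now := "constructed-shared-secret", time.Now()
	tok := Instance{"google", s}.Issue("alice@example.com", now.Add(time.Hour))
	fmt.Println("github instance accepts it:", Instance{"github", s}.Validate(tok, now) == nil)
}
```

In this model acceptance depends only on the secret and the expiry, so every instance holding the secret is equally trusted, and an instance configured with a different secret rejects tokens issued by the others.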