-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add alternative ways to generate cookie secrets to docs #1108
Conversation
docs/docs/configuration/overview.md
Outdated
{label: 'OpenSSL', value: 'openssl'}, | ||
]}> | ||
<TabItem value="python"><code>python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'</code></TabItem> | ||
<TabItem value="bash"><code>cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 | base64</code></TabItem> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do these two options result in the urlsafe variant of Base64 that our secret processor expects?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question, will need to take a look 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have verified that all of the examples given generated valid secrets
docs/docs/configuration/overview.md
Outdated
{label: 'Bash', value: 'bash'}, | ||
{label: 'OpenSSL', value: 'openssl'}, | ||
]}> | ||
<TabItem value="python"><code>python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'</code></TabItem> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! Good call bumping this to 32 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A hack I've also done in the past for Terraform is this:
# Valid 32 Byte Base64 URL encoding set that will decode to 24 []byte AES-192 secret
resource "random_password" "cookie_secret" {
length = 32
override_special = "-_"
}
32 characters that look like Base64 will opportunistically decode to 24 bytes, without having to worry about padding on the end.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ooh a terraform example would be cool, I'll add that
Unfortunately, I think this is likely the Windows users (Mac & Linux come with python) -- and they probably won't have |
I'll try and come up with a powershell variant as well |
A potential PowerShell solution may be to use the # Add System.Web assembly to session, just in case
Add-Type -AssemblyName System.Web
# Generate password (length, minimum number of special characters)
[System.Web.Security.Membership]::GeneratePassword(32,4)
# Full example of websafe Base64 encoded result, creates 32 character string
[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([System.Web.Security.Membership]::GeneratePassword(24,4))).Replace("+","-").Replace("/","_") This would probably be a fairly universal Windows solution... it'd be rare to find a Windows install without any .NET Framework already installed, I think? (Multiple edits because I'm obsessive, adds detail and fully fleshed example of generating compliant cookie secret string) |
FYI: bash is usually available on Windows developers machines, as it comes with git for windows ( https://superuser.com/questions/1053633/what-is-git-bash-for-windows-anyway) |
I've tested out all of the examples now, and updated to use proper code blocks for the multiline examples I think this is ready to go |
<TabItem value="bash"> | ||
|
||
```shell | ||
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 | base64 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From my ARM Mac (not sure if different from older Darwin/x86_64 Macs), this one didn't work:
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 | base64
tr: Illegal byte sequence
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting, not sure why it would do that. I'll see if I can reproduce on my Pi, it's about the only arm I have access to
@qkflies , thanks for PowerShell example. I suggest to comment out [System.Web.Security.Membership]::GeneratePassword(32,4) line. |
The powershell version included for the docs only generates one example so I think we are good once this merges I need to verify why Nick was having issues on his Arm system with one of the scripts and give this a rebase, otherwise I don't think there's anything else we need to do here 🤔 |
Rebased to fix changelog entry, no other changes |
@JoelSpeed , Doc for v7.0 has multiple languages https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/versioned_docs/version-7.0.x/configuration/overview.md |
No I don't think that was intentional, we should fix that |
Description
Add bash and openssl alternatives to python to allow users to generate cookie secrets if they do not have python available.
I don't have a windows machine handy right now (or much knowledge of powershell) but would be good to add a powershell example too.
If we are happy with the content, I will copy this to the other docs versions too
Motivation and Context
Not everyone will have Python, we can try and help them out with some alternative examples.
How Has This Been Tested?
yarn start
in the docs folder to check it all compiles and renders correctlyChecklist: