Allow setting allowAllUsers: true without forcing cookie domain #474

Open
SimonLemaireT2 opened this issue May 11, 2022 · 1 comment
Comments

@SimonLemaireT2
SimonLemaireT2 commented May 11, 2022

Describe the problem
We (Take Two) have hundreds of domains users authenticate to Okta with. Including all of these under Domains makes the cookie far too large, so right now we're forced to only allow a subset of users to authenticate with Vouch. Since we're only protecting an app that utilizes three domains, we really need to be able to set allowAllUsers: true while still having the cookie domain set via the callback url. A way to set multiple possible values for vouch.cookie.domain could also be a solution.

Expected behavior
Set allowAllUsers: true and provide a list of possible domains to vouch.cookie.domain instead of a single domain.

Additional context
We might be the largest org to utilize Vouch so far so we'd really like to see Vouch capable of operating at this scale. I'm sure this issue might come up for other larger orgs as well. Let me know your thoughts.

I understand running a separate vouch instance for each domain in the app would also be a solution. We'd like to avoid doing that if possible as it would create a lot of overhead when adding new domains to the app in question.

@bnfinet
Member

bnfinet commented May 18, 2022

@SimonLemaireT2 yes this is definitely a limitation of the configuration system and VP

When multiple vouch.domains are set there's a lookup that occurs on the oauth.callback_urls list to correlate the correct callback to the requested domain (as represented in the request Host header). This ensures that the cookie is being set into the proper domain.

There's no such lookup and matching for vouch.cookie.domain. It's used as a kind of override to force a cookie domain.

In my ideal world I'd prefer to get rid of vouch.cookie.domain and just use vouch.domains and oauth.callback_urls. If vouch.allowAllUsers: true is set it would just allow any authenticated user to be issued a VP token (cookie).

There were some problems early on with how allowAllUsers and vouch.domains were interacting that were fixed easily by setting vouch.cookie.domain. My sense is that it kind of just became canon and then got coded in with a check during startup and configuration.
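The Host-to-callback lookup bnfinet describes, as an added Go example that is not vouch-proxy's own code: it matches the request Host against vouch.domains (longest match wins), picks the oauth.callback_urls entry under that domain, and shows how a vouch.cookie.domain override collapses every request onto one domain. The Config field names and the dot-prefixed suffix rule are assumptions, not the project's implementation.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Config holds the three settings the issue discusses (field names are assumed).
type Config struct {
	Domains      []string // vouch.domains
	CallbackURLs []string // oauth.callback_urls
	CookieDomain string   // vouch.cookie.domain override; "" means unset
}

// matchDomain returns the longest configured domain that host equals or is a
// subdomain of. The "."+d check stops "evil-example.com" matching "example.com".
func matchDomain(host string, domains []string) (string, bool) {
	host = strings.ToLower(strings.Split(host, ":")[0]) // drop port, normalise case
	best := ""
	for _, d := range domains {
		d = strings.ToLower(d)
		if (host == d || strings.HasSuffix(host, "."+d)) && len(d) > len(best) {
			best = d
		}
	}
	return best, best != ""
}

// ResolveCookieDomain picks the cookie domain and callback URL for a request Host.
// With CookieDomain set, every request is forced onto that one domain (the limitation in the issue).
func ResolveCookieDomain(host string, cfg Config) (string, string, error) {
	dom, ok := matchDomain(host, cfg.Domains)
	if !ok {
		return "", "", fmt.Errorf("host %q matches none of vouch.domains", host)
	}
	for _, cb := range cfg.CallbackURLs {
		u, err := url.Parse(cb)
		if err != nil {
			continue
		}
		if _, ok := matchDomain(u.Hostname(), []string{dom}); ok {
			if cfg.CookieDomain != "" {
				return cfg.CookieDomain, cb, nil
			}
			return dom, cb, nil
		}
	}
	return "", "", fmt.Errorf("no oauth.callback_urls entry under %q", dom)
}
```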
