e265ca4d79
* Add support for OAuth2 scope parameter * Add description for OAuth2 scope parameter * Update docs with OAuth2 scope parameter * Make request params None if no scope
34 lines
1.3 KiB
ReStructuredText
34 lines
1.3 KiB
ReStructuredText
==============
|
|
Access Control
|
|
==============
|
|
|
|
Kube Ops View supports protecting the UI via the OAuth Authorization Code Grant flow.
|
|
|
|
Relevant configuration settings (environment variables) for OAuth are:
|
|
|
|
``APP_URL``
|
|
The app's own URL, e.g. https://kube-ops-view.example.org. This is used to construct the OAuth 2 redirect URI (callback URL).
|
|
``AUTHORIZE_URL``
|
|
OAuth 2 authorization endpoint URL, e.g. https://oauth2.example.org/authorize
|
|
``ACCESS_TOKEN_URL``
|
|
Token endpoint URL for the OAuth 2 Authorization Code Grant flow, e.g. https://oauth2.example.org/token
|
|
``SCOPE``
|
|
OAuth 2 scopes provide a way to limit the amount of access that is granted to an access token, e.g. https://oauth2.example.org/authorize/readonly
|
|
``CREDENTIALS_DIR``
|
|
Folder path to load client credentials from. The folder needs to contain two files: ``authcode-client-id`` and ``authcode-client-secret``.
|
|
|
|
|
|
TODO: how to configure
|
|
|
|
Screen Tokens
|
|
=============
|
|
|
|
Screen tokens allow non-human access to the UI to support permanent dashboards on TV screens.
|
|
|
|
On your local machine: authenticate via OAuth redirect flow and go to /screen-tokens to create a new token.
|
|
Write down the screen token on a piece of paper.
|
|
|
|
Go to the TV screen and enter /screen/$TOKEN in the location bar.
|
|
|
|
TODO: how do screen tokens work?
|