Documentation
¶
Overview ¶
OIDC authentication for the Epoch web UI and control plane API.
Protected: / (UI), /api/* (control plane) Unprotected: /v2/* (OCI registry — machine clients), /healthz
Flow:
- Browser hits protected route → no session cookie → redirect /login
- /login → redirect to the configured authorize endpoint
- /login/callback → exchange code for token → set session cookie
- /logout → clear cookie → redirect to provider logout when configured
Config via environment variables:
SSO_PROVIDER=google|oidc For generic OIDC: SSO_CLIENT_ID, SSO_CLIENT_SECRET, SSO_REDIRECT_URI SSO_AUTHORIZE_URL, SSO_TOKEN_URL, SSO_USERINFO_URL, SSO_LOGOUT_URL For Google: GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET, GOOGLE_OAUTH_REDIRECT_URI GOOGLE_OAUTH_HOSTED_DOMAIN (optional) SSO_COOKIE_SECRET (32-byte hex key for HMAC signing; auto-generated if empty)
Package server implements the Epoch HTTP server.
It serves two APIs:
- /v2/ — OCI Distribution-shaped push/pull protocol (manifests + blob streaming via object storage)
- /api/ — Control plane API backed by MySQL
Static frontend files are embedded and served at /.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type SSOConfig ¶
type SSOConfig struct {
Provider string
ClientID string
ClientSecret string
RedirectURI string
AuthorizeURL string
TokenURL string
UserInfoURL string
LogoutURL string
Scopes string
HostedDomain string
CookieSecret []byte
}
SSOConfig holds optional UI auth settings loaded from the environment.
func LoadSSOConfig ¶
func LoadSSOConfig() *SSOConfig
LoadSSOConfig reads optional UI auth configuration from the environment.
Source Files
Click to show internal directories.
Click to hide internal directories.