Central authentication service
Status: Production
Tink's login-service
is a reverse proxy made to authenticate users within the organization
in a secure manner. To authenticate the use of an U2F security device is required.
When authenticated, the user is provided with a token valid for a configurable amount of time
granting the user access to the backend service for that duration.
Central token revocation and multiple security domains are supported.
Start by installing login-service
and nginx
. For login-service
to start you need to
fill in a number of files in /etc/login-service.yaml
. The configuration for nginx can
be found under etc/nginx/
.
In order to use Google OAuth to authenticate your Google Apps domain you will need to set up OAuth credentials. See https://developers.google.com/identity/protocols/OAuth2.
There are quite a few fields in the nginx configuration and in login-service.yaml
that you
need to set. When finished try to access "x.test.com". You should be asked to sign in
(if you're not already signed in) to your Google account and then to register a new U2F key.
When registered you will be asked to authenticate the access to the specific security domain.
You can then logout (login.test.com/logout) and then access "x.test.com" again to try the normal flow when the user is registered.