Add alternative ways to generate cookie secrets to docs

[JoelSpeed]

Description

Add bash and openssl alternatives to python to allow users to generate cookie secrets if they do not have python available.
I don't have a windows machine handy right now (or much knowledge of powershell) but would be good to add a powershell example too.

If we are happy with the content, I will copy this to the other docs versions too

Motivation and Context

Not everyone will have Python, we can try and help them out with some alternative examples.

How Has This Been Tested?

yarn start in the docs folder to check it all compiles and renders correctly

Checklist:

• My change requires a change to the documentation or CHANGELOG.
• I have updated the documentation/CHANGELOG accordingly.
• I have created a feature (non-master) branch for my PR.

[NickMeves]

Do these two options result in the urlsafe variant of Base64 that our secret processor expects?

[JoelSpeed]

Good question, will need to take a look 🤔

[JoelSpeed]

Have verified that all of the examples given generated valid secrets

[NickMeves]

Nice! Good call bumping this to 32 👍

[NickMeves]

A hack I've also done in the past for Terraform is this:

# Valid 32 Byte Base64 URL encoding set that will decode to 24 []byte AES-192 secret
resource "random_password" "cookie_secret" {
  length           = 32
  override_special = "-_"
}

32 characters that look like Base64 will opportunistically decode to 24 bytes, without having to worry about padding on the end.

[JoelSpeed]

Ooh a terraform example would be cool, I'll add that

[NickMeves]

Not everyone will have Python, we can try and help them out with some alternative examples.

Unfortunately, I think this is likely the Windows users (Mac & Linux come with python) -- and they probably won't have bash or openssl readily available either 😅

[JoelSpeed]

Unfortunately, I think this is likely the Windows users (Mac & Linux come with python) -- and they probably won't have bash or openssl readily available either sweat_smile

I'll try and come up with a powershell variant as well

[qkflies]

A potential PowerShell solution may be to use the System.Web.Security.Membership class of .NET (h/t woshub.com). This works with the standard user (no admin privileges). I tested successfully in version 5.1 of PowerShell, which I think is the version shipped standard in Windows 10 installs, but not in PowerShell Core versions (e.g. PowerShell 6.x or 7.x):

# Add System.Web assembly to session, just in case
Add-Type -AssemblyName System.Web
# Generate password (length, minimum number of special characters)
[System.Web.Security.Membership]::GeneratePassword(32,4)

# Full example of websafe Base64 encoded result, creates 32 character string
[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([System.Web.Security.Membership]::GeneratePassword(24,4))).Replace("+","-").Replace("/","_")

This would probably be a fairly universal Windows solution... it'd be rare to find a Windows install without any .NET Framework already installed, I think?

(Multiple edits because I'm obsessive, adds detail and fully fleshed example of generating compliant cookie secret string)

[MNF]

FYI: bash is usually available on Windows developers machines, as it comes with git for windows ( https://superuser.com/questions/1053633/what-is-git-bash-for-windows-anyway)

[JoelSpeed]

I've tested out all of the examples now, and updated to use proper code blocks for the multiline examples

I think this is ready to go

[NickMeves]

From my ARM Mac (not sure if different from older Darwin/x86_64 Macs), this one didn't work:

cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 | base64
tr: Illegal byte sequence

[JoelSpeed]

Interesting, not sure why it would do that. I'll see if I can reproduce on my Pi, it's about the only arm I have access to

[michael-freidgeim-webjet]

@qkflies , thanks for PowerShell example. I suggest to comment out [System.Web.Security.Membership]::GeneratePassword(32,4) line.
I've just copied your whole snippet and was confused why I got 2 strings, when I want to get only one.
The snippet can be saved as e.g. GenerateCookieSecret.ps1 somewhere in contrib folder.

[JoelSpeed]

The powershell version included for the docs only generates one example so I think we are good once this merges

I need to verify why Nick was having issues on his Arm system with one of the scripts and give this a rebase, otherwise I don't think there's anything else we need to do here 🤔

[JoelSpeed]

Rebased to fix changelog entry, no other changes

[michael-freidgeim-webjet]

@JoelSpeed , Doc for v7.0 has multiple languages https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/versioned_docs/version-7.0.x/configuration/overview.md
but 7.1 reverted to python only https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/versioned_docs/version-7.1.x/configuration/overview.md
Is it intentional?

[JoelSpeed]

No I don't think that was intentional, we should fix that