Your Quickstart does not even work #65

Closed
gitricko opened this issue Jul 11, 2022 · 5 comments

@gitricko

Page: https://github.com/pomerium/documentation/blob/main/content/docs/install/quickstart.mdx

What's incorrect or missing

Follow it and use the simple GitHub IdP

What's the resolution?

Better documentation. The route does not make sense. Either that or we need instructions for the GitHub callback URL... where should it throw the UI to?

I think Authelia does a better job on configuration.

@alexfornuto
Contributor

Hi @gitricko. I'd like to help you out here, but we'd need more details on where you ran into problems. Please note that the specific instructions for each IdP Pomerium supports are listed under Identity Providers. If you're using GitHub, see https://www.pomerium.com/docs/identity-providers/github

@gitricko
Author

gitricko commented Jul 11, 2022

Thanks, and yes, it turns out I missed our configuration in the GitHub IdP.

After the redirect came back to verify, I got this error.
[Screenshot]

Looking at this closely, I notice that my API at https://authenticate.pomerium.uncletechno.com/.well-known/pomerium/jwks.json
returns

{"keys":null}

Not sure what is wrong now...

I can comment more on how to improve the docs later

@gitricko
Author

Just made a little more progress... now I get this error after reading this:
https://www.pomerium.com/docs/topics/certificates (did not know I need to use the fullchain.cer/pem)
[Screenshot]

Still I get this error:

Identity verification failed
We tried to verify the incoming user, but failed with the following error: couldn't get json web key: empty JSON Web Key Set payload

@gitricko
Author

And finally found the reason why...

From this issue: pomerium/pomerium#2300
and this doc: https://www.pomerium.com/docs/reference/signing-key

The quickstart doc does not mention ANYTHING about signing_key and signing_key_algorithm

After putting in these 2 lines, it worked

signing_key: xxxx
signing_key_algorithm: ES256

The quickstart guide has lots of improvements needed.

  1. Why don't you assume and use one IdP as your example? I feel the GitHub IdP would be good because Pomerium is already on GitHub, and there is a very high percentage chance that most users looking at the code have GitHub users.
  2. Be more prescriptive in the tutorial... treat us, the users, as not knowing anything about SSL or even Docker... and be detailed, step by step... or just create a GitHub repo for people to pull the code and try.
  3. Network sequence diagram to show how it works.
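
The symptom reported above (a JWKS endpoint returning {"keys":null}, followed by "empty JSON Web Key Set payload") can be detected by inspecting the JWKS body before any login is attempted. The check below is an added example, not part of the original comments and not Pomerium code; the name check_jwks and the sample key are constructed for illustration.

```python
import json

# Public members each key type must carry, and private-key members (RFC 7518).
REQUIRED = {"EC": {"crv", "x", "y"}, "RSA": {"n", "e"}}
PRIVATE = {"d", "p", "q", "dp", "dq", "qi"}

def check_jwks(payload, expected_alg=None):
    """Return a list of problems in a JWKS document; an empty list means usable."""
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict) or "keys" not in doc:
        return ["missing top-level 'keys' member"]
    keys = doc["keys"]
    if keys is None or keys == []:
        # The state reported in the thread: nothing to verify signatures against.
        return ["empty key set: no signing key is published"]
    if not isinstance(keys, list):
        return ["'keys' is not an array"]
    problems = []
    for i, key in enumerate(keys):
        if not isinstance(key, dict):
            problems.append(f"keys[{i}]: not a JSON object")
            continue
        kty = key.get("kty")
        if not isinstance(kty, str) or kty not in REQUIRED:
            problems.append(f"keys[{i}]: unsupported or missing kty {kty!r}")
            continue
        present = set(key)
        missing = sorted(REQUIRED[kty] - present)
        if missing:
            problems.append(f"keys[{i}]: missing {', '.join(missing)}")
        if PRIVATE & present:
            problems.append(f"keys[{i}]: private key material in a public endpoint")
        alg = key.get("alg")  # optional member, so only compare when present
        if expected_alg and alg is not None and alg != expected_alg:
            problems.append(f"keys[{i}]: alg {alg!r}, expected {expected_alg!r}")
    return problems

# Constructed samples: the body quoted in the thread, and a made-up EC key (placeholder x/y).
EMPTY = '{"keys":null}'
SAMPLE_OK = json.dumps({"keys": [{"kty": "EC", "crv": "P-256", "alg": "ES256",
                                  "use": "sig", "kid": "example",
                                  "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y"}]})

if __name__ == "__main__":
    for name, body in (("empty", EMPTY), ("ok", SAMPLE_OK)):
        print(name, check_jwks(body, expected_alg="ES256") or "usable")
```

Run it against the body served at /.well-known/pomerium/jwks.json after changing the signing key settings; an empty result list means the endpoint publishes at least one well-formed public key.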

@alexfornuto
Contributor

Sorry for the delayed response.

Regarding the numerical "improvements needed":

  1. GitHub would not be a good choice for a default IdP because we're targeting business, and GitHub is not a popular IdP for business use. The first line of the Prerequisites section says you already need a configured IdP and links to the list so you can choose the appropriate documentation.
  2. If you don't know anything about SSL, you're probably not in a great position to be using Pomerium. I've always strived to make any docs I write be as user-friendly as possible, but certain prerequisite knowledge has to be assumed at some point, as long as it is specified. And it is, in the third bullet under Prerequisites, which also links to our guide on TLS.
    Regarding Docker, if you're not comfortable with Docker you should use the Binary method to test the product. Or the Kubernetes method, if that's something you're already familiar with.
  3. You can find network diagrams here and here

As for signing_key and signing_key_algorithm, those should not be required with v17 or higher and without also using Pomerium Enterprise. We'll look into it further.
