Hi Leonardo,

There is no need for the PF machine to be publicly reachable, but it should
have a proper DNS name / domain and valid certificates issued to that name
(or at least certificates that the client, the laptop PC, can trust).

If this is a use case with Google for Education domains, then you could use
LDAP authentication.

Now, if you don't care about the Google usernames (meaning any user with a
Google account, not just your school / company), then yes, the Google OAuth
path should work.

I was using it in several deployments but stopped (and switched to Secure
LDAP) because of the browser restrictions.

So yes, the certificate is mandatory. It needs to be trusted by the
browser, so given you're looking at using this with "guests", you would
have to buy a domain or at least a certificate for a host in a domain you
already own. In this case, the certificate would be for
"pf.mycompanyname.com" or something like that.

Cheers


On Fri, May 20, 2022 at 12:00 PM <leonardo.i...@itsinformatica.it> wrote:

> Hello Diego, and thanks for the reply.
>
> Leaving aside the discussion on mobile devices, let's restrict the
> scenario for simplicity to the laptop of a guest who is connected to a Wi-Fi
> network and must authenticate to get onto the Internet.
>
> Our client asks that when the guest launches the browser (e.g. Chrome) from
> his laptop, a captive portal must come up where he is asked to enter his
> Google credentials to authenticate and register his laptop, after which he
> can surf the Internet.
>
> Now let's see if I understand correctly:
>
> the PacketFence machine deployed locally at the customer must be
> reachable from the Internet using the URL
> https://your_portal_hostname/oauth2/callback, where your_portal_hostname is
> a DNS record that allows you to reach the PacketFence machine itself from
> the Internet.
>
> So the customer must have a proper Internet domain?
>
> I also understand that it must have a valid HTTPS certificate, is that
> so?
>
>
>
> *From:* Diego Garcia del Rio via PacketFence-users <
> packetfence-users@lists.sourceforge.net>
> *Sent:* Thursday, 19 May 2022 21:36
> *To:* packetfence-users <packetfence-users@lists.sourceforge.net>
> *Cc:* Diego Garcia del Rio <garc...@gmail.com>; supp...@inverse.ca
> *Subject:* Re: [PacketFence-users] Google Oauth2 captive portal
>
>
>
> If you're trying this from a mobile phone (captive portal browser) then
> yes, it will be blocked, as Google is blocking all embedded browsers and any
> "not-full browsers". It means Google authentication can't really be used
> from mobile devices when accessed through the captive portal.
>
>
>
> Also, your authorized redirect seems wrong. You need to provide a proper,
> REAL HTTPS (with valid certificate) URL / server name, NOT
> "pf.packetfence.org/oauth2/callback".
>
>
>
> You need a proper domain name / proper server name.
>
>
>
> On Thu, May 19, 2022 at 10:40 AM leonardo.izzo--- via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hi, could you please answer? Thanks
>
> *From:* leonardo.i...@itsinformatica.it <leonardo.i...@itsinformatica.it>
> *Sent:* Sunday, 15 May 2022 15:39
> *To:* 'packetfence-users@lists.sourceforge.net' <
> packetfence-users@lists.sourceforge.net>; 'luza...@akamai.com' <
> luza...@akamai.com>
> *Subject:* Google Oauth2 captive portal
>
>
>
> Hi, I configured PF for a captive portal with OAuth2 using Google.
>
> I followed the instructions in the guide on what to do on
> http://code.google.com/apis/console:
>
> 1) I created a project
>
> 2) I went to "OAuth consent screen" and configured it \ I chose External
> and then Create \ I gave a name and email, then went on without entering
> anything else
>
> 3) I went to Credentials \ Create credentials \ I chose "OAuth client ID"
> \ and then "Web Application" as the application type, and gave it the name
> pf
>
> 4) I went under "Authorized redirect URI" \ Add URI \ and entered the
> string https://pf.packetfence.org/oauth2/callback, since in my PacketFence
> console under Configuration \ System Configuration \ General Configuration
> I have Domain = packetfence.org and Hostname = pf
>
> 5) I saved the "client ID" and the "client secret"
>
> 6) I went to OAuth consent screen \ Edit App \ Authorized domains and
> entered:
>
> google.com, google.it, etc.
>
> 7) I went to OAuth Consent Screen \ Publish App
>
>
>
> I then created a Google-type external authentication source by entering
> the data created in the previous point.
>
> I then created a connection profile containing this source.
>
>
>
> When I try to connect from a device, I get the following error:
>
>
>
> Authorization error
>
> Error 400: invalid_request
>
> You can't sign in to this app because it doesn't comply with Google's
> OAuth 2.0 policy for keeping apps secure.
>
>
>
> You can let the app developer know that this app doesn't comply with one
> or more Google validation rules.
>
> Find out more
>
> Request details
>
> The content in this section was provided by the app developer and has not
> been reviewed or verified by Google.
>
> If you developed the app, make sure these request details comply with
> Google's policies.
>
> redirect_uri: https://<hostname>/oauth2/callback
>
>
>
> Thanks
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
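The whole thread turns on one point: the redirect_uri that PacketFence sends to Google has to match, character for character, one of the URIs registered in the Google console, and the hostname in it has to be a real DNS name for which the guest's browser will accept the portal's certificate. The Python below is an added example written for this page, not PacketFence or Google code; it runs the checks a practitioner would want to make offline before touching the console again. The callback path /oauth2/callback and the Hostname / Domain split come from the thread; the function names, the sample subjectAltName lists and the list of non-public top-level names are assumptions.

```python
"""Offline pre-flight checks for a Google OAuth2 captive portal on PacketFence.

Added example for this thread, not PacketFence or Google code.  Taken from the
thread: the callback path /oauth2/callback and PacketFence's Hostname/Domain
fields.  Assumed: every function name, the sample SAN lists and the TLD list.
"""
import ipaddress
from urllib.parse import urlencode, urlsplit

# Google's public OAuth2 authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
# Path PacketFence appends to the portal name (from the thread).
CALLBACK_PATH = "/oauth2/callback"
# Top-level names no public CA will issue a certificate for (assumed list).
NON_PUBLIC_TLDS = {"local", "localhost", "lan", "internal", "home",
                   "corp", "test", "example", "invalid"}


def portal_redirect_uri(hostname: str, domain: str) -> str:
    """Rebuild the redirect_uri PacketFence derives from General Configuration."""
    return f"https://{hostname}.{domain}{CALLBACK_PATH}"


def redirect_uri_problems(uri: str) -> list:
    """Reasons Google, or a guest's browser, would reject this redirect_uri."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    host = parts.hostname or ""
    if not host:
        problems.append("missing hostname")
    else:
        try:
            ipaddress.ip_address(host)
            problems.append("host is an IP address; a DNS name is required")
        except ValueError:
            labels = host.split(".")
            if len(labels) < 2:
                problems.append("host is not a fully qualified DNS name")
            elif labels[-1] in NON_PUBLIC_TLDS:
                problems.append(f".{labels[-1]} names cannot get a publicly trusted certificate")
    if parts.path != CALLBACK_PATH:
        problems.append(f"path must be exactly {CALLBACK_PATH} (a trailing slash counts)")
    if parts.query or parts.fragment:
        problems.append("redirect_uri must not carry a query string or fragment")
    return problems


def matches_registered(uri: str, registered) -> bool:
    """Google compares redirect_uri literally against the console entries:
    scheme, host, port, path and trailing slash all have to agree."""
    return uri in set(registered)


def build_authorization_url(client_id: str, redirect_uri: str, state: str,
                            scope: str = "openid email profile") -> str:
    """The URL the portal sends the guest to; redirect_uri travels URL-encoded."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": scope, "state": state}
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def cert_covers_hostname(san_dns_names, hostname: str) -> bool:
    """Would a certificate with these subjectAltName dNSName entries be accepted
    for hostname?  Browser rules: case-insensitive; a wildcard is only allowed
    as the whole leftmost label, matches exactly one label, and never covers
    the bare registrable domain."""
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[2:]
            if (suffix.count(".") >= 1 and len(host_labels) >= 3
                    and ".".join(host_labels[1:]) == suffix):
                return True
    return False


if __name__ == "__main__":
    # Values from the thread: Hostname = pf, Domain = packetfence.org.
    uri = portal_redirect_uri("pf", "packetfence.org")
    print(uri, redirect_uri_problems(uri) or "syntactically fine")
    # Constructed SAN list standing in for a self-signed default portal cert.
    print(cert_covers_hostname(["pf.example.lan"], "pf.packetfence.org"))
    # Constructed SAN list for the kind of cert Diego suggests buying.
    print(cert_covers_hostname(["*.mycompanyname.com"], "pf.mycompanyname.com"))
    print(build_authorization_url("CLIENT_ID",
                                  "https://pf.mycompanyname.com/oauth2/callback",
                                  "constructed-state"))
```

What these checks cannot tell you is whether you own the name. https://pf.packetfence.org/oauth2/callback passes every syntactic test here and still fails in practice, because no CA will issue that customer a certificate for packetfence.org and the guest's browser will not trust whatever the portal presents instead. That is the fix the thread converges on: pick a host under a domain the customer controls, put a certificate for exactly that name on the portal, set PacketFence's Hostname and Domain to produce it, and register exactly the same URI, with no trailing slash, in the Google console.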