https://gitlab.com/openconnect/ocserv/-/merge_requests/128

I believe this feature is now at the point where it makes sense to start the 
process of reviewing this merge request. The change includes the new bearer 
auth module as well as a set of tests to verify correct handling of tokens.

Note:
This change is off by default; until 'configure --enable-bearer-auth' is used, this 
should be entirely a no-op.

Goals for this change at a high level:
Permit AuthN/AuthZ decisions to be made based on the claims presented by a 
client during connection establishment. Claims are embedded in a signed 
OpenID Connect token and sent as Bearer tokens in HTTP headers. Administrators 
can configure which claims are accepted to control the AuthZ behavior.

This change was tested using Azure's OpenID Connect provider, but should 
function with Google and other OIDC providers that correctly follow the spec.

To configure bearer auth, add the following to the .config file:
auth = "bearer[config=<path to config file>]"
The config file is JSON with the following format:
{
    "openid_configuration_url": "< uri of openid-configuration doc>",
    "user_name_claim": "preferred_username",
    "required_claims": {
        "aud": "SomeAudience",
        "iss": "SomeIssuer"
    }
}
Example openid-configuration doc URIs are:
https://accounts.google.com/.well-known/openid-configuration
https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

Required claims control which claims must be present in a token to permit 
access.

See your OpenID Connect provider for details on claims and on the OpenID Connect 
metadata document URL.

Future work:
TLS channel binding of the token.
Support for multi-value claims (i.e. group membership).


_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
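Added example (not ocserv code, written in Python rather than the project's C) of the check the config file above describes: verify the token's signature, reject expired tokens, require every entry of "required_claims" to match, and take the user name from "user_name_claim". It assumes a constructed HS256 key in place of the provider's published keys; the claim and expiry logic is what carries over to an OIDC provider.

```python
import base64, hashlib, hmac, json, time

# Bearer-auth config in the format from the merge request (constructed sample).
CONFIG = json.loads("""{
    "openid_configuration_url": "https://issuer.example/.well-known/openid-configuration",
    "user_name_claim": "preferred_username",
    "required_claims": {"aud": "SomeAudience", "iss": "SomeIssuer"}
}""")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes) -> str:
    # Stand-in for the provider's signed ID token: HS256 with a shared key (assumption),
    # where a real provider would use RS256 and publish its keys via the metadata doc.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def authorize(bearer: str, key: bytes, config: dict, now=None):
    """Return (ok, user_or_reason) for the value of an Authorization header."""
    now = time.time() if now is None else now
    scheme, _, token = bearer.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return False, "not a bearer JWT"
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"  # pin the algorithm; never trust the token's own
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"  # check the signature before reading any claim
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    for name, wanted in config["required_claims"].items():
        got = claims.get(name)
        # RFC 7519 lets 'aud' be a list of audiences; every other claim must match exactly
        if isinstance(got, list):
            if name != "aud" or wanted not in got:
                return False, f"claim {name!r} mismatch"
        elif got != wanted:
            return False, f"claim {name!r} mismatch"
    user = claims.get(config["user_name_claim"])
    if not isinstance(user, str) or not user:
        return False, "no user name claim"
    return True, user
```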
