Hello Diego, and thanks for the reply.

Leaving aside the discussion on mobile devices, and restricting the scenario 
for simplicity to a laptop of a guest who is connected to a wifi network and 
must authenticate on the Internet.

Our client asks that the guest who launches the browser (e.g. Chrome) from his 
laptop must come up with a captive portal where he is asked to enter his Google 
credentials to authenticate and register his laptop and then be able to surf 
the Internet.

Now let's see if I understand correctly:

The PacketFence machine implemented locally at the customer must be reached 
from the Internet using the URL https://your_portal_hostname/oauth2/callback, 
where your_portal_hostname is a DNS record that allows you to reach 
the PacketFence machine itself from the Internet.

So the customer must have a right internet domain?

Also I understand that it must also have a valid https certificate, is that so?

 

From: Diego Garcia del Rio via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Thursday, May 19, 2022 21:36
To: packetfence-users <packetfence-users@lists.sourceforge.net>
Cc: Diego Garcia del Rio <garc...@gmail.com>; supp...@inverse.ca
Subject: Re: [PacketFence-users] Google Oauth2 captive portal

 

If you're trying this from a mobile phone (captive portal browser) then yes, it 
will be blocked as Google is blocking all embedded browsers and any "not-full 
browsers". It means Google authentication can't really be used from mobile 
devices when accessed through the captive portal.

 

Also, your authorized redirect seems wrong. You need to provide a proper, REAL 
HTTPS (with valid certificate) url / server name. NOT 
"pf.packetfence.org/oauth2/callback"

 

You need a proper domain name / proper server name.

 

On Thu, May 19, 2022 at 10:40 AM leonardo.izzo--- via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hi, could you please answer? Thanks

 

 

 

From: leonardo.i...@itsinformatica.it
Sent: Sunday, May 15, 2022 15:39
To: 'packetfence-users@lists.sourceforge.net'; 'luza...@akamai.com'
Subject: Google Oauth2 captive portal

 

Hi, I configured pf for a captive portal with OAuth2 using Google.

I followed the instructions in the guide on what to do on 
http://code.google.com/apis/console:

1) I created a project

2) I went to "OAuth consent screen" and configured it \ I chose External and 
then Create \ I gave a name and email, then I went on without entering anything

3) I went to Credentials \ Create credentials \ I chose "OAuth client ID" \ and 
then as application type "Web Application" and I gave the name pf

4) I went under "Authorized redirect URI" \ Add URI \ and I entered the string 
https://pf.packetfence.org/oauth2/callback as in my PacketFence console in 
Configuration \ System Configuration \ General Configuration I have pf Domain = 
packetfence.org and Hostname = pf

5) I have saved the "client ID" and the "client secret"

6) I went to the OAuth consent screen \ modify App \ authorized domains and 
entered:

google.com, google.it, etc.

7) I went to OAuth Consent Screen \ Publish App

 

I then created a Google-type external authentication source by entering the 
data created in the previous point.

I then created a connection profile containing this source.

 

When I try to connect from a device, I get the following error:

 

Authorization error

Error 400: invalid_request

You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 
policy for keeping apps secure.

 

You can let the app developer know that this app doesn't comply with one or 
more Google validation rules.

Find out more

Request details

The content in this section was provided by the app developer and has not been 
reviewed or verified by Google.

If you developed the app, make sure these request details comply with Google's 
policies.

redirect_uri: https://<hostname>/oauth2/callback

 

Thanks

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
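
A preflight check for the requirement raised in this thread (a real HTTPS redirect URL with a valid certificate on a proper server name), added here as an example and not code from PacketFence or from any poster. The function names and sample hostnames are assumptions; `live_problem` needs network access and is meant to be run from a machine outside the guest network.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

CALLBACK_PATH = "/oauth2/callback"  # callback path quoted in the thread


def static_problems(redirect_uri):
    """Problems visible in the URI itself, found without any network access."""
    problems = []
    parts = urlsplit(redirect_uri)
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.path != CALLBACK_PATH:
        problems.append("path is not " + CALLBACK_PATH)
    try:
        ipaddress.ip_address(host)
        problems.append("host is an IP literal, not a DNS name")
    except ValueError:
        # Not an IP address: require at least one dot, i.e. a qualified name.
        if "." not in host.strip("."):
            problems.append("host is not a fully qualified domain name")
    return problems


def live_problem(redirect_uri, timeout=5.0):
    """Return None if the host resolves, accepts a TLS connection and presents
    a certificate that the system trust store accepts for that hostname."""
    parts = urlsplit(redirect_uri)
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((parts.hostname, parts.port or 443),
                                      timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=parts.hostname):
                return None
    except ssl.SSLCertVerificationError as exc:
        return "certificate rejected: " + exc.verify_message
    except OSError as exc:  # DNS failure, refused connection, timeout
        return "cannot connect: " + str(exc)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for uri in ("https://portal.example.com/oauth2/callback",
                "http://portal.example.com/oauth2/callback",
                "https://pf/oauth2/callback"):
        print(uri, static_problems(uri) or "no static problems")
```

A URI can pass `static_problems` and still be unusable: only `live_problem`, run from the Internet side, shows whether the name resolves to a server that answers with a trusted certificate.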
