Re: [PacketFence-users] OAuth2 Facebook/Google

[Diego Lopes da Cruz via PacketFence-users]

Fabrice,
Thanks, works..
I needed to add the passthrought lines in the file
/usr/local/pf/conf/pf.conf.defaults

Regards


2017-10-25 15:40 GMT-02:00 Fabrice Durand :

> You have to allow accounts.google.com in the passthrough too.
>
> Do a pfcmd configreload hard and a pfcmd service pfdns restart to force
> the update of the passthrough.
>
> Regards
>
> Fabrice
>
>
>
> Le 2017-10-25 à 13:34, Diego Lopes da Cruz a écrit :
>
> Sorry,
> I forgot the attachment...
>
>
>
> 2017-10-25 15:18 GMT-02:00 Diego Lopes da Cruz :
>
>> Fabrice,
>> *"you will need to remove facebook from the dns_filters.conf.default in
>> order to fix the fqdn graph.facebook.com ."*
>> *OK, works, thanks!*
>> *"Also the passthroughs for the OAuth sources are in the OAuth config
>> itself (pf side)*."
>> *OK, I found!*
>>
>> *I am having HSTS message from the browser when authenticating with
>> google (see attachment).*
>>
>> *Do I need to generate or install a certificate? *
>> *Can you solve this?*
>> *Thank you!*
>>
>>
>>
>> 2017-10-25 14:37 GMT-02:00 Fabrice Durand via PacketFence-users <
>> packetfence-users@lists.sourceforge.net>:
>>
>>> Hello Diego,
>>>
>>> you will need to remove facebook from the dns_filters.conf.default in
>>> order to fix the fqdn graph.facebook.com.
>>>
>>> Also the passthroughs for the OAuth sources are in the OAuth config
>>> itself (pf side).
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>>
>>> Le 2017-10-25 à 12:29, Diego Lopes da Cruz via PacketFence-users a
>>> écrit :
>>>
>>> Hi all,
>>> I'm testing the packetfence ZEN (Pecketfence-7.3.0-2 version) and I'm
>>> trying to use authentication via facebook or google. I have done the
>>> configuration of the API ID and secret of both, but when this in the
>>> authentication screen, the client can not reach the screen of facebook and
>>> google. On the client, the graph.facebook.com domain is being resolved
>>> to 127.0.0.1 and account.google.com for the packetfence LAN IP.
>>> I've been searching the forums and seen that I should put * .
>>> facebook.com and * .google.com domains in "accepted or freed domains"
>>> configuration.
>>> Where is this setting?
>>>
>>> thanks
>>> --
>>> Diego
>>>
>>>
>>> --
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>
>>>
>>>
>>> ___
>>> PacketFence-users mailing 
>>> listPacketFence-users@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>> --
>>> Fabrice durandfdur...@inverse.ca ::  +1.514.447.4918 <+1%20514-447-4918> 
>>> (x135) ::  www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>>> (http://packetfence.org)
>>>
>>>
>>> 
>>> --
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> ___
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>
>>
>> --
>> Diego
>>
>
>
>
> --
> Diego Lopes da Cruz
> 48-9 9609-9931 (TIM) Whatsapp
> 48-9 8489-1060 (OI)
>
>
> --
> Fabrice durandfdur...@inverse.ca ::  +1.514.447.4918 <+1%20514-447-4918> 
> (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>
>


-- 
Diego Lopes da Cruz
48-9 9609-9931 (TIM) Whatsapp
48-9 8489-1060 (OI)
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] OAuth2 Facebook/Google

[Diego Lopes da Cruz via PacketFence-users]

Sorry,
I forgot the attachment...



2017-10-25 15:18 GMT-02:00 Diego Lopes da Cruz :

> Fabrice,
> *"you will need to remove facebook from the dns_filters.conf.default in
> order to fix the fqdn graph.facebook.com ."*
> *OK, works, thanks!*
> *"Also the passthroughs for the OAuth sources are in the OAuth config
> itself (pf side)*."
> *OK, I found!*
>
> *I am having HSTS message from the browser when authenticating with google
> (see attachment).*
>
> *Do I need to generate or install a certificate?*
> *Can you solve this?*
> *Thank you!*
>
>
>
> 2017-10-25 14:37 GMT-02:00 Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net>:
>
>> Hello Diego,
>>
>> you will need to remove facebook from the dns_filters.conf.default in
>> order to fix the fqdn graph.facebook.com.
>>
>> Also the passthroughs for the OAuth sources are in the OAuth config
>> itself (pf side).
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>> Le 2017-10-25 à 12:29, Diego Lopes da Cruz via PacketFence-users a écrit :
>>
>> Hi all,
>> I'm testing the packetfence ZEN (Pecketfence-7.3.0-2 version) and I'm
>> trying to use authentication via facebook or google. I have done the
>> configuration of the API ID and secret of both, but when this in the
>> authentication screen, the client can not reach the screen of facebook and
>> google. On the client, the graph.facebook.com domain is being resolved
>> to 127.0.0.1 and account.google.com for the packetfence LAN IP.
>> I've been searching the forums and seen that I should put * .facebook.com
>> and * .google.com domains in "accepted or freed domains" configuration.
>> Where is this setting?
>>
>> thanks
>> --
>> Diego
>>
>>
>> --
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>
>>
>>
>> ___
>> PacketFence-users mailing 
>> listPacketFence-users@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>> --
>> Fabrice durandfdur...@inverse.ca ::  +1.514.447.4918 <+1%20514-447-4918> 
>> (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>> (http://packetfence.org)
>>
>>
>> 
>> --
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>
>
> --
> Diego
>



-- 
Diego Lopes da Cruz
48-9 9609-9931 (TIM) Whatsapp
48-9 8489-1060 (OI)
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] OAuth2 Facebook/Google

[Fabrice Durand via PacketFence-users]

You have to allow accounts.google.com in the passthrough too.

Do a pfcmd configreload hard and a pfcmd service pfdns restart to force
the update of the passthrough.

Regards

Fabrice



Le 2017-10-25 à 13:34, Diego Lopes da Cruz a écrit :
> Sorry,
> I forgot the attachment...
>
>
>
> 2017-10-25 15:18 GMT-02:00 Diego Lopes da Cruz  >:
>
> Fabrice,
> /"you will need to remove facebook from the
> dns_filters.conf.default in order to fix the
> fqdn graph.facebook.com ."/
> *OK, works, thanks!*
> /"Also the passthroughs for the OAuth sources are in the OAuth
> config itself (pf side)/."*
> *
> *OK, I found!*
> *
> *
> *I am having HSTS message from the browser when authenticating
> with google (see attachment).*
> *Do I need to generate or install a certificate?
> *
> *Can you solve this?*
> *Thank you!*
> *
> *
> *
> *
>
> 2017-10-25 14:37 GMT-02:00 Fabrice Durand via PacketFence-users
>  >:
>
> Hello Diego,
>
> you will need to remove facebook from the
> dns_filters.conf.default in order to fix the fqdn
> graph.facebook.com .
>
> Also the passthroughs for the OAuth sources are in the OAuth
> config itself (pf side).
>
> Regards
>
> Fabrice
>
>
>
> Le 2017-10-25 à 12:29, Diego Lopes da Cruz via
> PacketFence-users a écrit :
>> Hi all,
>> I'm testing the packetfence ZEN (Pecketfence-7.3.0-2 version)
>> and I'm trying to use authentication via facebook or google.
>> I have done the configuration of the API ID and secret of
>> both, but when this in the authentication screen, the client
>> can not reach the screen of facebook and google. On the
>> client, the graph.facebook.com 
>> domain is being resolved to 127.0.0.1 and account.google.com
>>  for the packetfence LAN IP.
>> I've been searching the forums and seen that I should put *
>> .facebook.com  and * .google.com
>>  domains in "accepted or freed domains"
>> configuration.
>> Where is this setting?
>>
>> thanks
>> -- 
>> Diego 
>>
>>
>> 
>> --
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>
>>
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> 
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>> 
>
> -- 
> Fabrice Durand
> fdur...@inverse.ca  ::  +1.514.447.4918 
>  (x135) ::  www.inverse.ca 
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and 
> PacketFence (http://packetfence.org) 
>
>
> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> 
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> 
>
>
>
>
> -- 
> Diego
>
>
>
>
> -- 
> Diego Lopes da Cruz
> 48-9 9609-9931 (TIM) Whatsapp
> 48-9 8489-1060 (OI)

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] OAuth2 Facebook/Google

[Diego Lopes da Cruz via PacketFence-users]

Fabrice,
*"you will need to remove facebook from the dns_filters.conf.default in
order to fix the fqdn graph.facebook.com ."*
*OK, works, thanks!*
*"Also the passthroughs for the OAuth sources are in the OAuth config
itself (pf side)*."
*OK, I found!*

*I am having HSTS message from the browser when authenticating with google
(see attachment).*

*Do I need to generate or install a certificate?*
*Can you solve this?*
*Thank you!*



2017-10-25 14:37 GMT-02:00 Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net>:

> Hello Diego,
>
> you will need to remove facebook from the dns_filters.conf.default in
> order to fix the fqdn graph.facebook.com.
>
> Also the passthroughs for the OAuth sources are in the OAuth config itself
> (pf side).
>
> Regards
>
> Fabrice
>
>
>
> Le 2017-10-25 à 12:29, Diego Lopes da Cruz via PacketFence-users a écrit :
>
> Hi all,
> I'm testing the packetfence ZEN (Pecketfence-7.3.0-2 version) and I'm
> trying to use authentication via facebook or google. I have done the
> configuration of the API ID and secret of both, but when this in the
> authentication screen, the client can not reach the screen of facebook and
> google. On the client, the graph.facebook.com domain is being resolved to
> 127.0.0.1 and account.google.com for the packetfence LAN IP.
> I've been searching the forums and seen that I should put * .facebook.com
> and * .google.com domains in "accepted or freed domains" configuration.
> Where is this setting?
>
> thanks
> --
> Diego
>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
>
> ___
> PacketFence-users mailing 
> listPacketFence-users@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
> --
> Fabrice durandfdur...@inverse.ca ::  +1.514.447.4918 <+1%20514-447-4918> 
> (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>
>
> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>


-- 
Diego
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] OAuth2 Facebook/Google

[Fabrice Durand via PacketFence-users]

Hello Diego,

you will need to remove facebook from the dns_filters.conf.default in
order to fix the fqdn graph.facebook.com.

Also the passthroughs for the OAuth sources are in the OAuth config
itself (pf side).

Regards

Fabrice



Le 2017-10-25 à 12:29, Diego Lopes da Cruz via PacketFence-users a écrit :
> Hi all,
> I'm testing the packetfence ZEN (Pecketfence-7.3.0-2 version) and I'm
> trying to use authentication via facebook or google. I have done the
> configuration of the API ID and secret of both, but when this in the
> authentication screen, the client can not reach the screen of facebook
> and google. On the client, the graph.facebook.com
>  domain is being resolved to 127.0.0.1 and
> account.google.com  for the packetfence LAN
> IP.
> I've been searching the forums and seen that I should put *
> .facebook.com  and * .google.com
>  domains in "accepted or freed domains" configuration.
> Where is this setting?
>
> thanks
> -- 
> Diego 
>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] OAuth2 Facebook/Google

[Diego Lopes da Cruz via PacketFence-users]

Hi all,
I'm testing the packetfence ZEN (Pecketfence-7.3.0-2 version) and I'm
trying to use authentication via facebook or google. I have done the
configuration of the API ID and secret of both, but when this in the
authentication screen, the client can not reach the screen of facebook and
google. On the client, the graph.facebook.com domain is being resolved to
127.0.0.1 and account.google.com for the packetfence LAN IP.
I've been searching the forums and seen that I should put * .facebook.com
and * .google.com domains in "accepted or freed domains" configuration.
Where is this setting?

thanks
-- 
Diego
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] oauth2

[mj]

On 05/01/2017 09:30 PM, Antoine Amacher wrote:
> We could develop it if OpenID is something used a lot, and if there is a
> common interest into it.

So...list...

Anyone else here who would like to see a generic OpenID Connect auth 
source in packetfence?

I'd be wiling to sponsor with an inverse support point, if we could 
gather some more, perhaps that could help too.

Unless I am the only one here, liking OpenID Connect so much more than 
SAML2?

MJ

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] oauth2

[Antoine Amacher]

MJ,

For the source, I'll advise you to take the twitter one as an example 
which is simple. If you need help to develop it, you can contact us at 
supp...@inverse.ca.

We could develop it if OpenID is something used a lot, and if there is a 
common interest into it.

Thanks


On 05/01/2017 03:15 PM, lists wrote:
> Hi Antoine,
>
> Thanks for your reply, also on this OpenID Connect subject.
>
> There is a small wordpress addon that does exactly that:
> https://github.com/daggerhart/openid-connect-generic
>
> The only things you needed to configure it, are your own OpenID Connect
> server specifics, such as issuer, authorization_endpoint,
> token_endpoint, etc, etc.
>
> And those are usually in the docs of whatever product you like.
>
> Using that plugin, it was actually very easy to configure wordpress
> against the keycloak openid connect. (in fact: MUCH easier than SAML!)
>
> But I will try if I can concoct a keycloak-specific new source myself,
> as we have sponsored quite some projects lately, and our funding is not
> endless... ;-)
>
> MJ
>
> On 1-5-2017 20:26, Antoine Amacher wrote:
>> Hello MJ,
>>
>> We do not have a 'generic' OAuth2 source, as each OAuth2 has is own API,
>> parameters to authorize, get the token are different, sometimes it
>> require a scope, sometimes a token parameter, sometimes none.
>>
>> Create a new OAuth source is not too complicated if we have a test
>> account and adequate documentation, but will require a bit of code. I do
>> like the idea of generic, but I am not sure it will be that generic
>> because of arguments stated earlier.
>>
>> The best option here seems to develop a new source for Keycloak OpenID,
>> unless we rework the way how OAuth2 sources are coded.
>>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] oauth2

[Antoine Amacher]

Hello MJ,

We do not have a 'generic' OAuth2 source, as each OAuth2 has is own API, 
parameters to authorize, get the token are different, sometimes it 
require a scope, sometimes a token parameter, sometimes none.

Create a new OAuth source is not too complicated if we have a test 
account and adequate documentation, but will require a bit of code. I do 
like the idea of generic, but I am not sure it will be that generic 
because of arguments stated earlier.

The best option here seems to develop a new source for Keycloak OpenID, 
unless we rework the way how OAuth2 sources are coded.

Thanks

On 05/01/2017 02:14 PM, lists wrote:
> Hi,
>
> Last question for today! :-)
>
> We are running RedHat's Keycloak, a saml / openid connect / oauth2 IDP,
> and would like to use OpenID Connect to authenticate our users. We have
> noticed that packetfence has SAML auth support, true, but SAML is so
> much harder to setup than OpenID Connect.
>
> And since packetfence supports all kinds of OAuth2 clients... is there a
> way to configure a packetfence usersource aganist a generic OAuth2
> server, such as the RedHat Keycloak IDP?
>
> Best regards,
> MJ
>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] oauth2

[lists]

Hi,

Last question for today! :-)

We are running RedHat's Keycloak, a saml / openid connect / oauth2 IDP, 
and would like to use OpenID Connect to authenticate our users. We have 
noticed that packetfence has SAML auth support, true, but SAML is so 
much harder to setup than OpenID Connect.

And since packetfence supports all kinds of OAuth2 clients... is there a 
way to configure a packetfence usersource aganist a generic OAuth2 
server, such as the RedHat Keycloak IDP?

Best regards,
MJ


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users