[prev in list] [next in list] [prev in thread] [next in thread]
List: openvpn-devel
Subject: Re: [Openvpn-devel] [PATCH v3] Introduce webauth auth pending method and deprecate openurl
From: Selva Nair <selva.nair () gmail ! com>
Date: 2021-08-13 16:48:13
Message-ID: CAKuzo_jBQvOrZ66_tWBsJOzUCGO7RkP2Y2rmSDW1kdHR6dN-PA () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi,
On Fri, Aug 13, 2021 at 7:56 AM Arne Schwabe <arne@rfc2549.org> wrote:
> The experience with openurl/OPEN_URL has shown that just sending
> a URL to a client is not enough and we often need different
> behaviour of the client depending on circumstances. Replace
> OPEN_URL with a more flexible WEB_AUTH pending auth method.
>
> Patch v2: use WEB_AUTH instead WEBAUTH
> Patch v3: incooperate other comments from Selva
>
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
> ---
> doc/management-notes.txt | 45 +++++++++++++++++++++++++------------
> include/openvpn-plugin.h.in | 2 +-
> 2 files changed, 32 insertions(+), 15 deletions(-)
>
> diff --git a/doc/management-notes.txt b/doc/management-notes.txt
> index c20344298..1cafb8a8e 100644
> --- a/doc/management-notes.txt
> +++ b/doc/management-notes.txt
> @@ -645,11 +645,11 @@ Before issuing a client-pending-auth to a client
> instead of a
> client-auth/client-deny, the server should check the IV_SSO
> environment variable for whether the method is supported. Currently
> defined methods are crtext for challenge/response using text
> -(e.g., TOTP), openurl and proxy_url for opening a URL in the client to
> -continue authentication. A client supporting the first two methods would
> -set
> +(e.g., TOTP), openurl (deprecated) and webauth for opening a URL in
> +the client to continue authentication. A client supporting webauth and
> +crtext would set
>
> - setenv IV_SSO openurl,crtext
> + setenv IV_SSO webauth,crtext
>
> The variable name IV_SSO is historic as AUTH_PENDING was first used
> to signal single sign on support. To keep compatibility with existing
> @@ -668,33 +668,50 @@ notification as
> where {EXTRA} is formatted as received from the server.
> Currently defined formats for {EXTRA} are detailed below.
>
> -openurl
> -========
> +webauth and openurl
> +===================
> For a web based extra authentication (like for
> SSO/SAML) {EXTRA} should be
>
> OPEN_URL:url
>
> -and client should ask the user to open the URL to continue.
> +or
> +
> + WEB_AUTH:flags:url
> +
> +The OPEN_URL method is deprecated as it does not allow to send flags which
> +proved to be needed to signal certain behaviour to the client.
> +
> +The client should ask the user to open the URL to continue.
>
> The space in a control message is limited, so this url should be kept
> short to avoid issues. If a longer url is required a URL that redirects
> -to the longer URL should be sent instead.
> +to the longer URL should be sent instead. The total length is limited to
> 1024
> +bytes which includes the INFO_PRE:WEB_AUTH:flags.
> +
> +flags is a list of flags which are separated by commas. Currently defined
> +flags are:
> +
> +- proxy (see next pargraph)
> +- hidden start the webview in hidden mode (see openvpn3 webauth
> documentation)
> +- external Do not use an internal webview but use an external browser.
> Some
> + authentication providers refuse to work in an internal
> webview.
> +
>
> A complete documentation how URLs should be handled on the client is
> available
> in the openvpn3 repository:
>
> https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md
>
> -proxy_url
> -========
> -This is a variant of openurl that allows opening a url via an
> +webauth with proxy
> +==================
> +This is a variant of webauth that allows opening a url via an
> HTTP proxy. It could be used to avoid issues with OpenVPN connection's
> persist-tun that may cause the web server to be unreachable.
> -The client should announce proxy_url in its IV_SSO and parse the
> -PROXY_URL message. The format of {EXTRA} in this case is
> +The client should announce proxy in its IV_SSO and parse the
> +proxy flag in the WEB_AUTH message. The format of {EXTRA} in this case is
>
> -
> PROXY_URL:<proxy>:<proxy_port>:<proxyuser_base64>:<proxy_password_base64>:url
> +
> WEB_AUTH:proxy=<proxy>;<proxy_port>;<proxy_user_base64>;<proxy_password_base64>,flags:url
>
> The proxy should be a literal IPv4 address or IPv6 address enclosed in []
> to avoid
> ambiguity in parsing. A literal IP address is preferred as DNS might not
> be
> diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in
> index abbfd9c2a..28b845af1 100644
> --- a/include/openvpn-plugin.h.in
> +++ b/include/openvpn-plugin.h.in
> @@ -573,7 +573,7 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t
> OPENVPN_PLUGIN_FUNC(openvpn_plugin_op
> * auth_pending_file is
> * line 1: timeout in seconds
> * line 2: Pending auth method the client needs to support (e.g. openurl)
> - * line 3: EXTRA (e.g. OPEN_URL:http://www.example.com)
> + * line 3: EXTRA (e.g. WEBAUTH::http://www.example.com)
> *
> * In addition the OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER and
> * OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 are called when OpenVPN tries to
>
Acked-by: <selva.nair@gmail.com>
[Attachment #5 (text/html)]
<div dir="ltr"><div>Hi,</div><br><div class="gmail_quote"><div dir="ltr" \
class="gmail_attr">On Fri, Aug 13, 2021 at 7:56 AM Arne Schwabe <<a \
href="mailto:arne@rfc2549.org">arne@rfc2549.org</a>> wrote:<br></div><blockquote \
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex">The experience with openurl/OPEN_URL has shown \
that just sending<br> a URL to a client is not enough and we often need different<br>
behaviour of the client depending on circumstances. Replace<br>
OPEN_URL with a more flexible WEB_AUTH pending auth method.<br>
<br>
Patch v2: use WEB_AUTH instead WEBAUTH<br>
Patch v3: incooperate other comments from Selva<br>
<br>
Signed-off-by: Arne Schwabe <<a href="mailto:arne@rfc2549.org" \
target="_blank">arne@rfc2549.org</a>><br>
---<br>
doc/management-notes.txt | 45 +++++++++++++++++++++++++------------<br>
include/<a href="http://openvpn-plugin.h.in" rel="noreferrer" \
target="_blank">openvpn-plugin.h.in</a> | 2 +-<br> 2 files changed, 32 \
insertions(+), 15 deletions(-)<br> <br>
diff --git a/doc/management-notes.txt b/doc/management-notes.txt<br>
index c20344298..1cafb8a8e 100644<br>
--- a/doc/management-notes.txt<br>
+++ b/doc/management-notes.txt<br>
@@ -645,11 +645,11 @@ Before issuing a client-pending-auth to a client instead of \
a<br> client-auth/client-deny, the server should check the IV_SSO<br>
environment variable for whether the method is supported. Currently<br>
defined methods are crtext for challenge/response using text<br>
-(e.g., TOTP), openurl and proxy_url for opening a URL in the client to<br>
-continue authentication. A client supporting the first two methods would<br>
-set<br>
+(e.g., TOTP), openurl (deprecated) and webauth for opening a URL in<br>
+the client to continue authentication. A client supporting webauth and<br>
+crtext would set<br>
<br>
- setenv IV_SSO openurl,crtext<br>
+ setenv IV_SSO webauth,crtext<br>
<br>
The variable name IV_SSO is historic as AUTH_PENDING was first used<br>
to signal single sign on support. To keep compatibility with existing<br>
@@ -668,33 +668,50 @@ notification as<br>
where {EXTRA} is formatted as received from the server.<br>
Currently defined formats for {EXTRA} are detailed below.<br>
<br>
-openurl<br>
-========<br>
+webauth and openurl<br>
+===================<br>
For a web based extra authentication (like for<br>
SSO/SAML) {EXTRA} should be<br>
<br>
OPEN_URL:url<br>
<br>
-and client should ask the user to open the URL to continue.<br>
+or<br>
+<br>
+ WEB_AUTH:flags:url<br>
+<br>
+The OPEN_URL method is deprecated as it does not allow to send flags which<br>
+proved to be needed to signal certain behaviour to the client.<br>
+<br>
+The client should ask the user to open the URL to continue.<br>
<br>
The space in a control message is limited, so this url should be kept<br>
short to avoid issues. If a longer url is required a URL that redirects<br>
-to the longer URL should be sent instead.<br>
+to the longer URL should be sent instead. The total length is limited to 1024<br>
+bytes which includes the INFO_PRE:WEB_AUTH:flags.<br>
+<br>
+flags is a list of flags which are separated by commas. Currently defined<br>
+flags are:<br>
+<br>
+- proxy (see next pargraph)<br>
+- hidden start the webview in hidden mode (see openvpn3 webauth \
documentation)<br> +- external Do not use an internal webview but use an external \
browser. Some<br> + authentication providers refuse to work in an \
internal webview.<br> +<br>
<br>
A complete documentation how URLs should be handled on the client is available<br>
in the openvpn3 repository:<br>
<br>
<a href="https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md" \
rel="noreferrer" target="_blank">https://github.com/OpenVPN/openvpn3/blob/master/doc/webauth.md</a><br>
<br>
-proxy_url<br>
-========<br>
-This is a variant of openurl that allows opening a url via an<br>
+webauth with proxy<br>
+==================<br>
+This is a variant of webauth that allows opening a url via an<br>
HTTP proxy. It could be used to avoid issues with OpenVPN connection's<br>
persist-tun that may cause the web server to be unreachable.<br>
-The client should announce proxy_url in its IV_SSO and parse the<br>
-PROXY_URL message. The format of {EXTRA} in this case is<br>
+The client should announce proxy in its IV_SSO and parse the<br>
+proxy flag in the WEB_AUTH message. The format of {EXTRA} in this case is<br>
<br>
- PROXY_URL:<proxy>:<proxy_port>:<proxyuser_base64>:<proxy_password_base64>:url<br>
+ WEB_AUTH:proxy=<proxy>;<proxy_port>;<proxy_user_base64>;<proxy_password_base64>,flags:url<br>
<br>
The proxy should be a literal IPv4 address or IPv6 address enclosed in [] to \
avoid<br> ambiguity in parsing. A literal IP address is preferred as DNS might not \
be<br>
diff --git a/include/<a href="http://openvpn-plugin.h.in" rel="noreferrer" \
target="_blank">openvpn-plugin.h.in</a> b/include/<a \
href="http://openvpn-plugin.h.in" rel="noreferrer" \
target="_blank">openvpn-plugin.h.in</a><br> index abbfd9c2a..28b845af1 100644<br>
--- a/include/<a href="http://openvpn-plugin.h.in" rel="noreferrer" \
target="_blank">openvpn-plugin.h.in</a><br>
+++ b/include/<a href="http://openvpn-plugin.h.in" rel="noreferrer" \
target="_blank">openvpn-plugin.h.in</a><br> @@ -573,7 +573,7 @@ OPENVPN_PLUGIN_DEF \
openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_op<br>
* auth_pending_file is<br>
* line 1: timeout in seconds<br>
* line 2: Pending auth method the client needs to support (e.g. openurl)<br>
- * line 3: EXTRA (e.g. OPEN_URL:<a href="http://www.example.com" rel="noreferrer" \
target="_blank">http://www.example.com</a>)<br> + * line 3: EXTRA (e.g. WEBAUTH::<a \
href="http://www.example.com" rel="noreferrer" \
target="_blank">http://www.example.com</a>)<br>
*<br>
* In addition the OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER and<br>
* OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 are called when OpenVPN tries \
to<br></blockquote><div><br></div><div>Acked-by: <<a \
href="mailto:selva.nair@gmail.com">selva.nair@gmail.com</a>> </div></div></div>
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic