AnthonyDeroche / mod_authnz_jwt

An authentication module for Apache httpd using JSON Web Tokens

AuthJWTProvider ldap with Require ldap-group #56

Open zrav opened 3 years ago

zrav commented 3 years ago

We are currently using LDAP Basic Auth with group checking in a reverse proxy setup, which we'd like to switch to a JWT cookie setup, but are running into problems.

We are successful using the file auth provider, posting the credentials to the login-handler, receiving the JWT cookie in return. But when we switch to AuthJWTProvider ldap, we are unable to use the "Require ldap-group" directive in the login configuration. Is this currently not supported? Even better would be the possibility to check groups on each individual secured path, so you'd be able to have different requirements for each, but I assume that would require the assigned groups to be stored in the cookie and then checked on access, and I don't think that's possible.

    AuthJWTFormUsername user
    AuthJWTFormPassword password
    AuthJWTAttributeUsername user
    AuthJWTSignatureAlgorithm HS256
    AuthJWTSignatureSharedSecret sikrit
    AuthJWTCookieName ProxyJWT
    AuthJWTExpDelay 1800
    AuthJWTNbfDelay 0
    AuthJWTAud demo
    AuthJWTLeeway 10

    AuthJWTDeliveryType Cookie
    AuthJWTCookieAttr "Secure; HttpOnly; SameSite=Strict; Path=/"

    # Secured area: access is granted on a valid JWT cookie
    <Directory /var/www/html/demo/secured/>
        AllowOverride None
        AuthType jwt-cookie
        AuthName "jwt private area"
        Require valid-user
    </Directory>

    # Login handler: credentials are checked against LDAP and a cookie is issued
    <Location /demo/login>
        SetHandler jwt-login-handler
        AuthJWTProvider ldap
        AuthLDAPURL    "ldap://ldaphost:389/ou=People,dc=company,dc=com?uid,cn,mail?sub?(objectClass=*)"
        AuthLDAPBindDN "cn=admin,dc=company,dc=com"
        AuthLDAPGroupAttribute "memberUid"
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPBindPassword "anotherSikrit"
        AuthLDAPRemoteUserAttribute "uid"
        Require ldap-group cn=mygroup,ou=Group,dc=company,dc=com
    </Location>

AnthonyDeroche commented 3 years ago

I do not know how exactly the ldap module works. You could have 2 methods:

  1. I assume the require-group directive needs to access the current user. It might be interesting to know whether it is possible for the ldap module to use the REMOTE_USER set by the authnz_jwt module in the environment and then use it afterwards for authorization.

  2. You need to store the user's groups in the token to be able to perform validation based on token data, and then use Require jwt-claim-array groups=group1, assuming groups is an array of groups and the token is issued by another server (this module cannot set LDAP groups in its data).
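The following is an added example, not code from mod_authnz_jwt or from either participant, that works through the second method above together with the per-path group requirements the issue asks for. An external issuer (standing in for the "another server" that has done the LDAP bind and group lookup) mints an HS256 token carrying a groups array, and a small verifier models what the proxy does with the cookie: check the signature, algorithm, audience and time window using the values from the posted configuration (shared secret sikrit, audience demo, 1800 s expiry, 10 s leeway, username claim user), then apply a Require jwt-claim-array style check per path. The claim name groups, the path-to-group table and all function names are assumptions for the illustration; only the standard library is used.

```python
# Added example (not mod_authnz_jwt code): an external issuer puts the user's
# LDAP groups in the token and a per-path check models `Require jwt-claim-array`.
import base64
import hashlib
import hmac
import json
import time

# Values taken from the configuration posted in the issue.
SHARED_SECRET = b"sikrit"   # AuthJWTSignatureSharedSecret
AUDIENCE = "demo"           # AuthJWTAud
EXP_DELAY = 1800            # AuthJWTExpDelay (seconds)
LEEWAY = 10                 # AuthJWTLeeway (seconds)
USERNAME_CLAIM = "user"     # AuthJWTAttributeUsername
GROUPS_CLAIM = "groups"     # assumed claim name for the group array


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, groups: list, now=None) -> str:
    """What the separate issuing server would do (method 2): after its own LDAP
    bind and group lookup it signs the username and group list with HS256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        USERNAME_CLAIM: user,
        GROUPS_CLAIM: list(groups),
        "aud": AUDIENCE,
        "iat": now,
        "nbf": now,                 # AuthJWTNbfDelay 0
        "exp": now + EXP_DELAY,
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Validate the cookie value before trusting any claim: signature first,
    then alg, aud and the time window with leeway. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # the token never chooses the algorithm
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if now > claims.get("exp", 0) + LEEWAY:
        raise ValueError("expired")
    if now < claims.get("nbf", 0) - LEEWAY:
        raise ValueError("not yet valid")
    return claims


def claim_array_allows(claims: dict, claim: str, required: str) -> bool:
    """Model of `Require jwt-claim-array <claim>=<value>`: allow only when the
    claim is an array that contains the required value."""
    values = claims.get(claim)
    return isinstance(values, list) and required in values


# Per-path requirements (assumed): in httpd each would be a Require line
# inside its own <Directory> or <Location> block.
PATH_GROUPS = {
    "/demo/secured/": "mygroup",
    "/demo/admin/": "admins",
}


def authorize(token: str, path: str, now=None):
    """Return (allowed, reason) for a request to `path` carrying `token`."""
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return False, f"invalid token: {exc}"
    required = PATH_GROUPS.get(path)
    if required is None:
        return False, "no rule for path"
    if claim_array_allows(claims, GROUPS_CLAIM, required):
        return True, f"{claims[USERNAME_CLAIM]} is in {required}"
    return False, f"{claims[USERNAME_CLAIM]} is not in {required}"


if __name__ == "__main__":
    tok = issue_token("alice", ["mygroup"])
    print(authorize(tok, "/demo/secured/"))   # allowed
    print(authorize(tok, "/demo/admin/"))     # denied
```

The order inside verify_token matters: the signature is checked before any claim is read, so a forged payload that adds a group is rejected without the group check ever running, and the leeway is applied symmetrically to exp and nbf exactly as a 10 s clock skew allowance.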