coova / coova-chilli

CoovaChilli is an open-source software access controller for captive portal hotspots.

Enabling Social Login(Facebook/Google) in Captive Implementation using Cova-Chilli and Free Radius #99

Closed shankarsh15 closed 8 years ago

shankarsh15 commented 8 years ago

Hi,

We are trying to implement a captive solution wherein we are using Cova Chilli and FreeRadius. We have hosted our own captive app (built in Java) on a Tomcat server. Our goal is to enable authentication through Social Login (using either Facebook/Google OAuth) instead of using any local authentication mechanism provided by Free Radius auth modules.

We are facing issues for enabling social login authentication through FreeRadius. Can you please provide any suggestions in this regard.

Cheers Shankar.

westbywest commented 8 years ago

Here is a response I gave to a near identical question on the Coova listserv a couple months ago. Do please note I am not a Coova developer.

I think Coova tried to support social login several years ago in their CoovaAAA project, but this development appears to be abandoned.

RADIUSDesk claims to support social login using CoovaChilli on the hotspots, although it is a full freeRADIUS + management dashboard package. http://sourceforge.net/projects/radiusdesk/

Also, though unfortunately inaccessible to OpenWRT at large, Cloudtrax just recently announced Facebook integration for the proprietary CoovaChilli clone they've rolled into their latest (OpenWRT-based) firmware. https://help.cloudtrax.com/hc/en-us/articles/202467164-New-in-CloudTrax-firmware-5xx


Ben West me@benwest.name

shankarsh15 commented 8 years ago

Appreciate a lot Ben for your quick response. Just wanted to understand whether there are any other open source software access controller other than Covachilli directly supporting Social Login.

jobezic commented 8 years ago

I have implemented what you describe for my company. Basically, I have integrated the social authentication in the captive portal. When a user successfully logs into their social, coova-chilli makes its pair of credentials using the user's info (e.g. email) and a random password and it logs the user in automatically. So the user is authenticated also with radius and exchanges sessions with it. Plus, I send the user's data to the server where radius is running through a webservice for collecting purposes.

shankarsh15 commented 8 years ago

Thanks a lot Giovanni for your valuable inputs, we are also taking a similar approach currently.

Cheers Shankar

shankarsh15 commented 8 years ago

Hi Giovanni

As mentioned yesterday I am also following your path to enable social login. I am actually stuck at the last part.

I am using below code for communication from my captive portal page to controller.

    chilliController.host = "192.168.2.2"; // Hard Coding - not a good idea
    chilliController.port = "3990";
    chilliController.interval = 60;

    chilliController.onError = handleErrors;
    chilliController.onUpdate = updateUI;

Can you please let me know what should be the correct value of chilliController.host.

I have tried both 192.168.1.1 and 192.168.2.2 which I see when I run ifconfig command by doing ssh to router but i am not able to hit the covachilli controller correctly.

Awaiting your valuable feedback.

Thanks Shankar

shankarsh15 commented 8 years ago

Hi Giovanni,

Is it possible for you to share the steps you used in your setup to enable social login through covachilli.

I am really stuck and not getting any pointers on How to proceed.

Here is a list of things which I did in my setup.

  1. Installed Covachilli in OpenWrt firmware.
  2. Installed Radius Server from Radius Desk in one of the Amazon instances.
  3. Changed defaults file with appropriate parameters in /etc/chili/defaults.
  4. Created my own captive portal application which has the facebook login embedded in it.
  5. Changed HS_UAMFORMAT in defaults.conf file to point to my captive portal app homepage.
  6. Restarted covachilli.

I am sure I am doing some mistake in setting up of /etc/chilli/defaults file.

Will really appreciate your help in this regard.

Thanks Shiv

mobishastr commented 8 years ago

Hi all, I will appreciate it if any one of you can provide us the complete solution for social login in hotspot as we are planning to start these services. If any one of you has already worked on it then it will save a lot of time. Kindly do let me know how to get in touch for further discussion on features, time required and price. Looking forward to getting urgent support. Regards

AndrewMargarit commented 8 years ago

Have a look at CucumberWiFi, It's a radius+external hosted login page that works with coovachilli.

jobezic commented 8 years ago

@mobishastr sorry for my delay... did you find the solution?

LouigiSon commented 8 years ago

Hi all,

I'm searching for a way to implement Facebook login or email access on the captive portal. The purpose of this is so one can gather required information for use at a later timeline (e.g. special offers & marketing).

My question is, has anyone been able to implement this feature? If so, I would gladly appreciate a guide or document which could also help me achieve the desired outcome.

Looking forward to a reply.

Regards

jobezic commented 8 years ago

Hi, i am able to implement that but i cannot provide a guide because it's not a procedure to follow but a feature to code..

skaterkamp commented 8 years ago

http://keycloak.org can handle social logins and it's getting fairly usable now. An idea could be to use such a Keycloak server, and set up the corresponding Keycloak client as a web application on the same server. That web app provides a login page ("security-constraint").

Setup Coova to permit non authenticated access to that web application and redirect non authenticated accesses to other URLs to that webapp login page. Keycloak then takes care of the login process.

Once logged in to the webapp, the "only" thing which is needed is a mechanism in the webapp which tells Coova that the user is authenticated. I am not sure what exactly would be needed for this or if this would be possible at all. This way some already existing open source solution would take care of all that complex authentication handling at least and the rest of telling Coova that the user is authenticated could be possibly easier to implement.

dhuka commented 8 years ago

Hi Skaterkamp,

nice idea, can you tell us how to setup coova to redirect keycloak web client ?

thanks

jobezic commented 8 years ago

You have to allow the url of web client in the allow garden of coovachilli and to set the redirect url to the same url. See the docs to do those operations.

matteos1 commented 8 years ago

do you have resolved to have coovachilli oauth with facebook or Google?

tek-monkey commented 8 years ago

Interesting reading. I've just set up a Cisco meraki ap to do this in my partners shop (using the free app offer for watching a webinar), but thought I'd see what I can do myself in either openwrt or routeros. My aim is to run everything off the router and an external website, I'll have a read up on cucumberwifi, thanks.

LyzioOh commented 8 years ago

Hey pinkra, I see you successfully coded a feature which allows users to log in on a coova-chilli captive portal using social login. I'm very interested in doing the same thing and have a few questions.

1) Did it take you a lot of time?
2) Which social logins are available? (Facebook, Twitter, ...)

Regards

LyzioOh commented 8 years ago

To whom it may interest.

I have done some research in order to see how to enable social login on coova using keycloak. There is a CoovaChilli JSON Interface available to log in users using JS. The main clients for this interface are ChilliLibrary.js or https://gitb.com/mpangrazzi/pepper .

One possible solution is:

1) Getting token from keycloak.
2) Ask radius server to accept this token.
3) Log in through CoovaChilli JSON Interface.

Regards

pramodsnegi commented 7 years ago

Hi Pinkra,

As you have successfully implemented social login in captive portal so could you please share the authentication flow at social level and at radius level. Would like to understand the complete flow before starting implementation.

charada commented 7 years ago

Hi, I'd be very interested in this solution as well. We wanted to authenticate our users against an external website (not facebook, twitter, ...) and I would like to understand how oauth would work in this case.

Thanks in advance

jobezic commented 7 years ago

@pramodsnegi I could just give you some suggestions: enable facebook's domains (or whatever social you want to use) in the allowed garden, play with the facebook api to get the user authenticated and finally create an account in the radius for the chilli part.

charada commented 7 years ago

@pinkra can you give us some light for the authentication flow? :) I've been looking to the walled-garden configuration in coova chilli. Does it define the domain that will be used for the authentication and it will redirect to that site, right? How can I establish communication with it? i.e. How do you learn from it that the user is authenticated?

Then, what I understand is that if authentication is done, a random user-password is created. Is this something that coovachilli provides? Did you have to modify the radius configuration?

Thanks for your help!

pramodsnegi commented 7 years ago

@Pinkra, Thanks for your prompt response. Actually I have successfully implemented Facebook, Google etc. API to authenticate the user in a separate web page (which is hosted publicly). Now I am not able to understand how the router will know that the user is authenticated and grant access. Is Radius mandatory for that? My aim is to implement a wifi hotspot solution where someone can log in via a facebook, google etc. account and, if authentication is successful, grant internet access. I am in a very initial phase of this implementation and not clear about the sequence of communication/messages.

Till now, my understanding is -user latches on wifi and opens any http web url, router will block all traffic and redirect to captive portal page (where we'll implement facebook, google login). Now if someone authenticated successfully at web page (captive portal) then somehow router should know this so that it will provide internet access to the user.

Thanks in Advance,

jobezic commented 7 years ago

@charada coovachilli does not provide a way to generate random credentials, you have to do it by yourself. What domain are you referring to?

jobezic commented 7 years ago

@pramodsnegi you should generate a random pair of credentials in your radius server on successful social login authentication, and then use them with coovachilli.

pmosse commented 7 years ago

@pinkra Did you have any luck implementing that? I have the same problem. I have a router with coovachilli that displays my external site, and from there I would like to give internet access to the user. So @pramodsnegi what you are saying is that I should create random credentials for the user? And how should I use them? I would like to give internet access to the user immediately without telling him to enter those credentials somewhere... How do I communicate with Radius or Coovachilli from the external site? Thanks!

stevejohn82 commented 7 years ago

Hey can any of you help me in setting a coova-chilli portal at openwrt , i am failing badly after several tries.. can i get a clear manual for it with radius sever included , Thank you

stevejohn82 commented 7 years ago

I have done it successfully using external radius server, now i have a login page normal coova login and facebook login as well but how to authenticate facebook users is the problem, if anyone of you have success implementing social login using coova chilli and any external server please do comment

pmosse commented 7 years ago

Hi @stevejohn82! So you are using an external splash page to authenticate users against Radius? But Facebook login doesn't work for you? Or are you using an internal Splash page, which one is your scenario?

jobezic commented 7 years ago

I have implemented it!

stevejohn82 commented 7 years ago

@pmosse I have html web-server inside openwrt router and remote radius authentication server outside , i can authenticate the username password that i created in the sql server but cannot authenticate the facebook or google users, please tell me the way out to implement social login @pinkra please share how you have done it without creating pair credentials yourself

reinerotto commented 7 years ago

I have implemented social login several times, as a freelancer. Incl. auth from freeradius, of course, and data scraping of user info. Like here: wifibus.com.mx ; clicspot.com However, having spent a lot of time reading and understanding coovas C-code, I am hesitating to give a lecture for free. I often see these type of requests from cheap freelance competitors, and as I make a living out of it, it should be understandable, not all knowledge to be shared for free.

mobishastr commented 7 years ago

Dear reinerotto

Can understand that one should get some financial benefits for their knowledge and long hours of dedicated work in a professional field.

I am looking for a hotspot solution with social login with posting on user wall. There are many features required, and all this preferably on mikrotik or some other device where there should be no restriction on the number of APs. Should work without any problem on all platforms.

Kindly let me know how can we get in touch

Warm regards Omesh Midha

Sky omesh_midha at hot mail . Com


stevejohn82 commented 7 years ago

@reinerotto how difficult it is to implement it using coova chilli? how much time will it take for a newbie to do it? if you can give a rough idea!

medrockstar commented 7 years ago

@pinkra how you have implemented it ?

Tks,

jobezic commented 6 years ago

@mobishastr contact me: giovanni@geenkle.com www.geenkle.com

reigelgallarde commented 6 years ago

I have done something like this.. But not sure if it's safe..

after facebook auth, I'm creating a user credentials and use chilliController.logon(username, password) my problem now is if someone tries to check the console, they will see the password.. I'm doing it wrong I think... any suggestion? I'm thinking of doing the logon on server side to hide the credentials... but don't know if that's possible...
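
One way to do the logon on the server side, as asked in the comment above (an added example, not code from this thread or from the CoovaChilli project): the portal backend computes the CHAP response from the `challenge` that CoovaChilli appends to the redirect, following the scheme used by the stock hotspotlogin script, so the browser only receives a single-use response and never the password. The controller address, the secret and all function names are assumptions.

```javascript
// Added example (Node.js): server-side CHAP logon for a CoovaChilli UAM portal.
const crypto = require('crypto');

// Assumed deployment values, constructed for illustration.
const UAM_SECRET = 'change-me'; // must equal the uamsecret set in chilli
const ALLOWED_CONTROLLERS = new Set(['10.1.0.1:3990']); // uamip:uamport you operate

const md5 = (...parts) =>
  crypto.createHash('md5').update(Buffer.concat(parts)).digest();

// Call only after the OAuth provider has verified the user on the server.
// The caller provisions this pair in RADIUS (site-specific, not shown);
// CHAP needs the RADIUS side to hold the cleartext password.
function makeCredentials(verifiedEmail) {
  return {
    username: verifiedEmail,
    password: crypto.randomBytes(24).toString('hex'),
  };
}

// response = MD5(0x00 || password || chal), where chal is the raw challenge,
// or MD5(challenge || uamsecret) when a uamsecret is configured.
function chapResponse(challengeHex, password, uamSecret) {
  if (!/^[0-9a-fA-F]{32}$/.test(String(challengeHex))) {
    throw new Error('malformed challenge');
  }
  let chal = Buffer.from(challengeHex, 'hex');
  if (uamSecret) chal = md5(chal, Buffer.from(uamSecret));
  return md5(Buffer.from([0]), Buffer.from(password), chal).toString('hex');
}

// query = parameters CoovaChilli appended to the portal redirect
// (uamip, uamport, challenge, userurl). Returns the URL to redirect the
// browser to; it carries the response, never the password.
function buildLogonUrl(query, creds, uamSecret = UAM_SECRET) {
  const controller = `${query.uamip}:${query.uamport}`;
  // Refuse to bounce the client to a host we do not operate.
  if (!ALLOWED_CONTROLLERS.has(controller)) {
    throw new Error('unexpected controller');
  }
  const url = new URL(`http://${controller}/logon`);
  url.searchParams.set('username', creds.username);
  url.searchParams.set('response',
    chapResponse(query.challenge, creds.password, uamSecret));
  if (query.userurl) url.searchParams.set('userurl', query.userurl);
  return url.toString();
}
```

Because the response is bound to the per-session challenge, reading it from the browser console does not reveal a reusable credential; deleting or expiring the RADIUS account after the session keeps the random password short-lived.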

irongomme commented 6 years ago

I think it can be done by implementing a custom login flow, and let server communicate with google or facebook oauth. But, has somebody already done a work like that ? I would be interested in !

reinerotto commented 6 years ago

Sure, did it several times. In the way you wrote. Read my previous post here.

eralumin commented 5 years ago

@reinerotto Did you use the uam regex option and fix it or did you have to code yourself the functionality to allow urls that match with regex?

reigelgallarde commented 5 years ago

after my last comment above, I studied how coovachilli works and radius server in general.

Now, I have made a few projects with coovachilli... An example is Mavis Piso Wifi and yes the above question can be done. But not in coovachilli alone...

reinerotto commented 5 years ago

> @reinerotto Did you use the uam regex option and fix it or did you have to code yourself the functionality to allow urls that match with regex?

No usage of regex. Own coding, like "irongomme" wrote in his post on 23-Apr-2018.

eralumin commented 5 years ago

But until the user is logged in, you make sure that he can only access "https://accounts.google.com/signin/oauth/[...]" if he asks to log in with his google account?