ferdium / ferdium-app

All your services in one place, built by the community
https://ferdium.org
Apache License 2.0

Feature: Allow use of kerberos tickets within ferdium and/or services #596

Open cmeissner opened 2 years ago

cmeissner commented 2 years ago

Problem Description

It is currently not possible to make use of the SSO feature related to Kerberos tickets. With Chrome (on Fedora 36) you are able to use Kerberos by simply placing a JSON file in (/etc/opt/chrome/policies/managed/) with the following content:

{ "AuthServerWhitelist": ".example.com"}

There is no way to set up this feature globally or by service yet.

Proposed Solution

The best solution would be to have ui dialogs for:

  1. setting up kerberos globally
  2. setting by service

Alternatives Considered

A much simpler to implement solution can be an approach like in Chrome by placing a file somewhere within the ferdium directory tree at a minimum.

Additional Information

Obviously it is needed to use another library to implement such a feature. Maybe the kerberos npm package can be a good candidate for that feature.

SpecialAro commented 2 years ago

Hello @cmeissner, thank you for logging this feature request. Would you please edit the title of this issue so it corresponds to the feature request itself? Thank you

kingsleyzissou commented 1 year ago

So technically you could launch the app from the command line and specify the args for the kerberos tickets, this was added to franz by the looks of it.

Running: /usr/bin/ferdium --auth-server-whitelist '*.my-domain.com' --auth-negotiate-delegate-whitelist '*.my-domain.com' did the trick for me.

cmeissner commented 1 year ago

This does not work for me. As I'm on Fedora I run the following command (with and without * in front of domains)

flatpak run org.ferdium.Ferdium --auth-server-whitelist '.example.com' --auth-negotiate-delegate-whitelist '.example.com'

But I still need to provide login data for all services. SSO is not working.

Providing such command line parameters should not be the intended solution. Users should be able to configure this in the UI for convenience reasons and for being usable for all kinds of users, as providing command line parameters needs more knowledge in modern desktop Linux variants in configuring custom application launchers.

kingsleyzissou commented 1 year ago

Ah fair enough, running Ferdium on Fedora too (but not flatpak).

We're in the same company btw and internal SSO is working for me. But as you said, would be nice to configure this in the app rather than the workaround I'm using

cmeissner commented 1 year ago

I can confirm that the workaround suggested by @kingsleyzissou works with the rpm from the Ferdium download page but not with the flatpak version from flathub.

xek commented 1 year ago

This syntax worked for me:

flatpak run org.ferdium.Ferdium --auth-server-whitelist 'https://*' --auth-negotiate-delegate-whitelist 'https://*'

cmeissner commented 1 year ago

@xek I also tried this with the flatpak version but it won't work for me. But with rpm I have a workaround in place.

djasa commented 1 year ago

@xek I also tried this with the flatpak version but it won't work for me. But with rpm I have a workaround in place.

This syntax did work for me with flatpak on Fedora 37, so I've put it into a custom .desktop file:

$ KRBDOMAIN=example.com
$ sed "/^Exec=/ s/\(org.ferdium.Ferdium\)/\1 --auth-server-whitelist \"https:\/\/*.$KRBDOMAIN\"  --auth-negotiate-delegate-whitelist \"https:\/\/*.$KRBDOMAIN\"/" \
    /var/lib/flatpak/app/org.ferdium.Ferdium/current/active/export/share/applications/org.ferdium.Ferdium.desktop \
    > ~/.local/share/applications/ferdium-custom.desktop
$ xdg-desktop-menu forceupdate

However a configuration option would be much friendlier...
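Added example, not part of any comment in this thread: the delegate flag names the servers the embedded Chromium is allowed to delegate the user's Kerberos credentials to, so a launcher that passes a bare wildcard such as 'https://*' widens that to every HTTPS origin a service loads. This POSIX sh check reads a launcher command line and labels each allowlist entry; the function names, the `--flag=value` form and the "at least two fixed labels" threshold are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the Kerberos allowlist flags on a
# launcher command line. Flag names are the ones quoted in the comments above.

# classify_pattern PATTERN -> prints "scoped" or "broad".
# A wildcard pattern is "broad" when fewer than two fixed labels follow it,
# so '*', 'https://*' and '*.com' are broad while '*.example.com' is scoped.
classify_pattern() {
    host=${1#*://}                      # drop an optional scheme
    case $host in
        '') echo broad; return 0 ;;
        *'*'*|.*) ;;                    # wildcard or leading-dot suffix match
        *) echo scoped; return 0 ;;     # exact host name
    esac
    fixed=$(printf '%s' "$host" | sed 's/^[*.]*//')
    case $fixed in
        *'*'*|'') echo broad ;;         # wildcard elsewhere, or nothing fixed
        *.*) echo scoped ;;             # e.g. example.com
        *) echo broad ;;                # e.g. com
    esac
}

# audit_exec_line LINE -> one "flag pattern verdict" row per allowlist entry.
# Accepts "--flag value" (as used in the thread) and "--flag=value" (assumed).
audit_exec_line() {
    ( set -f                            # subshell: keep '*' literal, no globbing
      flag=
      for word in $1; do
          word=$(printf '%s' "$word" | tr -d "\"'")
          case $word in
              --auth-server-whitelist=*|--auth-negotiate-delegate-whitelist=*)
                  flag=${word%%=*}; value=${word#*=} ;;
              --auth-server-whitelist|--auth-negotiate-delegate-whitelist)
                  flag=$word; continue ;;
              *)  [ -n "$flag" ] || continue; value=$word ;;
          esac
          for pat in $(printf '%s' "$value" | tr ',' ' '); do
              echo "${flag#--} $pat $(classify_pattern "$pat")"
          done
          flag=
      done )
}

# Constructed sample line (not copied from a real launcher file).
audit_exec_line 'Exec=flatpak run org.ferdium.Ferdium --auth-server-whitelist "https://*.example.com" --auth-negotiate-delegate-whitelist "https://*" @@u %U @@'
```

To check a real launcher, pass it the output of `grep '^Exec=' ~/.local/share/applications/ferdium-custom.desktop` and look for rows ending in `broad`.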

tlbueno commented 1 year ago

@xek I also tried this with the flatpak version but it won't work for me. But with rpm I have a workaround in place.

This syntax did work for me with flatpak on Fedora 37, so I've put it into a custom .desktop file:

$ KRBDOMAIN=example.com
$ sed "/^Exec=/ s/\(org.ferdium.Ferdium\)/\1 --auth-server-whitelist \"https:\/\/*.$KRBDOMAIN\"  --auth-negotiate-delegate-whitelist \"https:\/\/*.$KRBDOMAIN\"/" \
    /var/lib/flatpak/app/org.ferdium.Ferdium/current/active/export/share/applications/org.ferdium.Ferdium.desktop \
    > ~/.local/share/applications/ferdium-custom.desktop
$ xdg-desktop-menu forceupdate

However a configuration option would be much friendlier...

I am on Fedora 37 and got the error below when I tried that way. Any ideas about why this error is happening?

$ /usr/bin/flatpak run --branch=stable --arch=x86_64 --command=ferdium --file-forwarding org.ferdium.Ferdium --auth-server-whitelist "https://*.example.com" --auth-negotiate-delegate-whitelist "https://*.example.com" --ozone-platform=wayland '--enable-features=UseOzonePlatform,WebRTCPipeWireCapturer'

[2:0315/082345.266802:ERROR:wayland_connection.cc(224)] Failed to connect to Wayland display: No such file or directory (2)
[2:0315/082345.266832:ERROR:ozone_platform_wayland.cc(223)] Failed to initialize Wayland platform
[2:0315/082345.266834:ERROR:env.cc(255)] The platform failed to initialize. Exiting.

djasa commented 1 year ago

@xek your error is unrelated to this issue. Essentially it looks like Ferdium is told to run as a Wayland client while the flatpak configuration forces use of X11 socket. If you want to run Ferdium as a Wayland client, you'd need to set up an override providing it a Wayland socket.