jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License

oauth2.validate.common-name not working #143

Closed andreas-p closed 7 months ago

andreas-p commented 7 months ago

Current Behavior

Using openvpn-auth-oauth2_1.13.5_linux_amd64.deb, I configured openvpn-auth to start with the command line option --oauth2.validate.common-name preferred_username.

On the server side, I have

username-as-common-name
verify-client-cert none

When connecting using openvpn3 with username "nobody" (authorizing via Nextcloud), I see

TLS: Username/Password authentication deferred for username 'nobody' [CN SET]
msg="successful authorization via oauth2" cid=15 kid=1 
  common_name=""
  idtoken.subject=MyName
  idtoken.preferred_username=MyName
  user.subject=MyName
  user.preferred_username=MyName

Obviously, cn "nobody" and preferred_username don't match.

Expected Behavior

Deny connection if cn and configured field from oauth2 userinfo endpoint don't match.

Steps To Reproduce

No response

Environment

No response

openvpn-auth-oauth2 logs

No response

openvpn server logs

No response

Anything else?

No response

jkroepke commented 7 months ago

tbh, I never tested this feature together with

username-as-common-name
verify-client-cert none

And it's suspicious to me that the common_name is empty on the log side.

However, if the common name is empty, the auth should be blocked:

https://github.com/jkroepke/openvpn-auth-oauth2/blob/5d5d2eab38cde193a25b179b1befb40ed7cc8637/internal/oauth2/providers/generic/check.go#L90-L92

I have to investigate the issue, but it will take some time.
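
As an added illustration of the behaviour the report expects (example code written for this page, not the project's own implementation), a standalone validator that denies an empty common name as well as a mismatch with the configured claim, run over claims constructed to resemble the log above; ValidateCommonName and its error values are names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors so callers can tell the three failure modes apart.
var (
	ErrEmptyCommonName    = errors.New("client common name is empty")
	ErrClaimMissing       = errors.New("configured claim not present in token")
	ErrCommonNameMismatch = errors.New("client common name does not match token claim")
)

// ValidateCommonName compares the common name OpenVPN reported for the client
// (with "username-as-common-name" that is the username the user typed) against
// the value of claimName in the OIDC token/userinfo claims. An empty common name
// is denied outright: with "verify-client-cert none" there is no certificate CN
// to fall back on, so an empty value must not silently pass the comparison.
func ValidateCommonName(commonName, claimName string, claims map[string]any) error {
	if strings.TrimSpace(commonName) == "" {
		return ErrEmptyCommonName
	}
	claimValue, ok := claims[claimName].(string) // missing key -> nil -> ok == false
	if !ok || claimValue == "" {
		return fmt.Errorf("%w: %q", ErrClaimMissing, claimName)
	}
	// Exact, case-sensitive comparison; any case-folding would be a deliberate relaxation.
	if commonName != claimValue {
		return fmt.Errorf("%w: cn=%q %s=%q", ErrCommonNameMismatch, commonName, claimName, claimValue)
	}
	return nil
}

func main() {
	// Constructed claims shaped like the log in the report; not a real token.
	claims := map[string]any{"sub": "MyName", "preferred_username": "MyName"}
	for _, cn := range []string{"nobody", "", "MyName"} {
		if err := ValidateCommonName(cn, "preferred_username", claims); err != nil {
			fmt.Printf("cn=%q: denied: %v\n", cn, err)
		} else {
			fmt.Printf("cn=%q: allowed\n", cn)
		}
	}
}
```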

andreas-p commented 7 months ago

Happening with openvpn2.6.3 from Debian Bookworm

jkroepke commented 7 months ago

I integrated some tests and figured out a typo in the config struct; it should be fixed with #151.

jkroepke commented 7 months ago

There is an additional in #154