Closed vincib closed 6 months ago
After reading part of the source code, it seems that there is no way to tell openvpn any information about the user that has just been authenticated...
the only answer given to openvpn is the original openvpn username (which may be empty)
Am I wrong? Is there any way to give openvpn the identity of the oAuth-authenticated user?
I expect to get some information from google regarding the logged-in user but I have none...
That is strange, it looks different at my side (I'm using Google Workspace as well):
time=2024-02-28T17:28:45.214+01:00 level=INFO msg="successful authorization via oauth2" ip=192.168.65.1:51284 cid=1 kid=1 session_id=tuvBvUCjrsaMDjT5 common_name="" idtoken.subject=115662897738804440569 idtoken.email=mail@jkroepke.de idtoken.preferred_username="" user.subject=115662897738804440569 user.preferred_username=""
time=2024-02-28T17:28:45.214+01:00 level=INFO msg="accept OpenVPN client cid 1, kid 1" ip=192.168.65.1:51284 cid=1 kid=1 session_id=tuvBvUCjrsaMDjT5 common_name="" idtoken.subject=115662897738804440569 idtoken.email=mail@jkroepke.de idtoken.preferred_username="" user.subject=115662897738804440569 user.preferred_username=""
time=2024-02-28T17:28:45.807+01:00 level=INFO msg="client established" ip=192.168.65.1:51284 vpn_ip=100.64.0.3 cid=1 common_name="" reason=ESTABLISHED session_id=tuvBvUCjrsaMDjT5 session_state=Initial
The ip fields are new (merged yesterday, but not released yet), but I'm also missing the idtoken log fields on your side. This happens only if openvpn-auth-oauth2 does not get an ID token back from Google.
The problem could be that you are configuring too much. The recommended setting is
CONFIG_OAUTH2_PROVIDER=google
CONFIG_OAUTH2_ISSUER=https://accounts.google.com
CONFIG_OAUTH2_CLIENT_ID=162738495-xxxxx.apps.googleusercontent.com
CONFIG_OAUTH2_CLIENT_SECRET=GOCSPX-xxxxxxxx
and the auto-discovery should do the rest
I expect openvpn-auth-oauth2 to get an email or name from the oAuth process, that can be then processed by openvpn (example via a client-connect script).
After reading part of the source code, it seems that there is no way to tell openvpn any information about the user that has just been authenticated...
Correct. The request you are looking for is this (please leave a vote on the first post):
There was a recent discussion yesterday; here is a summary:
Using enterprise-like features (like WebAuth with SSO) together with native OpenVPN features is a combination which is currently not in scope of OpenVPN itself. While the feature request is valid, there is not enough attraction to implement it.
The core maintainers say I should re-implement every feature in openvpn-auth-oauth2 the same way that other enterprise implementations do it.
the only answer given to openvpn is the original openvpn username (which may be empty)
Not even that. auth-token-user is only pushed to the OpenVPN client, but not used inside the OpenVPN server.
You are right: since I configured that before the Google provider existed, I didn't change anything ...
I reconfigured and tested again:
openvpn-auth-oauth2[2178688]: time=2024-02-28T17:53:15.603+01:00 level=INFO msg="accept OpenVPN client cid 24, kid 1" cid=24 kid=1 session_id="" common_name=lavar idtoken.subject=118119612884626932668 idtoken.email=benjamin@aaa.octopuce.fr idtoken.preferred_username="" user.subject=118119612884626932668 user.preferred_username=""
It works now, I just have this 118sthg id sent to openvpn, which is not transmitted to client-connect (which confirms your last message above), so the feature request remains :)
Thanks for the references to openvpn, I'll read that...
so the feature request remains :)
I would like to close this in favor of #139. The issue is around reporting the username back to OpenVPN.
If the username is in the OpenVPN context, it may be usable in client-connect scripts then.
Yes, this request is a duplicate of #139. I close it now unless you have another idea.
Thanks!
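As an added illustration of the client-connect script discussed in this thread (this is not code from the openvpn-auth-oauth2 project or from either participant), here is a POSIX sh client-connect script that assigns a fixed VPN address per identity. It assumes a constructed identity-to-address table, the `username` and `common_name` environment variables that OpenVPN exports to the script, and the per-client config file path as `$1`. With openvpn-auth-oauth2 as described above, only `common_name` (the certificate CN) is populated, so the mapping has to key on that until the username is reported back to OpenVPN; an unknown or missing identity fails closed and the connection is rejected.

```shell
#!/bin/sh
# Added example (not from the openvpn-auth-oauth2 project): an OpenVPN
# client-connect script that assigns a fixed VPN address per identity.
# OpenVPN invokes it as   client-connect /etc/openvpn/client-connect.sh
# and passes the path of a temporary per-client config file as $1;
# the client's identity arrives only through environment variables.

# Constructed mapping: identity -> VPN address (subnet topology, 100.64.0.0/24).
lookup_ip() {
    case "$1" in
        lavar)   echo "100.64.0.10" ;;
        alice)   echo "100.64.0.11" ;;
        *)       return 1 ;;
    esac
}

# Pick whichever identity OpenVPN exposes to the script. username comes from
# the client's auth-user-pass and is empty in the setup discussed here;
# common_name comes from the client certificate and is the only usable key.
identity_from_env() {
    if [ -n "$username" ]; then
        echo "$username"
    elif [ -n "$common_name" ]; then
        echo "$common_name"
    else
        return 1
    fi
}

# Build the ifconfig-push line for an identity; fails (non-zero) for an
# unknown identity so the caller can reject the connection (fail closed).
build_push() {
    ip=$(lookup_ip "$1") || return 1
    echo "ifconfig-push $ip 255.255.255.0"
}

main() {
    cfg="$1"
    id=$(identity_from_env) || { echo "Login not found" >&2; exit 1; }
    line=$(build_push "$id") || { echo "no address for $id" >&2; exit 1; }
    # Appending to the file OpenVPN handed us is how client-connect
    # scripts push per-client options; a non-zero exit rejects the client.
    echo "$line" >> "$cfg"
}

# Only act as a client-connect hook when OpenVPN supplies the config path.
if [ $# -ge 1 ]; then
    main "$1"
fi
```

The script exits non-zero both when no identity is present in the environment (the "Login not found" case from the issue) and when the identity has no address on file, so a client that cannot be identified never gets a default address.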
Current Behavior
I'm using the Google provider and it works fine with the configuration below.
That said, I need to know the identity of our connected user to know which IP address to give him/her later in openvpn, via a client-connect script.
openvpn-auth-oauth2 is logging this when the user is logged in:
I see that there is no username or subject returned by the oAuth session... Is it normal?
I expect to get some information from google regarding the logged-in user but I have none...
Expected Behavior
I expect openvpn-auth-oauth2 to get an email or name from the oAuth process, that can be then processed by openvpn (example via a client-connect script).
If it's clearly non-standard, feel free to reclassify this bug as a feature request <3 and let's talk about it.
Steps To Reproduce
No response
Environment
openvpn-auth-oauth2 logs
openvpn server logs
The "Login not found" is from a client-connect script, which receives a complete environment, but no username or email in this environment :/
Anything else?
My openvpn-oauth config is as such: