jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License

No information returned from Google oAuth #201

Closed vincib closed 6 months ago

vincib commented 6 months ago

Current Behavior

I'm using the Google provider and it works fine with the configuration below.

That said, I need to know the identity of our connected user to know which IP address to give him/her later in the openvpn, via a client-connect script.

openvpn-auth-oauth2 is logging this when the user is logged in:

time=2024-02-28T17:03:12.635+01:00 level=INFO msg="successful authorization via oauth2" cid=21 kid=1 session_id="" common_name=lavar user.subject="" user.preferred_username=""
time=2024-02-28T17:03:12.636+01:00 level=INFO msg="accept OpenVPN client cid 21, kid 1" cid=21 kid=1 session_id="" common_name=lavar user.subject="" user.preferred_username=""

I see that there is no username or subject returned by the oAuth session... Is it normal?

I expect to get some information from google regarding the logged-in user but I have none...

Expected Behavior

I expect openvpn-auth-oauth2 to get an email or name from the oAuth process, that can be then processed by openvpn (example via a client-connect script).

If it's clearly non-standard, feel free to replace this bug to be a feature request <3 and let's talk about it.

Steps To Reproduce

No response

Environment

openvpn-auth-oauth2 logs

openvpn-auth-oauth2[2165626]: time=2024-02-28T17:03:08.708+01:00 level=INFO msg="new client connection" cid=21 kid=1 common_name=lavar reason=CONNECT session_id="" session_state=""
openvpn-auth-oauth2[2165626]: time=2024-02-28T17:03:08.708+01:00 level=INFO msg="start pending auth" cid=21 kid=1 common_name=lavar reason=CONNECT session_id="" session_state=""
openvpn-auth-oauth2[2165626]: time=2024-02-28T17:03:09.227+01:00 level=INFO msg="initialize authorization via oauth2" cid=21 kid=1 common_name=lavar
openvpn-auth-oauth2[2165626]: time=2024-02-28T17:03:12.635+01:00 level=INFO msg="successful authorization via oauth2" cid=21 kid=1 session_id="" common_name=lavar user.subject="" user.preferred_username=""
openvpn-auth-oauth2[2165626]: time=2024-02-28T17:03:12.636+01:00 level=INFO msg="accept OpenVPN client cid 21, kid 1" cid=21 kid=1 session_id="" common_name=lavar user.subject="" user.preferred_username=""

openvpn server logs

2024-02-28 17:03:08 us=709129 MANAGEMENT: CMD 'client-pending-auth 21 1 "WEB_AUTH::https://mydomain.com/oauth2/start?state=random" 180'
2024-02-28 17:03:08 us=709179 SENT CONTROL []: 'AUTH_PENDING,timeout 180' (status=1)
2024-02-28 17:03:08 us=709199 SENT CONTROL []: 'INFO_PRE,WEB_AUTH::https://mydomain.com/oauth2/start?state=random' (status=1)
2024-02-28 17:03:08 us=713918 1.2.3.4:41718 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2024-02-28 17:03:08 us=713977 1.2.3.4:41718 [] Peer Connection Initiated with [AF_INET]1.2.3.4:41718
2024-02-28 17:03:08 us=714167 1.2.3.4:41718 PUSH: Received control message: 'PUSH_REQUEST'
2024-02-28 17:03:09 us=712546 1.2.3.4:41718 PUSH: Received control message: 'PUSH_REQUEST'
2024-02-28 17:03:12 us=636130 MANAGEMENT: CMD 'client-auth 21 1'
2024-02-28 17:03:17 us=712955 1.2.3.4:41718 PUSH: Received control message: 'PUSH_REQUEST'
2024-02-28 17:03:17 us=713020 1.2.3.4:41718 MULTI_sva: pool returned IPv4=10.222.128.2, IPv6=(Not enabled)
Login not found
2024-02-28 17:03:17 us=740091 1.2.3.4:41718 WARNING: Failed running command (--client-connect): external program exited with error status: 1
2024-02-28 17:03:25 us=713523 1.2.3.4:41718 PUSH: Received control message: 'PUSH_REQUEST'

The "Login not found" is from a client-connect script that receives a complete environment, but there is no username or email in this environment :/

Anything else?

My openvpn-oauth config is as follows:

CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server.sock
CONFIG_OPENVPN_PASSWORD=xxxx
CONFIG_OAUTH2_PROVIDER=google
CONFIG_OAUTH2_ISSUER=https://accounts.google.com/.well-known/openid-configuration
CONFIG_OAUTH2_ENDPOINT_AUTH=https://accounts.google.com/o/oauth2/auth
CONFIG_OAUTH2_ENDPOINT_TOKEN=https://oauth2.googleapis.com/token
CONFIG_OAUTH2_CLIENT_ID=xxxx
CONFIG_OAUTH2_CLIENT_SECRET=xxxxx
CONFIG_HTTP_LISTEN=127.0.0.1:9000
CONFIG_HTTP_SECRET=xxxxx
CONFIG_HTTP_BASEURL=https://mydomain.com/
CONFIG_HTTP_ENABLE__PROXY__HEADERS=1

vincib commented 6 months ago

After reading part of the source code, it seems that there is no way to tell openvpn any information about the user that has just been authenticated...

https://github.com/jkroepke/openvpn-auth-oauth2/blob/c721b322d2c437cd1f33313dc8813c6f7af1fe44/internal/openvpn/callbacks.go#L18

The only answer given to OpenVPN is the original OpenVPN username (which may be empty).

Am I wrong? Is there any way to give openvpn the identity of the oAuth-authenticated user?

jkroepke commented 6 months ago

I expect to get some information from google regarding the logged-in user but I have none...

That is strange, it looks different at my side (I'm using Google Workspace as well):

time=2024-02-28T17:28:45.214+01:00 level=INFO msg="successful authorization via oauth2" ip=192.168.65.1:51284 cid=1 kid=1 session_id=tuvBvUCjrsaMDjT5 common_name="" idtoken.subject=115662897738804440569 idtoken.email=mail@jkroepke.de idtoken.preferred_username="" user.subject=115662897738804440569 user.preferred_username=""
time=2024-02-28T17:28:45.214+01:00 level=INFO msg="accept OpenVPN client cid 1, kid 1" ip=192.168.65.1:51284 cid=1 kid=1 session_id=tuvBvUCjrsaMDjT5 common_name="" idtoken.subject=115662897738804440569 idtoken.email=mail@jkroepke.de idtoken.preferred_username="" user.subject=115662897738804440569 user.preferred_username=""
time=2024-02-28T17:28:45.807+01:00 level=INFO msg="client established" ip=192.168.65.1:51284 vpn_ip=100.64.0.3 cid=1 common_name="" reason=ESTABLISHED session_id=tuvBvUCjrsaMDjT5 session_state=Initial

The ip fields are new (merged yesterday, but not released yet), but I'm also missing the idtoken log fields on your side. This happens only if openvpn-auth-oauth2 does not get an IDToken back from Google.

The problem could be that you are configuring too much. The recommended setting is

CONFIG_OAUTH2_PROVIDER=google
CONFIG_OAUTH2_ISSUER=https://accounts.google.com
CONFIG_OAUTH2_CLIENT_ID=162738495-xxxxx.apps.googleusercontent.com
CONFIG_OAUTH2_CLIENT_SECRET=GOCSPX-xxxxxxxx

and the auto-discovery should do the rest.

I expect openvpn-auth-oauth2 to get an email or name from the oAuth process, that can be then processed by openvpn (example via a client-connect script).

+

After reading part of the source code, it seems that there is no way to tell openvpn any information about the user that has just been authenticated...

Correct. The request you are looking for is this (please leave a vote on the first post):

There was a recent discussion yesterday; here is a summary:

Using enterprise-like features (like WebAuth with SSO) together with native OpenVPN features is a combination which is currently not in scope of OpenVPN itself. While the feature request is valid, there is not enough traction to implement it.

The core maintainers say I should re-implement every feature in openvpn-auth-oauth2 the same way that other enterprise implementations do it.
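A check a reader can run over these logs, added here as an example and not part of the openvpn-auth-oauth2 project: a small Go parser for the logfmt lines that flags every "successful authorization via oauth2" event lacking an idtoken.subject field, which is the symptom described above when the provider returns no ID token. The sample lines are constructed after the ones quoted in this issue; the subject and email values are placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines: the first mirrors the "no identity" case from the
// bug report, the second the working case, the third an unrelated event.
// Subject and email values are placeholders, not real data.
const sampleLogs = `time=2024-02-28T17:03:12.635+01:00 level=INFO msg="successful authorization via oauth2" cid=21 kid=1 session_id="" common_name=lavar user.subject="" user.preferred_username=""
time=2024-02-28T17:28:45.214+01:00 level=INFO msg="successful authorization via oauth2" cid=1 kid=1 session_id=tuvBvUCjrsaMDjT5 common_name="" idtoken.subject=SUBJECT-PLACEHOLDER idtoken.email=user@example.com user.subject=SUBJECT-PLACEHOLDER
time=2024-02-28T17:03:08.708+01:00 level=INFO msg="new client connection" cid=21 kid=1 common_name=lavar reason=CONNECT`

// kvRe matches one logfmt pair: key=value or key="quoted value".
var kvRe = regexp.MustCompile(`(\S+?)=("(?:[^"\\]|\\.)*"|\S*)`)

// parseLogfmt turns one slog-style line into a map; surrounding quotes and
// escaped quotes inside quoted values are stripped.
func parseLogfmt(line string) map[string]string {
	fields := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		v := m[2]
		if len(v) >= 2 && v[0] == '"' {
			v = strings.ReplaceAll(v[1:len(v)-1], `\"`, `"`)
		}
		fields[m[1]] = v
	}
	return fields
}

// MissingIDToken returns the cid of every successful authorization that has
// no idtoken.subject, i.e. the provider returned no ID token and the user's
// identity is unknown to the server side.
func MissingIDToken(logs string) []string {
	var cids []string
	for _, line := range strings.Split(logs, "\n") {
		f := parseLogfmt(line)
		if f["msg"] != "successful authorization via oauth2" {
			continue
		}
		if f["idtoken.subject"] == "" {
			cids = append(cids, f["cid"])
		}
	}
	return cids
}

func main() {
	fmt.Println("authorizations without ID token, cid:", MissingIDToken(sampleLogs))
}
```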

jkroepke commented 6 months ago

the only answer given to openvpn is the original openvpn username (which may be empty)

Not even that. auth-token-user is only pushed to the OpenVPN client, but not used inside the OpenVPN server.

vincib commented 6 months ago

You are right: since I configured that before the Google provider existed, I didn't change anything...

I reconfigured and tested again:

openvpn-auth-oauth2[2178688]: time=2024-02-28T17:53:15.603+01:00 level=INFO msg="accept OpenVPN client cid 24, kid 1" cid=24 kid=1 session_id="" common_name=lavar idtoken.subject=118119612884626932668 idtoken.email=benjamin@aaa.octopuce.fr idtoken.preferred_username="" user.subject=118119612884626932668 user.preferred_username=""

It works now. I just have this 118-something id sent to openvpn, which is not transmitted to client-connect (which confirms your last message above), so the feature request remains :)

Thanks for the references to OpenVPN; I'll read that...

jkroepke commented 6 months ago

so the feature request remains :)

I would like to close this in favor of #139. The issue is around reporting the username back to OpenVPN.

If the username is in the OpenVPN context, it may be usable in client-connect scripts then.

vincib commented 6 months ago

Yes, this request is a duplicate of #139. I close it now unless you have another idea.

Thanks!