Feature request: support external authentication system

[folliehiyuki]

My main request for this issue is to have OpenID Connect authentication support for Chisel, but a generic system to integrate with other authentication systems (.e.g SAML, or simple OAuth) is also great to have. Some benefits:

• Eliminate the need to store plain text passwords in the JSON authfile
• Make Chisel more suitable for enterprise environment, where centralized identity management is a must

Design

The users.json file's schema can be changed to allow only username (omit password), or even better, extended to support other common claims in the received JWT token like email, group (pretty much a dictionary of claims -> target regex).

Chisel server can have an additional flag to indicate the redirect URL for external authentication, or the information can be also written in the auth configuration.

Workflow

• Chisel client try to connect to Chisel HTTP server
• Chisel server redirects the connection to the configured OpenID provider backend, passing the OpenID ClientID with the request
• The user completes the log in process with the OpenID provider
• Chisel server verifies the ID token, compares it with the map in authfile to allow the user access to the backend server

Alternatives

A few TCP-over-HTTP tunnel implementations exist that support plugging into an Identity Authentication Proxy:

• Google Cloud's IAP
• Pomerium

[snimavat]

+1 for ability to have database or redis or ability to write custom authenticator