My main request for this issue is to have OpenID Connect authentication support for Chisel, but a generic system to integrate with other authentication systems (e.g. SAML, or simple OAuth) is also great to have. Some benefits:

- Eliminate the need to store plain text passwords in the JSON authfile
- Make Chisel more suitable for enterprise environments, where centralized identity management is a must
## Design

The `users.json` file's schema can be changed to allow only a username (omitting the password), or even better, extended to support other common claims in the received JWT token like `email` and `group` (pretty much a dictionary of claims -> target regex).

Chisel server can have an additional flag to indicate the redirect URL for external authentication, or the information can also be written in the auth configuration.
## Workflow

1. Chisel client tries to connect to the Chisel HTTP server
2. Chisel server redirects the connection to the configured OpenID provider backend, passing the OpenID ClientID with the request
3. The user completes the login process with the OpenID provider
4. Chisel server verifies the ID token and compares it with the map in the authfile to allow the user access to the backend server
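Added example (not Chisel's code, and not from the issue author): a Go sketch, using only the standard library, of the extended authfile from the Design section and of step 4 of the workflow, the "verify the ID token, compare it with the authfile" decision. Everything specific here is an assumption for illustration: authfile keys take the form `claim=regex` and map to the usual list of allowed remote regexes; the claims map is what an OIDC library hands back after it has already verified the ID token's signature against the provider's keys, so this code enforces only issuer, audience and expiry before matching claims; `SampleAuthFile` and `SampleClaims` are constructed test data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// SampleAuthFile is a constructed authfile in the proposed passwordless schema:
// each key is "<claim>=<regex>" and maps to Chisel-style allowed remote regexes.
const SampleAuthFile = `{"email=^alice@example\\.com$": ["^127\\.0\\.0\\.1:22$"],
                        "groups=^ops$": ["^10\\.0\\.0\\.[0-9]+:80$"]}`

// SampleClaims is a constructed ID-token payload, as returned by an OIDC library
// after it verified the signature (JSON numbers decode as float64).
var SampleClaims = map[string]interface{}{
	"iss": "https://idp.example.com", "aud": []interface{}{"chisel-client-id"},
	"exp": float64(4102444800), "email": "alice@example.com", "groups": []interface{}{"dev", "ops"},
}

// rule is one authfile entry with its patterns compiled at load time.
type rule struct {
	key, claim string
	value      *regexp.Regexp
	remotes    []*regexp.Regexp
}

// ParseAuthFile compiles every pattern up front so a bad regex rejects the
// whole file (fail closed) instead of silently matching nothing at connect time.
func ParseAuthFile(data []byte) ([]rule, error) {
	var raw map[string][]string
	if err := json.Unmarshal(data, &raw); err != nil {
		return nil, err
	}
	var rules []rule
	for key, pats := range raw {
		parts := strings.SplitN(key, "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("authfile key %q: want claim=regex", key)
		}
		val, err := regexp.Compile(parts[1])
		if err != nil {
			return nil, fmt.Errorf("authfile key %q: %w", key, err)
		}
		r := rule{key: key, claim: parts[0], value: val}
		for _, p := range pats {
			re, err := regexp.Compile(p)
			if err != nil {
				return nil, fmt.Errorf("authfile key %q remote %q: %w", key, p, err)
			}
			r.remotes = append(r.remotes, re)
		}
		rules = append(rules, r)
	}
	return rules, nil
}

// claimMatches matches a scalar claim directly and an array claim ("groups",
// "aud") if any element matches; a missing claim never matches.
func claimMatches(v interface{}, re *regexp.Regexp) bool {
	switch t := v.(type) {
	case string:
		return re.MatchString(t)
	case []interface{}:
		for _, e := range t {
			if s, ok := e.(string); ok && re.MatchString(s) {
				return true
			}
		}
	}
	return false
}

// Authorize is the "verify the ID token, compare it with the authfile" step:
// issuer, audience (our OIDC client ID) and expiry are enforced first, then the
// remote is allowed if any rule whose claim regex matches the user lists it.
// It returns the matching authfile key so the server can log which rule fired.
func Authorize(rules []rule, claims map[string]interface{},
	issuer, clientID, remote string, now time.Time) (string, error) {
	if iss, _ := claims["iss"].(string); iss != issuer {
		return "", fmt.Errorf("id token: unexpected issuer %q", iss)
	}
	if !claimMatches(claims["aud"], regexp.MustCompile("^"+regexp.QuoteMeta(clientID)+"$")) {
		return "", fmt.Errorf("id token: audience does not include client id %q", clientID)
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return "", fmt.Errorf("id token: exp missing or not after %v", now)
	}
	for _, r := range rules {
		if !claimMatches(claims[r.claim], r.value) {
			continue
		}
		for _, re := range r.remotes {
			if re.MatchString(remote) {
				return r.key, nil
			}
		}
	}
	return "", fmt.Errorf("remote %q not allowed by any matching claim rule", remote)
}
```

Two design choices worth noting for the real implementation: the signature check is deliberately left to the OIDC library (rolling your own JWT verification is where most token-validation bugs come from), and patterns are compiled when the authfile is loaded, so a malformed regex refuses to start the server rather than quietly denying or, worse, allowing a remote at connect time. Array-valued claims such as `groups` and `aud` match if any element matches, and a claim the token does not carry never matches, so a missing `groups` claim cannot satisfy a `groups=` rule.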
## Alternatives

A few TCP-over-HTTP tunnel implementations exist that support plugging into an Identity Authentication Proxy: