From: Juliusz Chroboczek <jch@irif.fr>
To: galene@lists.galene.org
Subject: [Galene] Third party auth code in master
Date: Fri, 18 Feb 2022 14:27:38 +0100
Message-ID: <87ley8e245.wl-jch@irif.fr>
Dear all,
I've just merged the third-party authentication code into master.  If
you're running a small server and are happy with Galene's authentication,
please ignore this mail.  If, on the other hand, you would like to
integrate Galene with an existing authentication system (such as LDAP or
even Unix passwords), read on.
I've written a sample authentication server in Python, since this is the
language that's most likely to be familiar to most system administrators.
You may find it at
    https://github.com/jech/galene-sample-auth-server
Should you prefer a different language, let me know; it should be fairly
trivial to write an auth server in any language that has libraries for
HTTPS, JSON and JWK.
The protocol currently works as follows.  The client consults the group
status, and determines that the group is using token auth.  It sends an
HTTP POST to the auth server with the username and the group location.
The auth server performs authentication, then returns a signed JWK (a
"JWS") that contains the username, the group location, as well as the
permissions granted to the user.  The client then joins the group as
usual, except that it passes the token instead of a password.
This happens here:
  https://github.com/jech/galene/blob/master/static/galene.js#L284
  https://github.com/jech/galene/blob/master/static/protocol.js#L440
Note that the server never sees the password; however, the password goes
through Galene's Javascript code.  A different flow is possible with no
server changes: it should be possible to have a third party website
generate a token and then redirect to Galene, with the token passed in
a URL fragment.  The advantage is that Galene's Javascript never sees the
password, which is a good thing in case the server is corrupted.
Things to do:
  - make it possible to set authServer/authKey globally, not just in
    the group definition file;
  - implement the second flow described above.
-- Juliusz
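As an added illustration of the token flow described in the mail (this is not Galene's code nor the sample auth server linked above), the following Python sketches both halves: the auth server minting a compact JWS that binds username, group location and permissions, and the checks the group server should make before accepting the token in place of a password. The HS256 shared secret and the claim names (`sub`, `aud`, `permissions`) are assumptions for this example, not Galene's documented format.

```python
import base64, hmac, hashlib, json, time

# Constructed shared secret for this example; a real deployment uses the key
# configured via authKey, whose format is not shown in the mail.
SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(username, location, permissions, now=None, ttl=300):
    """Auth-server side: after authenticating the user, mint a compact JWS
    (HS256) carrying username, group location and permissions.
    Claim names are assumed for this example."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "aud": location, "permissions": permissions,
               "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token, expected_location, now=None):
    """Group-server side: accept the token only if algorithm, signature,
    expiry and group location all check out. Returns (username, permissions)
    or None. Pinning the algorithm rejects 'none' and confusion attacks."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    payload = json.loads(_b64url_decode(p64))
    # The location check stops a token issued for one group being replayed
    # against another; the expiry check bounds the window of a leaked token.
    if payload.get("aud") != expected_location or payload.get("exp", 0) <= now:
        return None
    return payload["sub"], payload["permissions"]
```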