Galène videoconferencing server discussion list archives
From: Juliusz Chroboczek <jch@irif.fr>
To: galene@lists.galene.org
Subject: [Galene] Third party auth code in master
Date: Fri, 18 Feb 2022 14:27:38 +0100
Message-ID: <87ley8e245.wl-jch@irif.fr>

Dear all,

I've just merged the third-party authentication code into master.  If
you're running a small server and are happy with Galene's authentication,
please ignore this mail.  If, on the other hand, you would like to
integrate Galene with an existing authentication system (such as LDAP or
even Unix passwords), read on.

I've written a sample authentication server in Python, since this is the
language that's most likely to be familiar to most system administrators.
You may find it at

    https://github.com/jech/galene-sample-auth-server

Should you prefer a different language, let me know; it should be fairly
trivial to write an auth server in any language that has libraries for
HTTPS, JSON and JWK.

The protocol currently works as follows.  The client consults the group
status, and determines that the group is using token auth.  It sends an
HTTP POST to the auth server with the username and the group location.
The auth server performs authentication, then returns a signed JWK (a
"JWS") that contains the username, the group location, as well as the
permissions granted to the user.  The client then joins the group as
usual, except that it passes the token instead of a password.

This happens here:

  https://github.com/jech/galene/blob/master/static/galene.js#L284
  https://github.com/jech/galene/blob/master/static/protocol.js#L440

Note that the server never sees the password; however, the password goes
through Galene's Javascript code.  A different flow is possible with no
server changes: it should be possible to have a third party website
generate a token and then redirect to Galene, with the token passed in
a URL fragment.  The advantage is that Galene's Javascript never sees the
password, which is a good thing in case the server is corrupted.

Things to do:

  - make it possible to set authServer/authKey globally, not just in
    the group definition file;
  - implement the second flow described above.

-- Juliusz
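The token exchange described in the message above, reduced to its two security-relevant halves, as an added example that is not part of the original mail nor of the galene-sample-auth-server repository: the auth server verifies the username and password against a hashed credential store and issues a signed JWS whose claims bind the username, the group location and the granted permissions; the receiving side then checks the signature, the audience and the expiry before honouring the permissions. The HTTP transport is left out, the claim names (`sub`, `aud`, `permissions`), the HS256 algorithm and the shared signing key are assumptions for illustration (Galene's actual token format and the `authKey` it is configured with may differ), and the user database, salt and key are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key shared by the auth server and the party that
# verifies tokens (assumption: a real deployment uses the key configured as authKey).
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed credential store: PBKDF2 password hashes plus per-user permissions.
# A real auth server would consult LDAP, PAM, etc. instead.
_SALT = b"constructed-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {"hash": _hash_password("correct horse", _SALT), "permissions": ["present"]},
    "bob": {"hash": _hash_password("battery staple", _SALT), "permissions": ["op", "present"]},
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, password, group_location, key=SIGNING_KEY, now=None, ttl=300):
    """Auth-server side: check the password, return a compact HS256 JWS or None."""
    user = USERS.get(username)
    if user is None:
        _hash_password(password, _SALT)  # same work for unknown users (timing)
        return None
    if not hmac.compare_digest(user["hash"], _hash_password(password, _SALT)):
        return None
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # Assumed claim names: subject = username, audience = group location,
    # permissions = what the user may do in that group, plus issue/expiry times.
    claims = {
        "sub": username,
        "aud": group_location,
        "permissions": user["permissions"],
        "iat": now,
        "exp": now + ttl,
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token, group_location, key=SIGNING_KEY, now=None):
    """Receiving side: accept only a valid signature, matching group, unexpired token."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(head))
    # Pin the algorithm: never let the token choose (rejects "none" and confusion attacks).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    now = int(time.time()) if now is None else now
    # The audience binds the token to one group; a token for another group is useless here.
    if claims.get("aud") != group_location or claims.get("exp", 0) <= now:
        return None
    return claims
```

The audience check matters as much as the signature: without it, a token minted for a group where a user is merely allowed to present could be replayed against a group where the same username is an operator. The expiry keeps a leaked token short-lived, which is the mitigation that makes the URL-fragment flow sketched in the mail reasonable.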
