From: Juliusz Chroboczek <jch@irif.fr>
To: galene@lists.galene.org
Subject: [Galene] Third party auth code in master
Date: Fri, 18 Feb 2022 14:27:38 +0100
Message-ID: <87ley8e245.wl-jch@irif.fr>

Dear all,

I've just merged the third-party authentication code into master.

If you're running a small server and are happy with Galene's authentication, please ignore this mail. If, on the other hand, you would like to integrate Galene with an existing authentication system (such as LDAP or even Unix passwords), read on.

I've written a sample authentication server in Python, since this is the language that's most likely to be familiar to most system administrators. You may find it at

https://github.com/jech/galene-sample-auth-server

Should you prefer a different language, let me know; it should be fairly trivial to write an auth server in any language that has libraries for HTTPS, JSON and JWK.

The protocol currently works as follows. The client consults the group status, and determines that the group is using token auth. It sends an HTTP POST to the auth server with the username and the group location. The auth server performs authentication, then returns a signed JWK (a "JWS") that contains the username, the group location, as well as the permissions granted to the user. The client then joins the group as usual, except that it passes the token instead of a password. This happens here:

https://github.com/jech/galene/blob/master/static/galene.js#L284
https://github.com/jech/galene/blob/master/static/protocol.js#L440

Note that the server never sees the password; however, the password goes through Galene's Javascript code.

A different flow is possible with no server changes: it should be possible to have a third-party website generate a token and then redirect to Galene, with the token passed in a URL fragment. The advantage is that Galene's Javascript never sees the password, which is a good thing in case the server is corrupted.
Things to do:

- make it possible to set authServer/authKey globally, not just in the group definition file;
- implement the second flow described above.

-- Juliusz
Thread overview (2+ messages):
2022-02-18 13:27 Juliusz Chroboczek [this message]
2022-02-18 19:37 ` Re: [Galene] Third party auth code in master (Juliusz Chroboczek)