Date: Fri, 18 Feb 2022 14:27:38 +0100
Message-ID: <87ley8e245.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: galene@lists.galene.org
Subject: [Galene] Third party auth code in master
List-Id: Galène videoconferencing server discussion list

Dear all,

I've just merged the third-party authentication code into master.

If you're running a small server and are happy with Galene's
authentication, please ignore this mail. If, on the other hand, you
would like to integrate Galene with an existing authentication system
(such as LDAP or even Unix passwords), read on.

I've written a sample authentication server in Python, since this is the
language that's most likely to be familiar to most system
administrators. You may find it at

  https://github.com/jech/galene-sample-auth-server

Should you prefer a different language, let me know; it should be fairly
trivial to write an auth server in any language that has libraries for
HTTPS, JSON and JWK.

The protocol currently works as follows. The client consults the group
status, and determines that the group is using token auth. It sends an
HTTP POST to the auth server with the username and the group location.
The auth server performs authentication, then returns a signed JWK (a
"JWS") that contains the username, the group location, as well as the
permissions granted to the user. The client then joins the group as
usual, except that it passes the token instead of a password. This
happens here:

  https://github.com/jech/galene/blob/master/static/galene.js#L284
  https://github.com/jech/galene/blob/master/static/protocol.js#L440

Note that the server never sees the password; however, the password goes
through Galene's Javascript code.

A different flow is possible with no server changes: it should be
possible to have a third party website generate a token and then
redirect to Galene, with the token passed in a URL fragment. The
advantage is that Galene's Javascript never sees the password, which is
a good thing in case the server is corrupted.

Things to do:

- make it possible to set authServer/authKey globally, not just in the
  group definition file;
- implement the second flow described above.

-- Juliusz