Galène videoconferencing server discussion list archives
 help / color / mirror / Atom feed
* [Galene] Third party auth code in master
@ 2022-02-18 13:27 Juliusz Chroboczek
  2022-02-18 19:37 ` [Galene] " Juliusz Chroboczek
  0 siblings, 1 reply; 2+ messages in thread
From: Juliusz Chroboczek @ 2022-02-18 13:27 UTC (permalink / raw)
  To: galene

Dear all,

I've just merged the third-party authentication code into master.  If
you're running a small server and are happy with Galene's authentication,
please ignore this mail.  If, on the other hand, you would like to
integrate Galene with an existing authentication system (such as LDAP or
even Unix passwords), read on.

I've written a sample authentication server in Python, since this is the
language that's most likely to be familiar to most system administrators.
You may find it at

    https://github.com/jech/galene-sample-auth-server

Should you prefer a different language, let me know, it should be fairly
trivial to write an auth server in any language that has libraries for
HTTPS, JSON and JWK.

The protocol currently works as follows.  The client consults the group
status, and determines that the group is using token auth.  It sends an
HTTP POST to the auth server with the username and the group location.
The auth server performs authentication, then returns a signed JWK (a
"JWS") that contains the username, the group location, as well as the
permissions granted to the user.  The client then joins the group as
usual, except that it passes the token instead of a password.

This happens here:

  https://github.com/jech/galene/blob/master/static/galene.js#L284
  https://github.com/jech/galene/blob/master/static/protocol.js#L440

Note that the server never sees the password; however, the password goes
through Galene's Javascript code.  A different flow is possible with no
server changes: it should be possible to have a third party website
generate a token and then redirect to Galene, with the token passed in
a URL fragment.  The advantage is that Galene's Javascript never sees the
password, which is a good thing in case the server is corrupted.

Things to do:

  - make it possible to set authServer/authKey globally, not just in
    the group definition file;
  - implement the second flow described above.

-- Juliusz

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-02-18 19:37 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-18 13:27 [Galene] Third party auth code in master Juliusz Chroboczek
2022-02-18 19:37 ` [Galene] " Juliusz Chroboczek

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox