From: Juliusz Chroboczek <jch@irif.fr>
To: galene@lists.galene.org
Subject: [Galene] Authorisation portal example
Date: Fri, 29 Apr 2022 13:29:55 +0200
Message-ID: <87zgk4m8jw.wl-jch@irif.fr>

I took the time last night to update the sample auth server with the portal flow. (I'm sure it has a proper name in OAuth2, but I've tried multiple times to read the spec -- and failed.)

https://github.com/jech/galene-sample-auth-server

The portal flow is a solution to the problem of providing a custom login interface without editing Galene's HTML code.

Due to a bug in 0.5.3, you'll need to either upgrade to the current head or set "allow-anonymous" in the group config file in order to use that flow.

Here's a summary of Galene's authorisation flows.

1. Native auth

The user connects to Galene and enters their password. Galene's client connects to Galene's server and sends their password in clear (over TLS).

Pros:
- no extra pieces that can break;
- easy to understand.

Cons:
- the password is exposed to both the client and the server;
- changing the UI required editing Galene's HTML.

2. Auth server

The user connects to Galene and enters their password. Galene's client connects to the server, grabs a token, then connects to Galene's server.

Pros:
- the auth server only does auth;
- the password is not exposed to Galene's server.

Cons:
- the password is exposed to Galene's Javascript code;
- changing the UI required editing Galene's HTML.

3. Auth portal

The user connects to a third-party portal and enters their password. Portal generates a token, then redirects to Galene.

Pros:
- the password is not exposed to Galene's client or server;
- the auth portal provides a full user interface, which can be customised without editing Galene's HTML;
- the auth portal can be implemented within another web application, which makes it easy to redirect from e.g. a chat server to Galene.

Cons:
- the auth portal needs to provide a user interface;
- the token is temporarily stored in the browser's history, and might therefore leak, for example if Galene is down.

-- Juliusz
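The portal flow described in point 3 above, as an added example that is not part of the mail and not code from jech/galene-sample-auth-server: the portal mints a short-lived HS256 JWT bound to one group and sends the browser to the group URL with the token in the query string; the relying party verifies signature, audience and expiry. The claim names (sub, aud, iat, exp), the `token` query parameter, the group URL and the shared secret are assumptions of this example, not details taken from the mail or from Galene's documentation. Only the Go standard library is used.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims is the token payload. The claim names are the registered JWT claims;
// that Galene expects exactly this set is an assumption of this example.
type Claims struct {
	Sub string `json:"sub"` // user name shown in the group
	Aud string `json:"aud"` // the group URL the token is valid for
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

func sign(secret []byte, signingInput string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// MintToken is the portal's side: after authenticating the user by its own
// means, issue an HS256 JWT that is valid for one group and a short time.
func MintToken(secret []byte, user, groupURL string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(Claims{Sub: user, Aud: groupURL, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	return signingInput + "." + sign(secret, signingInput), nil
}

// VerifyToken is the relying party's side: accept only HS256 (no algorithm
// downgrade via the header), compare the MAC in constant time, then check
// audience and expiry.
func VerifyToken(secret []byte, token, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported alg")
	}
	if !hmac.Equal([]byte(sign(secret, parts[0]+"."+parts[1])), []byte(parts[2])) {
		return nil, errors.New("bad signature")
	}
	plBytes, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(plBytes, &c); err != nil {
		return nil, err
	}
	if c.Aud != expectedAud {
		return nil, errors.New("wrong audience")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// RedirectURL builds the Location header for the browser redirect. Carrying
// the token in the query string is what leaves it in the browser history,
// the leak the mail lists as a con; a short TTL bounds how long a leaked copy
// remains usable.
func RedirectURL(groupURL, token string) (string, error) {
	u, err := url.Parse(groupURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("token", token)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	secret := []byte("constructed-shared-secret-for-the-example") // constructed
	group := "https://galene.example.org/group/meeting/"          // assumed URL
	now := time.Unix(1651231795, 0)                               // 2022-04-29 11:29:55 UTC
	tok, _ := MintToken(secret, "alice", group, now, 2*time.Minute)
	loc, _ := RedirectURL(group, tok)
	fmt.Println("302 Location:", loc)
	c, err := VerifyToken(secret, tok, group, now.Add(30*time.Second))
	fmt.Println("30s later:", c.Sub, err)
	_, err = VerifyToken(secret, tok, group, now.Add(5*time.Minute))
	fmt.Println("5 min later:", err)
}
```

The two-minute TTL is the mitigation for the history leak: a token copied out of the browser history after Galene comes back up has almost certainly expired. Binding `aud` to one group URL keeps a token issued for one group from opening another.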