Galène videoconferencing server discussion list archives
From: Juliusz Chroboczek <jch@irif.fr>
To: galene@lists.galene.org
Subject: [Galene] Authorisation portal example
Date: Fri, 29 Apr 2022 13:29:55 +0200
Message-ID: <87zgk4m8jw.wl-jch@irif.fr>

I took the time last night to update the sample auth server with the
portal flow.  (I'm sure it has a proper name in OAuth2, but I've tried
multiple times to read the spec -- and failed.)

  https://github.com/jech/galene-sample-auth-server

The portal flow is a solution to the problem of providing a custom login
interface without editing Galene's HTML code.  Due to a bug in 0.5.3,
you'll need to either upgrade to the current head or set "allow-anonymous"
in the group config file in order to use that flow.

Here's a summary of Galene's authorisation flows.

1. Native auth

The user connects to Galene and enters their password.  Galene's
client connects to Galene's server and sends their password in clear (over
TLS).

Pros: - no extra pieces that can break;
      - easy to understand.

Cons: - the password is exposed to both the client and the server;
      - changing the UI requires editing Galene's HTML.

2. Auth server

The user connects to Galene and enters their password.  Galene's client
connects to the server, grabs a token, then connects to Galene's server.

Pros: - the auth server only does auth;
      - the password is not exposed to Galene's server.

Cons: - the password is exposed to Galene's Javascript code;
      - changing the UI requires editing Galene's HTML.

3. Auth portal

The user connects to a third-party portal and enters their password.
Portal generates a token, then redirects to Galene.

Pros: - the password is not exposed to Galene's client or server;
      - the auth portal provides a full user interface, which can be
        customised without editing Galene's HTML;
      - the auth portal can be implemented within another web application,
        which makes it easy to redirect from e.g. a chat server to Galene.

Cons: - the auth portal needs to provide a user interface;
      - the token is temporarily stored in the browser's history, and
        might therefore leak, for example if Galene is down.

-- Juliusz
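The auth-portal flow (3.) and its stated drawback, sketched as an added example that is not Galene's code nor the sample auth server's: the portal mints a token bound to one group and valid for a short window, answers with a redirect that carries it, and the relying side verifies signature, audience and expiry before trusting a token taken from a URL. The HS256-JWT format, the sub/aud/exp claim set and the "?token=" redirect convention are assumptions of this example; the short ttl is what bounds the exposure of a token left in browser history.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Assumed token format: HS256 JWT carrying sub/aud/exp.  The post only says the
# portal "generates a token" and redirects; Galene's real format is not shown.

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(secret: bytes, user: str, group: str, ttl: int, now: int) -> str:
    """Portal side: issue a token bound to one group, valid for ttl seconds.

    The token rides in the redirect URL and so sits in browser history; ttl is
    the only bound on how long a leaked copy stays usable, so keep it short.
    """
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64(json.dumps({"sub": user, "aud": group, "exp": now + ttl}).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"

def redirect_url(galene_host: str, group: str, token: str) -> str:
    """Location the portal answers with; the "?token=" convention is assumed."""
    return f"https://{galene_host}/group/{group}/?" + urlencode({"token": token})

def verify_token(secret: bytes, token: str, group: str, now: int) -> dict:
    """Relying side: constant-time signature check, then audience, then expiry.

    The header's "alg" is never consulted; only HS256 under our key is recomputed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("aud") != group:
        raise ValueError("token issued for another group")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```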
