Galène videoconferencing server discussion list archives
* [Galene] Authorisation portal example
@ 2022-04-29 11:29 Juliusz Chroboczek
From: Juliusz Chroboczek @ 2022-04-29 11:29 UTC
  To: galene

I took the time last night to update the sample auth server with the
portal flow.  (I'm sure it has a proper name in OAuth2, but I've tried
multiple times to read the spec -- and failed.)

  https://github.com/jech/galene-sample-auth-server

The portal flow is a solution to the problem of providing a custom login
interface without editing Galene's HTML code.  Due to a bug in 0.5.3,
you'll need to either upgrade to the current head or set "allow-anonymous"
in the group config file in order to use that flow.

Here's a summary of Galene's authorisation flows.

1. Native auth

The user connects to Galene and enters their password.  Galene's
client connects to Galene's server and sends their password in the clear
(over TLS).

Pros: - no extra pieces that can break;
      - easy to understand.

Cons: - the password is exposed to both the client and the server;
      - changing the UI requires editing Galene's HTML.

2. Auth server

The user connects to Galene and enters their password.  Galene's client
connects to the server, grabs a token, then connects to Galene's server.

Pros: - the auth server only does auth;
      - the password is not exposed to Galene's server.

Cons: - the password is exposed to Galene's JavaScript code;
      - changing the UI requires editing Galene's HTML.

3. Auth portal

The user connects to a third-party portal and enters their password.
The portal generates a token, then redirects to Galene.

Pros: - the password is not exposed to Galene's client or server;
      - the auth portal provides a full user interface, which can be
        customised without editing Galene's HTML;
      - the auth portal can be implemented within another web application,
        which makes it easy to redirect from e.g. a chat server to Galene.

Cons: - the auth portal needs to provide a user interface;
      - the token is temporarily stored in the browser's history, and
        might therefore leak, for example if Galene is down.

-- Juliusz
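
The portal flow summarised in the message above, as an added sketch that is not part of the original post and is not code from galene-sample-auth-server: the portal mints a token bound to one group with a short lifetime, so a copy left in the browser's history stops being usable quickly. The token layout (HS256-signed JWT with sub/aud/exp claims), the `token` query parameter, the function names and the galene.example.org URL are assumptions made for illustration, not Galene's documented format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// claims is a hypothetical claim set: user, the one group URL the token is for, expiry.
type claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func sign(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return b64.EncodeToString(m.Sum(nil))
}

// portalRedirect runs on the portal after it has checked the password itself;
// it returns the URL to redirect to (the token is URL-safe base64 and dots).
func portalRedirect(key []byte, group, user string, now time.Time, ttl time.Duration) string {
	body, _ := json.Marshal(claims{Sub: user, Aud: group, Exp: now.Add(ttl).Unix()})
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return group + "?token=" + msg + "." + sign(key, msg)
}

// checkToken is the receiving side. The header is never consulted: the check is
// always HMAC-SHA256 under the shared key, compared in constant time.
func checkToken(key []byte, token, group string, now time.Time) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(sign(key, p[0]+"."+p[1]))) {
		return "", fmt.Errorf("bad signature")
	}
	var c claims
	raw, _ := b64.DecodeString(p[1]) // a decode failure leaves raw empty, so Unmarshal rejects it
	if json.Unmarshal(raw, &c) != nil || c.Aud != group || now.Unix() >= c.Exp {
		return "", fmt.Errorf("malformed, expired, or issued for another group")
	}
	return c.Sub, nil
}

func main() { fmt.Println(portalRedirect([]byte("constructed-key"), "https://galene.example.org/group/test/", "alice", time.Now(), 30*time.Second)) }
```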
