* [Galene] Authorisation portal example
@ 2022-04-29 11:29 Juliusz Chroboczek
From: Juliusz Chroboczek @ 2022-04-29 11:29 UTC (permalink / raw)
To: galene
I took the time last night to update the sample auth server with the
portal flow. (I'm sure it has a proper name in OAuth2, but I've tried
multiple times to read the spec -- and failed.)
https://github.com/jech/galene-sample-auth-server
The portal flow is a solution to the problem of providing a custom login
interface without editing Galene's HTML code. Due to a bug in 0.5.3,
you'll need to either upgrade to the current head or set "allow-anonymous"
in the group config file in order to use that flow.
Here's a summary of Galene's authorisation flows.
1. Native auth
The user connects to Galene and enters their password. Galene's client
connects to Galene's server and sends their password in clear (over
TLS).
Pros:
- no extra pieces that can break;
- easy to understand.
Cons:
- the password is exposed to both the client and the server;
- changing the UI requires editing Galene's HTML.
2. Auth server
The user connects to Galene and enters their password. Galene's client
connects to the server, grabs a token, then connects to Galene's server.
Pros:
- the auth server only does auth;
- the password is not exposed to Galene's server.
Cons:
- the password is exposed to Galene's Javascript code;
- changing the UI requires editing Galene's HTML.
3. Auth portal
The user connects to a third-party portal and enters their password.
Portal generates a token, then redirects to Galene.
Pros:
- the password is not exposed to Galene's client or server;
- the auth portal provides a full user interface, which can be
  customised without editing Galene's HTML;
- the auth portal can be implemented within another web application,
  which makes it easy to redirect from e.g. a chat server to Galene.
Cons:
- the auth portal needs to provide a user interface;
- the token is temporarily stored in the browser's history, and
  might therefore leak, for example if Galene is down.
-- Juliusz
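The portal flow from item 3, as an added Go example that is not the sample auth server's code nor Galene's: the portal checks the password itself, mints a short-lived signed token and builds the redirect; the receiving side verifies the MAC before the expiry and only then trusts the user name. The token format, the shared key, the user table and the redirect URL with its ?token= parameter are all constructed assumptions, not Galene's real token or API.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)
// Constructed values: the portal/server shared secret and a toy user table.
var portalKey = []byte("constructed-shared-secret")
var users = map[string]string{"alice": "correct horse"}

func sign(body string) string {
	m := hmac.New(sha256.New, portalKey)
	m.Write([]byte(body))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// portalLogin is the portal side: it checks the password here (so Galene never
// sees it) and returns a redirect URL carrying a constructed "<user>.<expiry>.<mac>".
func portalLogin(user, pass string, now time.Time, ttl time.Duration) (string, bool) {
	want, ok := users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(pass)) != 1 {
		return "", false
	}
	body := user + "." + strconv.FormatInt(now.Add(ttl).Unix(), 10)
	return "https://galene.example/group/demo/?token=" + body + "." + sign(body), true
}

// verifyToken is the receiving side: check the MAC before anything else,
// then the expiry, and only then trust the user name inside the token.
func verifyToken(tok string, now time.Time) (string, error) {
	i := strings.LastIndex(tok, ".")
	if i < 0 || !hmac.Equal([]byte(tok[i+1:]), []byte(sign(tok[:i]))) {
		return "", errors.New("bad signature")
	}
	j := strings.LastIndex(tok[:i], ".") // user names may contain dots
	if j < 0 {
		return "", errors.New("malformed token")
	}
	exp, err := strconv.ParseInt(tok[j+1:i], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("token expired")
	}
	return tok[:j], nil
}
```

The short ttl is what bounds the window in which a token left in the browser's history stays usable, which is the leak the post's last con describes.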