OpenConnect folks,

TL;DR:
What are your thoughts on adding support for custom authentication in the 
ocserv (OpenConnect server)? Would it be acceptable to add a new pluggable auth 
module to src/auth?

Details:
My team (Microsoft Intune) is looking to add support for authenticating to 
ocserv using the OpenID Connect (OIDC) protocol (see 
https://openid.net/connect/). This would entail a new HTTP auth scheme / HTTP 
header that would look something like this:
Authorization: Bearer eyJ0e...FipaZ31iPZ1pA.

We want to make sure we align with the development team's long term plans 
around authentication and authorization and would prefer to contribute any 
changes we make back to the community. 

There are two interrelated sets of features we aim to add to the product:
1) Support for authenticating a user/device based on the possession of a bearer 
token.
2) The ability to perform dynamic authorization checks based on the identity of 
the user and device (things like checking if the device is MDM managed / 
compliant with policy etc).

The simplest approach for us would be to implement a plugin auth module that 
performs a dlopen on a .so and forwards all of the functions in auth_mod_st to 
the loaded module. We can then add our custom logic to the plugin.

Would this be an acceptable approach? Our thinking is that this would give the 
greatest benefit as other folks could then implement additional auth schemes 
without modifying ocserv further. 

Note:
We did look at using Linux PAM, but it has limits on the length of the 
authentication token that can be passed, which makes it incompatible with OIDC.

Regards,
Alan Jowett

-------------------------------------------------------------------------------
More background:
Microsoft Intune is a Mobile Device Management (MDM) service that allows 
administrators to deploy policies to mobile devices, including policies related 
to VPN profiles. One of the key pieces of feedback we have received from our customers 
is that deploying a VPN solution is often complicated by the need to also 
deploy PKI (either via SCEP or similar certificate protocols). If we can add 
support for OpenID Connect to various VPN products, we can significantly reduce 
the effort required to deploy a VPN solution (given that the user has to 
authenticate to Azure Active Directory during the MDM enrollment). 

_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel