Re: [pve-devel] OAuth2 Authentication

2018-03-28 Thread Andreas Steinel
Hi Dietmar,

On Wed, Mar 28, 2018 at 5:17 PM, Dietmar Maurer wrote:
> I thought OAuth2 is not even an authentication protocol, so how do you
> want to implement authentication on top of OAuth2? OpenID Connect?

Both should work (at least with GitLab). I just tried - for another
project - the OAuth2 authentication based on OpenID with Apache
(mod_auth_openidc, [1]) to GitLab's OpenID compatibility layer to its
OAuth2 and documented it in the project's wiki. It was - in the end -
very straightforward and simple to set up.

I'm going to have a look at the available Perl modules for OAuth2 and
I hope it'll be a drop-in replacement for our current LDAP-backed
authentication on PVE. OAuth2 authentication normally works similarly to
this:

- client app has a unique ID and secret that has to be registered with
the OAuth2 server, as well as a redirect-back URL. This authorises the
client app on the authentication server.
- client app just redirects to the authentication server in which the
user will authenticate (or already has) and gets redirected back to
client app with e.g. the username and a positive response
- client app now knows the authenticated user's name and can proceed
- authorisation has to be done on the client, so no further things
like groups etc. are used, but it does exactly what is needed for PVE
(or at least what I understand what is required for LDAP)

Best,
Andreas

[1] https://github.com/zmartzone/mod_auth_openidc/wiki
___
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
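
The redirect and redirect-back steps from the list in the message above, as an added Python example (not code from the thread or from PVE). Hostnames, the client ID and all function names are assumptions; the token exchange with the client secret and the ID token signature check are assumed to be done by an OAuth2/OpenID Connect library before `username_from_id_token` is called.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not values from the thread.
ISSUER = "https://gitlab.example.com"
AUTHORIZE_ENDPOINT = ISSUER + "/oauth/authorize"
CLIENT_ID = "pve-client-id"
REDIRECT_URI = "https://pve.example.com/oidc/callback"

def begin_login(session):
    """Build the redirect that sends the browser to the authentication server."""
    session["state"] = secrets.token_urlsafe(32)  # binds the callback to this browser
    session["nonce"] = secrets.token_urlsafe(32)  # binds the ID token to this login
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must match the registered redirect-back URL
        "scope": "openid",
        "state": session["state"],
        "nonce": session["nonce"],
    })
    return AUTHORIZE_ENDPOINT + "?" + query

def handle_callback(session, callback_url):
    """Redirect-back step: return the authorization code or raise ValueError."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("state", None)  # one-time use, so a replay fails
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch")
    if "error" in params or "code" not in params:
        raise ValueError("authorization failed")
    return params["code"][0]

def username_from_id_token(session, claims, now=None):
    """Check the claims of an ID token whose signature was already verified."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or CLIENT_ID not in audiences:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    expected = session.pop("nonce", None)
    received = str(claims.get("nonce", ""))
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("nonce mismatch")
    return claims["sub"]  # stable user identifier issued by the server
```

The audience and nonce checks are what turn the bare OAuth2 redirect into a statement about who logged in to this particular client.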


Re: [pve-devel] OAuth2 Authentication

2018-03-28 Thread Dietmar Maurer
Hi Andreas,

> Is OAuth2 on the list of features you want to have in PVE and if so,
> is someone working on it?
> We're migrating step by step every service in our infrastructure
> towards OAuth2 and it would be great to authenticate against OAuth2
> too.

I thought OAuth2 is not even an authentication protocol, so how do you
want to implement authentication on top of OAuth2? OpenID Connect?



[pve-devel] OAuth2 Authentication

2018-03-28 Thread Andreas Steinel
Hi,

Is OAuth2 on the list of features you want to have in PVE and if so,
is someone working on it?
We're migrating step by step every service in our infrastructure
towards OAuth2 and it would be great to authenticate against OAuth2
too.

Best,
Lnxbil / Andreas Steinel