RE: [EXTERNAL] Re: Patch to add support to the OpenConnect client to send RFC6750 style bearer tokens during establishment of the TLS tunnel.

2020-03-09 Thread Alan Jowett
make sense? -Original Message- From: openconnect-devel On Behalf Of Alan Jowett Sent: Monday, March 9, 2020 7:24 PM To: Daniel Lenski ; David Woodhouse Cc: openconnect-devel@lists.infradead.org Subject: RE: [EXTERNAL] Re: Patch to add support to the OpenConnect client to send RFC6750

RE: [EXTERNAL] Re: Patch to add support to the OpenConnect client to send RFC6750 style bearer tokens during establishment of the TLS tunnel.

2020-03-09 Thread Alan Jowett
Thanks for the feedback. I have mostly been focused on the ocserv side of this change. Now that the server side is in ocserv, I will resume working on this. -Original Message- From: Daniel Lenski Sent: Monday, March 9, 2020 7:03 PM To: David Woodhouse Cc: Alan Jowett ; openconnect

https://gitlab.com/openconnect/ocserv/issues/258 / https://gitlab.com/openconnect/ocserv/-/merge_requests/145 - Measure and report ocserv latency

2020-03-05 Thread Alan Jowett
OpenConnect folks, Created issue and merge request to track this. Background: When deploying OpenConnect server in an environment that supports automatic scaling, there is a need to quantify the health of a server instance to determine when to add or remove nodes. A key health metric is the lat

ocserv - BanIP and clients behind a NAT

2020-03-03 Thread Alan Jowett
this scenario? What are the recommended settings for protecting ocserv from potential DoS scenarios? Regards, Alan Jowett ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel

Merge request ready for review - Add support for RFC6750 bearer tokens to ocserv to permit the validation of OpenID Connect auth tokens

2020-02-10 Thread Alan Jowett
https://gitlab.com/openconnect/ocserv/-/merge_requests/128 I believe this feature is now at the point where it makes sense to start the process of reviewing this merge request. The change includes the new bearer auth module as well as a set of tests to verify correct handling of tokens. Note: T

RE: [EXTERNAL] OCserv hardening

2020-02-03 Thread Alan Jowett
a volatile filesystem location). -Original Message- From: Nikos Mavrogiannopoulos Sent: Monday, February 3, 2020 7:09 AM To: openconnect-devel@lists.infradead.org Cc: Alan Jowett Subject: [EXTERNAL] OCserv hardening > Quick question for folks on this list. > During our security

OCserv hardening

2020-01-30 Thread Alan Jowett
Quick question for folks on this list. During our security review of OpenConnect server, a couple of questions were raised: 1) Can we drop privileges from the ocserv-main process after forking the ocserv-sm? a. Looking through the code, I don't see any obvious reason why not, but I

RE: [EXTERNAL] Re: Patch to add support to the OpenConnect client to send RFC6750 style bearer tokens during establishment of the TLS tunnel.

2020-01-27 Thread Alan Jowett
that the OIDC token (encoded as a JWT) can be large, especially if the group claim is added, I thought the best option would be 2.1 as some HTTP servers have issues with very long URIs. None of these options seem to patch what GlobalProtect is doing though. Regards, Alan Jowett -Ori

Patch to add support to the OpenConnect client to send RFC6750 style bearer tokens during establishment of the TLS tunnel.

2020-01-22 Thread Alan Jowett
working on the server side changes, but writing the tests would be easier if we can use the stock OpenConnect client. Please let me know if there are any questions about this. Regards, Alan Jowett Signed-off-by: Alan TG Jowett rfc6750_auth_header.patch Description: rfc6750_auth_header.patch

Adding support for custom authentication protocols using bearer tokens / OpenID Connect

2019-11-13 Thread Alan Jowett
using Linux PAM, but it has limits on the length of the authentication token that can be passed, which makes it incompatible with OIDC. Regards, Alan Jowett --- More background: Microsoft Intune is a Mobile Device Manag