
Feature #3377

OAuth2 authentication in captive portal

Added by Thomas NOEL over 3 years ago. Updated 8 months ago.

Status:
New
Priority:
Normal
Assignee:
Category:
Captive Portal
Target version:
Start date:
12/31/2013
Due date:
% Done:

0%

Estimated time:
20.00 h

Description

In Captive Portal we have native, LDAP and RADIUS authentication. Today, a lot of authentication systems provide an OAuth2 backend. As the CP authenticates users through the web, it can be an OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

          O  RADIUS Authentication
             Radius Protocol    
               O  PAP
               O  CHAP_MD5
               O  MSCHAPv1
               O  MSCHAPv2
       O OAuth2 Authentication
             OAuth2 accepted providers
               [ ] Amazon
               [ ] BitLy
               [ ] Box
               [ ] Dailymotion
               [ ] Dropbox
               [ ] Facebook
               [ ] Foursquare
               [ ] GitHub
               [ ] Google
               [ ] Heroku
               [ ] Instagram
               [ ] LinkedIn
               [ ] Microsoft
               [ ] PayPal
               [ ] RunKeeper
               [ ] SoundCloud
               [ ] Vkontakte
               [ ] Yammer
               [ ] Reddit
               [ ] Local1
               [ ] Local2

Local1, Local2, ... are local providers found in /usr/local/oauth2/local-providers/, for example.

Of course, there are other parameters (key/secret for each OAuth2 provider). And we have to open HTTPS for all selected OAuth2 providers -- that is not very hard with "allowed hostnames".

I think that https://github.com/Lusitanian/PHPoAuthLib could be a good OAuth2 implementation to use. Adding local providers is easy with this module.

Do you think such a feature is a good idea? If there is no rebuttal, I can write a first proposal for a patch...
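To make the proposal concrete, here is an added illustration of the pieces the description lists: a per-provider key/secret configuration, the "allowed hostnames" the CP has to open so an unauthenticated client can reach the provider's login page, and the authorization-code round trip with a session-bound state value. This is not pfSense or PHPoAuthLib code; all URLs, credentials and the portal address are placeholders, and the provider is assumed to follow the standard authorization-code flow (code on the callback, token endpoint exchange, bearer-authenticated user-info endpoint).

```php
<?php
// Added illustration, not pfSense or PHPoAuthLib code. Endpoint URLs, client
// credentials and the portal address are placeholders.

// One entry per enabled provider; client_id/client_secret are the
// "key/secret for each OAuth2 provider" from the CP configuration.
$providers = [
    'example' => [
        'authorize_url' => 'https://auth.provider.example/oauth2/authorize', // placeholder
        'token_url'     => 'https://auth.provider.example/oauth2/token',     // placeholder
        'userinfo_url'  => 'https://api.provider.example/userinfo',          // placeholder
        'client_id'     => 'CLIENT_ID_PLACEHOLDER',
        'client_secret' => 'CLIENT_SECRET_PLACEHOLDER',
        'scope'         => 'email',
    ],
];

// Hostnames an unauthenticated client must be able to reach over HTTPS: the
// browser is sent to authorize_url, so that host goes on the CP's "allowed
// hostnames" list (the provider's login pages may pull in further hosts, which
// would have to be added the same way). The token and user-info requests are
// made by the portal itself, not by the client browser.
function oauth2_allowed_hostnames(array $providers): array {
    $hosts = [];
    foreach ($providers as $p) {
        $hosts[] = parse_url($p['authorize_url'], PHP_URL_HOST);
    }
    return array_values(array_unique($hosts));
}

// Step 1: redirect the client to the provider. The random state is stored in
// the browser session so the callback can be tied to the request that started it.
function oauth2_start(array $p, string $redirect_uri): string {
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth2_state'] = $state;
    return $p['authorize_url'] . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $p['client_id'],
        'redirect_uri'  => $redirect_uri,
        'scope'         => $p['scope'],
        'state'         => $state,
    ]);
}

// Step 2: the provider sends the browser back with ?code=...&state=...
// The callback is rejected unless the state matches the one this session issued.
function oauth2_callback(array $p, string $redirect_uri, array $query): ?array {
    if (!isset($query['code'], $query['state'], $_SESSION['oauth2_state'])
        || !hash_equals($_SESSION['oauth2_state'], $query['state'])) {
        return null;
    }
    unset($_SESSION['oauth2_state']);  // single use
    // Exchange the code server-side; the client secret never reaches the browser.
    $token = oauth2_https_json($p['token_url'], [
        'grant_type'    => 'authorization_code',
        'code'          => $query['code'],
        'redirect_uri'  => $redirect_uri,
        'client_id'     => $p['client_id'],
        'client_secret' => $p['client_secret'],
    ]);
    if (empty($token['access_token'])) {
        return null;
    }
    return oauth2_https_json($p['userinfo_url'], null, $token['access_token']);
}

// HTTPS helper: POST form fields when $fields is given, otherwise GET with a
// bearer token. Certificate verification stays on; the returned JSON is decoded.
function oauth2_https_json(string $url, ?array $fields, ?string $bearer = null): array {
    $headers = ['Accept: application/json'];
    if ($bearer !== null) {
        $headers[] = 'Authorization: Bearer ' . $bearer;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_POST           => $fields !== null,
        CURLOPT_POSTFIELDS     => $fields !== null ? http_build_query($fields) : null,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? [] : (json_decode($body, true) ?: []);
}

// Dispatch: the portal page is both the starting point and the callback URL.
session_start();
$redirect_uri = 'https://portal.example.net:8001/index.php';  // placeholder for the CP's own address
$p = $providers['example'];
if (isset($_GET['code'])) {
    $user = oauth2_callback($p, $redirect_uri, $_GET);
    if ($user === null) {
        http_response_code(403);
        exit('OAuth2 login failed');
    }
    // At this point the CP would run its usual "allow this client" path using $user['email'].
} else {
    header('Location: ' . oauth2_start($p, $redirect_uri));
    exit;
}
```

The state check and the server-side code exchange are the two parts worth keeping whatever library ends up being used: the first ties a callback to the session that started the login, the second keeps the provider secret out of the client's hands. The redirect URI has to be the portal address exactly as registered with the provider.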

History

#1 Updated by Ermal Luçi over 3 years ago

Sure go ahead.

#2 Updated by Thomas NOEL over 3 years ago

Here is a proof of concept for an OAuth2 captive portal authentication with Google accounts:
https://github.com/entrouvert/pfsense/tree/RELENG_2_1
The README.md file explains how to activate it.

Note: we have made changes on the RELENG_2_1 branch, because we can test them on the pfSense 2.1 ISO. Is there a pfSense "master" ISO (future 2.2) somewhere?

#3 Updated by Chris Buechler over 3 years ago

There will be publicly-available 2.2 snapshots in the not too distant future. At this point, I think you might be ok running master code on a 2.1 install. If you gitsync to master, that may work fine, but I'd do that in a VM you can blow away and reinstall just in case. https://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots

#4 Updated by simon mitnick over 2 years ago

Thomas NOEL wrote:

Here is a proof of concept for an OAuth2 captive portal authentication with Google accounts:
https://github.com/entrouvert/pfsense/tree/RELENG_2_1
The README.md file explains how to activate it.

Note: we have made changes on the RELENG_2_1 branch, because we can test them on the pfSense 2.1 ISO. Is there a pfSense "master" ISO (future 2.2) somewhere?

Dear All,

I'm sorry if I have written in the wrong place...

I am writing to ask for support in order to include OAuth2 in the pfSense CP. I don't understand how I can simulate the callback URI with private IP addresses in a virtual environment.

Do you know some workaround for having (i.e. https://cpfsense:8001/index.php) as a valid callback URI?

(pfsense= 192.100.xxx.xxx)

Error message by Google OAuth2 Login:

Invalid parameter value for redirect_uri: Non-public domains not allowed: https://pfsense:8001/index.php

I'm starting my project from https://github.com/entrouvert/pfsense/tree/RELENG_2_1 but I'm not able to test in VirtualBox!
Any help is appreciated.
cheers
Simon

#5 Updated by bamidele Amire almost 2 years ago

Chris Buechler wrote:

There will be publicly-available 2.2 snapshots in the not too distant future. At this point, I think you might be ok running master code on a 2.1 install. If you gitsync to master, that may work fine, but I'd do that in a VM you can blow away and reinstall just in case. https://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots

Please can I get a link to download an ISO that has the OAuth option for authentication?

#6 Updated by Cleber Ronaldo 8 months ago

Thomas NOEL wrote:

In Captive Portal we have native, LDAP and RADIUS authentication. Today, a lot of authentication systems provide an OAuth2 backend. As the CP authenticates users through the web, it can be an OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

[...]

Local1, Local2, ... are local providers found in /usr/local/oauth2/local-providers/, for example.

Of course, there are other parameters (key/secret for each OAuth2 provider). And we have to open HTTPS for all selected OAuth2 providers -- that is not very hard with "allowed hostnames".

I think that https://github.com/Lusitanian/PHPoAuthLib could be a good OAuth2 implementation to use. Adding local providers is easy with this module.

Do you think such a feature is a good idea? If there is no rebuttal, I can write a first proposal for a patch...

Any news about this topic?

#7 Updated by Jim Thompson 8 months ago

  • Assignee set to Jim Thompson
  • Target version changed from Future to 2.4.0

Cleber Ronaldo wrote:

Thomas NOEL wrote:

In Captive Portal we have native, LDAP and RADIUS authentication. Today, a lot of authentication systems provide an OAuth2 backend. As the CP authenticates users through the web, it can be an OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

[...]

Local1, Local2, ... are local providers found in /usr/local/oauth2/local-providers/, for example.

Of course, there are other parameters (key/secret for each OAuth2 provider). And we have to open HTTPS for all selected OAuth2 providers -- that is not very hard with "allowed hostnames".

I think that https://github.com/Lusitanian/PHPoAuthLib could be a good OAuth2 implementation to use. Adding local providers is easy with this module.

Do you think such a feature is a good idea? If there is no rebuttal, I can write a first proposal for a patch...

Any news about this topic?

Looks straight-forward to add. Just ran across this.

#8 Updated by Kristian Junkov 8 months ago

Thomas NOEL wrote:

In Captive Portal we have native, LDAP and RADIUS authentication. Today, a lot of authentication systems provide an OAuth2 backend. As the CP authenticates users through the web, it can be an OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

Is there any reason why it should only be limited to Captive Portal? I would love to use my Azure AD via OAuth2 for OpenVPN. I have been looking into an OAuth2 Perl module for FreeRADIUS (https://github.com/jimdigriz/freeradius-oauth2-perl), but being able to use OAuth directly as a backend in pfSense would be even better.

Another thing: if OAuth is added as a backend user database for pfSense, would it be possible to enable the FreeRADIUS server in pfSense to do the same? (Most network appliances only speak RADIUS, e.g. access points, managed switches etc.)

Really looking forward to any updates on this feature. Being able to utilize the cloud (user database) for pfSense would really be a quality of life improvement!

Best regards
Kristian

#9 Updated by Jim Thompson 8 months ago

Kristian Junkov wrote:

Thomas NOEL wrote:

In Captive Portal we have native, LDAP and RADIUS authentication. Today, a lot of authentication systems provide an OAuth2 backend. As the CP authenticates users through the web, it can be an OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

Is there any reason why it should only be limited to Captive Portal? I would love to use my Azure AD via OAuth2 for OpenVPN. I have been looking into an OAuth2 Perl module for FreeRADIUS (https://github.com/jimdigriz/freeradius-oauth2-perl), but being able to use OAuth directly as a backend in pfSense would be even better.

Another thing: if OAuth is added as a backend user database for pfSense, would it be possible to enable the FreeRADIUS server in pfSense to do the same? (Most network appliances only speak RADIUS, e.g. access points, managed switches etc.)

Really looking forward to any updates on this feature. Being able to utilize the cloud (user database) for pfSense would really be a quality of life improvement!

Best regards
Kristian

My preference is to keep this limited to CP for now.

That said, your idea has merit, and I'd appreciate it if you opened a separate feature request for it.

#10 Updated by Kristian Junkov 8 months ago

My preference is to keep this limited to CP for now.

That said, your idea has merit, and I'd appreciate it if you opened a separate feature request for it.

Thanks! I have made a separate feature request here: https://redmine.pfsense.org/issues/6742

BR Kristian
