Project

General

Profile

Actions

Feature #3377

open

OAuth2 authentication in captive portal

Added by Thomas NOEL almost 11 years ago. Updated about 2 years ago.

Status:
New
Priority:
Normal
Assignee:
Category:
Captive Portal
Target version:
Start date:
12/31/2013
Due date:
% Done:

0%

Estimated time:
20.00 h
Plus Target Version:
Release Notes:

Description

In Captive Portal we have native, ldap and radius authentication. Today, a lot of authentication systems provide OAuth2 backend. As CP authenticate users trought web, it can be a OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

          O  RADIUS Authentication
             Radius Protocol    
               O  PAP
               O  CHAP_MD5
               O  MSCHAPv1
               O  MSCHAPv2
       O OAuth2 Authentication
             OAuth2 accepted providers
               [ ] Amazon
               [ ] BitLy
               [ ] Box
               [ ] Dailymotion
               [ ] Dropbox
               [ ] Facebook
               [ ] Foursquare
               [ ] GitHub
               [ ] Google
               [ ] Heroku
               [ ] Instagram
               [ ] LinkedIn
               [ ] Microsoft
               [ ] PayPal
               [ ] RunKeeper
               [ ] SoundCloud
               [ ] Vkontakte
               [ ] Yammer
               [ ] Reddit
               [ ] Local1
               [ ] Local2

Local1, Local2, ... are local providers found in /usr/local/oauth2/local-providers/, for example.

Of course, there is other parameters (key/secret for each oauth2 provider). And we have to open HTTPS for all selected OAuth2 providers -- tat is not very hard with "allowed hostnames".

I think that https://github.com/Lusitanian/PHPoAuthLib could be a good OAuth2 implementation to use. Add local providers is easy with this module.

Do you think such a feature is a good idea ? If there is no rebuttal, I can write a first proposal for a patch...

Actions #1

Updated by Ermal Luçi almost 11 years ago

Sure go ahead.

Actions #2

Updated by Thomas NOEL almost 11 years ago

Here is a proof of concept, for a OAuth2 captive portal authentication with Google accounts :
https://github.com/entrouvert/pfsense/tree/RELENG_2_1
The README.md file explains how to activate it.

Note : we have made changes on the RELENG_2_1 branch, because we can test them on pfSense 2.1 ISO. Is there a pfSense "master" ISO (future 2.2) somewhere ?

Actions #3

Updated by Chris Buechler almost 11 years ago

there will be publicly-available 2.2 snapshots in the not too distant future. At this point, I think you might be ok running master code on a 2.1 install. If you gitsync to master, that may work fine, but I'd do that in a VM you can blow away and reinstall just in case. https://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots

Actions #4

Updated by simon mitnick almost 10 years ago

Thomas NOEL wrote:

Here is a proof of concept, for a OAuth2 captive portal authentication with Google accounts :
https://github.com/entrouvert/pfsense/tree/RELENG_2_1
The README.md file explains how to activate it.

Note : we have made changes on the RELENG_2_1 branch, because we can test them on pfSense 2.1 ISO. Is there a pfSense "master" ISO (future 2.2) somewhere ?

Dear All,

I'm sorry if I have wrote in the wrong place...

I write for asking a support in order to include OAuth2 in pfSense CP. I don't catch the point how I can simulate on virtual environment the callback URI with private IP addresses?

Do you know some workaround for having (i.e https://cpfsense:8001/index.php as valid callback URI.

(pfsense= 192.100.xxx.xxx)

Error message by Google OAuth2 Login:

Invalid parameter value for redirect_uri: Non-public domains not allowed: https://pfsense:8001/index.php

I'm starting my project from https://github.com/entrouvert/pfsense/tree/RELENG_2_1 but I'm not able to test in virtualbox!
Any help is appreciate.
cheers
Simon

Actions #5

Updated by bamidele Amire over 9 years ago

Chris Buechler wrote:

there will be publicly-available 2.2 snapshots in the not too distant future. At this point, I think you might be ok running master code on a 2.1 install. If you gitsync to master, that may work fine, but I'd do that in a VM you can blow away and reinstall just in case. https://doc.pfsense.org/index.php/Updating_pfSense_code_between_snapshots

Pls can I get a link to download an ISO that has the oauth option for authentication?

Actions #6

Updated by Cleber Ronaldo over 8 years ago

Thomas NOEL wrote:

In Captive Portal we have native, ldap and radius authentication. Today, a lot of authentication systems provide OAuth2 backend. As CP authenticate users trought web, it can be a OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

[...]

Local1, Local2, ... are local providers found in /usr/local/oauth2/local-providers/, for example.

Of course, there is other parameters (key/secret for each oauth2 provider). And we have to open HTTPS for all selected OAuth2 providers -- tat is not very hard with "allowed hostnames".

I think that https://github.com/Lusitanian/PHPoAuthLib could be a good OAuth2 implementation to use. Add local providers is easy with this module.

Do you think such a feature is a good idea ? If there is no rebuttal, I can write a first proposal for a patch...

News about this topic???

Actions #7

Updated by Jim Thompson over 8 years ago

  • Assignee set to Jim Thompson
  • Target version changed from Future to 2.4.0

Cleber Ronaldo wrote:

Thomas NOEL wrote:

In Captive Portal we have native, ldap and radius authentication. Today, a lot of authentication systems provide OAuth2 backend. As CP authenticate users trought web, it can be a OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

[...]

Local1, Local2, ... are local providers found in /usr/local/oauth2/local-providers/, for example.

Of course, there is other parameters (key/secret for each oauth2 provider). And we have to open HTTPS for all selected OAuth2 providers -- tat is not very hard with "allowed hostnames".

I think that https://github.com/Lusitanian/PHPoAuthLib could be a good OAuth2 implementation to use. Add local providers is easy with this module.

Do you think such a feature is a good idea ? If there is no rebuttal, I can write a first proposal for a patch...

News about this topic???

Looks straight-forward to add. Just ran across this.

Actions #8

Updated by Kristian Junkov over 8 years ago

Thomas NOEL wrote:

In Captive Portal we have native, ldap and radius authentication. Today, a lot of authentication systems provide OAuth2 backend. As CP authenticate users trought web, it can be a OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

Is there any reason why it should only be limited to Captive Portal? I would love to use my Azure AD via OAuth2 for OpenVPN. I have been looking into a oauth2 perl module for freeradius (https://github.com/jimdigriz/freeradius-oauth2-perl) but being able to use oauth directly as a backend if pfsense would be even better.

Another thing, if OAuth is added as a backend userdb for pfsense, would it be possible to enable the freeradius server in pfsense to do the same? (Most network appliances only speak radius e.g. access points, managed switches etc.)

Really looking forward for any updates on this feature. Being able to utilize the cloud (user database) for pfsense would really be a quality of life improvement!

Best regards
Kristian

Actions #9

Updated by Jim Thompson over 8 years ago

Kristian Junkov wrote:

Thomas NOEL wrote:

In Captive Portal we have native, ldap and radius authentication. Today, a lot of authentication systems provide OAuth2 backend. As CP authenticate users trought web, it can be a OAuth2 client.

My idea is to add a new "OAuth2 Authentication" after "RADIUS Authentication" on CP configuration.

Is there any reason why it should only be limited to Captive Portal? I would love to use my Azure AD via OAuth2 for OpenVPN. I have been looking into a oauth2 perl module for freeradius (https://github.com/jimdigriz/freeradius-oauth2-perl) but being able to use oauth directly as a backend if pfsense would be even better.

Another thing, if OAuth is added as a backend userdb for pfsense, would it be possible to enable the freeradius server in pfsense to do the same? (Most network appliances only speak radius e.g. access points, managed switches etc.)

Really looking forward for any updates on this feature. Being able to utilize the cloud (user database) for pfsense would really be a quality of life improvement!

Best regards
Kristian

My preference is to keep this limited to CP for now.

That said, your idea has merit, and I'd appreciate it if you opened a separate feature request for same.

Actions #10

Updated by Kristian Junkov over 8 years ago

My preference is to keep this limited to CP for now.

That said, your idea has merit, and I'd appreciate it if you opened a separate feature request for same.

Thanks! I have made a separate feature request here: https://redmine.pfsense.org/issues/6742

BR Kristian

Actions #11

Updated by Jim Pingle over 7 years ago

  • Target version changed from 2.4.0 to 2.4.1
Actions #12

Updated by Jim Pingle about 7 years ago

  • Target version changed from 2.4.1 to 2.4.2
Actions #13

Updated by Jim Pingle about 7 years ago

  • Target version changed from 2.4.2 to 2.4.3
Actions #14

Updated by Ponvannan Sankaran about 7 years ago

is there further developments on the above feature radius with oauth backend to support google apps id it will be very nice feature i will give +1

Actions #15

Updated by Jim Pingle almost 7 years ago

  • Target version changed from 2.4.3 to 2.4.4
Actions #16

Updated by Anonymous over 6 years ago

  • Target version changed from 2.4.4 to 48
Actions #17

Updated by Jim Pingle almost 6 years ago

  • Target version changed from 48 to 2.5.0
Actions #18

Updated by Anonymous about 4 years ago

  • Target version changed from 2.5.0 to Future
Actions #19

Updated by Tom Peeters about 2 years ago

We would like to setup a captive portal with an authentication server that supports type oauth2. At the moment it's only possible to choose between LDAP or RADIUS.
If that could be possible, an integration with Office 365 or Google Workspace or ... is just a few clicks away.
Vote +1

Actions

Also available in: Atom PDF